The eGobbler malvertising threat actor has made a return,
this time exploiting a vulnerability in WebKit, the browser engine behind
Safari on the iPhone. Security researchers from Confiant estimate up to 1.16 billion
ad impressions have been compromised since the start of the latest eGobbler
campaign, on August 1.
While people are usually wary of opening an infected
email, they might not exercise the same caution when browsing online for a new
pair of shoes. This is precisely what threat actors like eGobbler focus on.
eGobbler is what the security industry calls a
malvertiser: an operation that poses as a legitimate company buying online
advertising, then ships ads whose code exploits vulnerabilities in browsers,
usually forcing a redirect to malware-laden websites ready to infect unprotected
or out-of-date devices. The publisher serving the ad often never notices.
These types of attacks are much more common than people
think. Recall how often you've opened a website only to be redirected, without
any input on your part, somewhere else. If you have an up-to-date phone and
browser, you will most likely be fine. But not always: the campaign described
here ran against fully patched iOS devices until the WebKit fix shipped.
Confiant first tracked eGobbler when it appeared on April 6,
exploiting a vulnerability in Google Chrome on iOS devices. The malicious
ads bypassed the browser's built-in pop-up blocker and escaped the ad
sandbox, sending people to attacker-chosen landing pages and websites.
That initial campaign lasted a little over six days.
Confiant estimates more than 500 million sessions were exposed, although the bug
only manifested itself on iOS.
Confiant notified the Chromium team, and a fix shipped
with the Chrome 75 release. You would think that's the end for eGobbler, but it's
back. This time, it targets the Safari browser, which is still using
“The iOS Chrome pop-up was not spawning as before,
but we were in fact experiencing redirections on WebKit browsers upon the
‘onkeydown’ event,” said Eliya Stein, a security researcher at Confiant.
“The nature of the bug is that a cross-origin nested
iframe is able to ‘autofocus’ which bypasses the
‘allow-top-navigation-by-user-activation’ sandbox directive on the parent
frame. With the inner frame automatically focused, the keydown event becomes a
user activated navigation event, which renders the ad sandboxing entirely
useless as a measure for forced redirect mitigation.”
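The sandbox directive quoted above is exactly what ad-ops teams rely on, so a practitioner's first question is how to spot creatives that carry the ingredients of this bypass before they are served. The following static scanner is an added example, not Confiant's tooling or code from the original article. It flags the three things the quote names: a nested iframe that carries the autofocus attribute, a keydown handler, and code that navigates the top or parent frame. The two sample creatives, the rule names and the verdict thresholds are constructed for the demo; the page does not say where the redirect code lived in the real ads, so the suspect sample simply places it in the ad's own markup.

```javascript
// Added example (not Confiant's code): a static scanner for ad creatives that
// flags the ingredients of the WebKit autofocus redirect described above.
// Rule ids, thresholds and the sample creatives below are all constructed.

const RULES = [
  {
    id: 'iframe-autofocus',
    // An <iframe ...> opening tag whose attribute list contains autofocus.
    re: /<iframe\b[^>]*\bautofocus\b[^>]*>/gi,
  },
  {
    id: 'keydown-handler',
    // Inline onkeydown attribute or an addEventListener('keydown', ...) call.
    re: /\bonkeydown\s*=|addEventListener\(\s*['"]keydown['"]/gi,
  },
  {
    id: 'top-navigation',
    // Reads/writes of top.location or parent.location (optionally via window.).
    re: /\b(?:window\.)?(?:top|parent)\.location\b/gi,
  },
];

// Run every rule over the creative's HTML and collect each match with its offset.
function scanCreative(html) {
  const findings = [];
  for (const rule of RULES) {
    rule.re.lastIndex = 0; // global regex: reset between creatives
    let m;
    while ((m = rule.re.exec(html)) !== null) {
      findings.push({ rule: rule.id, offset: m.index, snippet: m[0].slice(0, 80) });
    }
  }
  return findings;
}

// The bypass needs an auto-focused nested frame AND a way to turn the resulting
// keydown into navigation. Either half on its own is common in benign ads, so
// it only earns a manual review rather than a rejection.
function verdict(findings) {
  const ids = new Set(findings.map((f) => f.rule));
  if (ids.has('iframe-autofocus') && (ids.has('keydown-handler') || ids.has('top-navigation'))) {
    return 'reject';
  }
  return ids.size > 0 ? 'review' : 'allow';
}

// Constructed sample: an ordinary banner in a sandboxed frame, with the
// user-activation navigation token publishers usually grant. No autofocus,
// no keydown wiring, so nothing fires.
const BENIGN = `
<iframe sandbox="allow-scripts allow-top-navigation-by-user-activation"
        src="https://ads.example/banner.html"></iframe>`;

// Constructed sample mirroring the quoted pattern: the creative nests a
// cross-origin iframe with autofocus and turns the first keydown into a
// top-frame redirect. The hostnames are placeholders.
const SUSPECT = `
<iframe sandbox="allow-scripts allow-top-navigation-by-user-activation"
        srcdoc="<iframe src='https://other.example/inner.html' autofocus></iframe>
        <script>window.addEventListener('keydown', () => { top.location = 'https://landing.example/'; });</script>">
</iframe>`;

for (const [name, html] of [['benign', BENIGN], ['suspect', SUSPECT]]) {
  const findings = scanCreative(html);
  console.log(name, verdict(findings), findings.map((f) => f.rule));
}
```

The scanner only looks at the markup it is handed; a production version would also decode entity-escaped srcdoc content and fetch the documents referenced by nested iframe src attributes, since the focus-stealing frame can live in a separate document on another origin. The real mitigation is the WebKit patch; a creative scan like this is a compensating control for the window before every device is updated.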
Confiant reported the problem to Apple and to the Chrome team,
and a fix was implemented in WebKit, iOS and Safari by September