In this attack, eGobbler threat group is exploiting Chrome Sandboxing bug to target iOS devices in the US and EU.
Malvertising campaigns, in which malware is distributed through advertisements, have become a common norm nowadays. But, the latest malvertising campaign that’s been specifically targeting iOS users can easily be categorized as among the biggest of all such campaigns observed in the past eighteen months.
See: iPhone hacking tool Cellebrite being sold on eBay
According to the findings of security vendor Confiant, large-scale malvertising attacks have been launched by the infamous threat group eGobbler that exploits a security bug in the Chrome browser to bypass its default pop-up blocker and infect iOS devices.
Reportedly, iOS users in the US and various European Union countries are the primary targets in this campaign, which has been active for a week. Apparently, millions of iOS users are currently at risk. Confiant identified this campaign immediately after it was launched on April 6. The company claims that so far over 500 million infected ads have been distributed.
The campaign involves trapping the iOS user with a lucrative offer that states the user has won a gift card. The landing pages used in the scam are hosted on a high-profile domain that is already known to be associated with eGobbler.
It is also observed that eGobbler has launched eight individual campaigns and more than “30 fake creative,” while every fake ad campaign lasts somewhere between 24 and 48 hours and afterward these go into hibernation and end abruptly when the next campaign starts.
Confiant states that the problem lies in the way Chrome’s iOS version handles pop-up ads. It is worth noting that Chrome also has sandboxing feature like other browsers do to ensure that the code used for inserting ads into the web pages doesn’t interact with other components.
According to Eliya Stein, Confiant’s senior security engineer, sandboxing allows web browsers to limit the activities of advertisements especially those served via domains other than the page the browser is hosting. This helps in preventing the browser sessions from being hijacked through pop-up ads that may redirect users to infected landing pages.
However, in this campaign, Google Chrome’s sandboxing fails due to a vulnerability that allows the pop-up to evade this protection and get displayed on the user’s screen.
Stein explains that eGobbler has developed an exploit that tricks Chrome for iOS to let pop-ups get displayed without any interaction from the browser. This means, the bug is present in the built-in pop-up blocker of Chrome. Therefore, all the iOS versions of Chrome are currently impacted, says Stein, because the exploit lets the attacker redirect a user through a pop-up ad and other protections against such redirections like disallowing JavaScript cannot help much.
The exploit developed by eGobbler has certainly magnified the intensity and impact of the campaign.
See: New Mac Malware steals iPhone text messages from iTunes backups
Google was informed about the Chrome browser bug on April 11 and the company is trying to fix the issue since online ads are one of the key revenue generating methods for Google so it cannot afford to let malvertising campaigns like this one affect its reputation.
Confiant is waiting for Google to come up with a fix soon after which the company plans to release a full analysis of the bug and how the eGobbler developed exploit actually works.
Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.