A vulnerability in Chrome for iOS was used by hackers to push fake ads to 500 million user sessions.
According to a blog post by IT security firm Confiant, the threat actor, nicknamed eGobbler by researchers, kicked off the campaign on Saturday, 6 April. It was composed of eight individual campaigns and over 30 fake creatives, and was directed at users in the US and Europe.
Researchers said that around 500 million user sessions were targeted with the fake ad push. The ad campaigns had lifespans of around 24 to 48 hours before going into hibernation.
They added that eGobbler is easily recognised by its use of the ".world" TLD for its landing pages. Sessions are then hijacked and redirected to malicious landing pages, despite the presence within the browser of pop-up blockers.
Researchers discovered the hijacking after testing two dozen devices, both physical and virtual. The tests covered variations in platform, operating system, browser, desktop and mobile, and were split between sandboxed and non-sandboxed iframes.
"Right away we were surprised to find that the payload’s main session hijacking mechanism was pop-up based, and furthermore, Chrome on iOS was an outlier in that the built-in pop-up blocker failed consistently," said researchers.
Through reverse engineering, researchers then found that the attackers used techniques that abused how Chrome on iOS detects user-activated pop-ups, allowing them to circumvent pop-up blocking.
Researchers said that they would publish an analysis of the payload and a proof-of-concept exploit once the Chrome bug is patched.
One notable point of the campaign, they said, is that the malvertising exploit leveraged by eGobbler is not preventable by standard ad sandboxing attributes.
"A large majority of sandboxed cross-origin ad serving happens to come from Google: this includes both AdX and EBDA. We tested the eGobbler payload against the standard set of sandboxing attributes as they exist in 90 percent of Google's ad serving products," said researchers.
"The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes.
Furthermore, this completely circumvents the browser’s anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session."
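The "standard set of sandboxing attributes" the researchers refer to is the HTML `sandbox` attribute on the ad iframe, where each `allow-*` token lifts one restriction. The following is an added example, not code from the article or from Confiant's research: a small static auditor that scans page markup for ad iframes and reports which capabilities each slot re-enables, so a publisher can see how far a slot departs from a fully sandboxed frame. The token list is the one defined by the HTML specification; the `ads.example` tags in `SAMPLE_PAGE` are constructed for illustration. Note that the article's point is precisely that eGobbler bypassed these restrictions, so this audit documents the baseline a slot is relying on; it does not detect the bypass itself.

```javascript
// Added example (not from the article or from Confiant's research): a small
// auditor for the `sandbox` attribute on third-party ad iframes. It reports the
// capabilities each ad slot re-enables so a publisher can see how far a slot
// departs from a fully sandboxed frame. The tags in SAMPLE_PAGE are constructed.

// Tokens defined for the iframe sandbox attribute; each one lifts a restriction.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Split an attribute value into its token set. Returns null when the attribute
// is absent (no sandbox at all); an empty string yields the empty set, which is
// the most restrictive configuration.
function parseSandbox(attrValue) {
  if (attrValue === null || attrValue === undefined) return null;
  return new Set(attrValue.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase()));
}

// Return a list of human-readable findings for one sandbox value.
function auditSandbox(attrValue) {
  const findings = [];
  const tokens = parseSandbox(attrValue);
  if (tokens === null) {
    findings.push("no sandbox attribute: the frame keeps every capability of its origin");
    return findings;
  }
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) findings.push(`unknown token '${t}' is ignored by browsers`);
  }
  if (tokens.has("allow-top-navigation")) {
    findings.push("allow-top-navigation: the frame may navigate the top page without any user gesture");
  }
  if (tokens.has("allow-popups") && tokens.has("allow-popups-to-escape-sandbox")) {
    findings.push("allow-popups-to-escape-sandbox: windows opened by the frame run with no sandbox");
  }
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin: content same-origin with the embedder can strip its own sandbox");
  }
  return findings;
}

// Pull the sandbox value out of an iframe's attribute string. A bare `sandbox`
// (no value) is valid HTML and means all restrictions apply.
function extractSandbox(tagAttrs) {
  const m = /(?<![\w-])sandbox\b(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i.exec(tagAttrs);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? "";
}

// Scan a page fragment for iframe tags and audit each one. This is a simple
// regex scan meant for static review of templates, not a full HTML parser.
function auditAdSlots(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*["']([^"']*)["']/i.exec(attrs);
    results.push({
      src: srcMatch ? srcMatch[1] : "(no src)",
      findings: auditSandbox(extractSandbox(attrs)),
    });
  }
  return results;
}

// Constructed sample: four ad slots with progressively tighter sandboxes.
const SAMPLE_PAGE = `
<iframe src="https://ads.example/slot1" sandbox="allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://ads.example/slot2" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example/slot3"></iframe>
<iframe src="https://ads.example/slot4" sandbox></iframe>
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditAdSlots(SAMPLE_PAGE), null, 2));
}
```

Run with `node` to print the findings for the four constructed slots: slot1 re-enables sandbox-escaping pop-ups, slot2 allows top-level navigation with no user gesture at all, slot3 has no sandbox, and slot4 is fully restricted. The checks encode a defender's reading of the attribute: `allow-top-navigation-by-user-activation` and plain `allow-popups` are the usual compromise for ad slots, and anything looser deserves a review.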
Researchers added that the campaign was a "standout" one compared to others tracked by the firm.
"After a brief pause, the campaign saw a strategic pivot on April 14 to another platform and is currently still active under ".site" TLD landing pages. With half a billion user sessions impacted, this is among the top three massive malvertising campaigns that we have seen in the last 18 months," researchers added.
Gary Cox, technology director for Western Europe at Infoblox, told SC Media UK that, as usual, this campaign appears to be one that is simply sprayed out as widely as possible for maximum gain.
"The fact that we are seeing it in certain geos isn't surprising; the campaign needs to be believable. For example, if most people in the UK received a message about an upgrade to their Verizon phone contract they would ignore it; however, rebuild the campaign and change that to Vodafone or EE and it becomes relevant for a UK target audience," he said.
Alex Hinchliffe, threat intelligence analyst at Palo Alto Networks, told SC Media UK that anything that uses the internet, or an intranet, in the slightest way must be included on the list of potential threat vectors and secured accordingly. "Creating an industry safeguard against malvertising requires the coordinated effort of ad networks and publishers, as well as pressure from ad hosting web sites," he said.