Surge of malicious ads target iOS and macOS users

(Image credit: Pixabay)

By exploiting zero-day vulnerabilities in Chrome and Safari, cybercriminals were able to serve over 1bn malicious ads to users in less than a two month period.

The attackers targeted both iOS and macOS users by leveraging known zero-day vulnerabilities (which have since been patched) to inject exploit code which redirected vulnerable users to malicious sites according to the security firm Confiant.

The threat actor eGobbler exploited a zero-day vulnerability in Webkit, the browser engine used in Safari and Blink, the Webkit fork used in Chrome, to generate successful redirects. 

The vulnerability, tracked as CVE-2019-8771, existed in a JavaScript function which occurs each time a user presses down a key on their keyboard. By exploiting the vulnerability, eGobbler was able to allow ads linked in HTML tags called iframes to break out of security sandbox protections that prevent a user from being redirected without their knowledge.

Malicious ads

Researcher and engineer at Confiant, Eliya Stein explained how the vulnerability worked in a blog post, saying:

“The nature of the bug is that a cross-origin nested iframe is able to “autofocus” which bypasses the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame. With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”

After discovering eGobbler's latest campaign, Confiant reported its findings to both Google and Apple's security teams. The vulnerability was fixed in Chrome with the release of iOS 13 and a patch for Safari arrived shortly after with the release of Safari 13.0.1.

eGobbler has launched similar campaigns in the past and earlier this year one of its campaigns served an estimated 500m malicious ads by exploiting a similar vulnerability in the iOS version of Chrome. The threat actor's latest campaign was focused on luring European users to phishing pages based on their mobile provider.

Via Ars Technica

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.