Surge of malicious ads target iOS and macOS users

By exploiting zero-day vulnerabilities in Chrome and Safari, cybercriminals were able to serve over 1bn malicious ads to users in less than a two month period.

The attackers targeted both iOS and macOS users by leveraging known zero-day vulnerabilities (which have since been patched) to inject exploit code which redirected vulnerable users to malicious sites according to the security firm Confiant.

The threat actor eGobbler exploited a zero-day vulnerability in Webkit, the browser engine used in Safari and Blink, the Webkit fork used in Chrome, to generate successful redirects. 

The vulnerability, tracked as CVE-2019-8771, existed in a JavaScript function which occurs each time a user presses down a key on their keyboard. By exploiting the vulnerability, eGobbler was able to allow ads linked in HTML tags called iframes to break out of security sandbox protections that prevent a user from being redirected without their knowledge.

Malicious ads

Researcher and engineer at Confiant, Eliya Stein explained how the vulnerability worked in a blog post, saying:

“The nature of the bug is that a cross-origin nested iframe is able to “autofocus” which bypasses the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame. With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”

After discovering eGobbler’s latest campaign, Confiant reported its findings to both Google and Apple’s security teams. The vulnerability was fixed in Chrome with the release of iOS 13 and a patch for Safari arrived shortly after with the release of Safari 13.0.1.

eGobbler has launched similar campaigns in the past and earlier this year one of its campaigns served an estimated 500m malicious ads by exploiting a similar vulnerability in the iOS version of Chrome. The threat actor’s latest campaign was focused on luring European users to phishing pages based on their mobile provider.

Via Ars Technica

Source

Be the first to comment

Leave a Reply

Your email address will not be published.


*


1 × five =