Leveraging zero-day vulnerabilities in Chrome and Safari, cybercriminals were able to deliver over 1 billion malicious ads to users in less than two months.
The attackers targeted both iOS and macOS users, using known zero-day vulnerabilities (now patched) to inject exploit code that redirected vulnerable users to malicious websites, according to security firm Confiant.
The threat actor eGobbler used a zero-day vulnerability in WebKit, the browser engine used in Safari, and in Blink, the WebKit fork used in Chrome, to generate successful redirects.
Confiant researcher and engineer Eliya Stein explained in a blog post how the vulnerability works:
"The error is that an inter-nested iframe is able to change focus by bypassing the sandbox's 'Allow user to navigate' rule on the parent frame. When the inner frame is automatically focused, the keydown event becomes a user-enabled navigation event, rendering the sandbox of the ad completely unusable as a forced-forwarding reduction measure."
Following the discovery of eGobbler's latest campaign, Confiant reported its findings to the Google and Apple security teams. The vulnerability was fixed in Chrome with the release of iOS 13, and a patch for Safari appeared shortly after the release of Safari 13.0.1.
eGobbler has run similar campaigns in the past; earlier this year, one of its campaigns delivered an estimated 500 million malicious ads by exploiting a similar vulnerability in the iOS version of Chrome. The threat actor's latest campaign focused on luring European users to phishing sites based on their mobile service provider.