Surge of malicious ads target iOS and macOS users

Leveraging zero-day vulnerabilities in Chrome and Safari, cybercriminals were able to deliver over 1 billion malicious ads to users in less than two months.

According to security firm Confiant, the attackers targeted both iOS and macOS users, using zero-day vulnerabilities (since patched) to inject exploit code that redirected vulnerable users to malicious websites.

The threat actor, known as eGobbler, used a zero-day vulnerability in WebKit, the browser engine behind Safari and the basis of Chrome's Blink engine, to trigger the redirects.

The vulnerability, tracked as CVE-2019-8771, involves a JavaScript event that fires each time a user presses a key on the keyboard. By exploiting it, eGobbler ads embedded in HTML iframes could bypass the sandbox protection that is meant to prevent users from being redirected without their knowledge.

Harmful ads

Confiant researcher and engineer Eliya Stein explained in a blog post how the vulnerability works:

"The error is that an inter-nested iframe is able to change focus by bypassing the sandbox's 'Allow user to navigate' rule on the parent frame. When the inner frame is automatically focused, the keydown event becomes a user-enabled navigation event, rendering the sandbox of the ad completely unusable as a forced-forwarding reduction measure."
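One defensive check that follows from the mechanism described above, added here as an example that is not part of the article or of Confiant's work: a Python scanner that audits an ad creative's markup for the ingredients this bug depended on (frames whose sandbox permits top-level navigation, unsandboxed frames, and an autofocus inside a frame). The sandbox token names are the standard HTML iframe ones; the sample creatives are constructed, not real eGobbler payloads.

```python
from html.parser import HTMLParser

# Standard iframe sandbox tokens that permit navigating the top-level page.
# The user-activation variant is flagged too, because the bug this article
# describes turned a scripted autofocus into "user activation".
TOP_NAV_TOKENS = {"allow-top-navigation", "allow-top-navigation-by-user-activation"}


class _CreativeAuditor(HTMLParser):
    """Collects findings for one document level; srcdoc frames are audited recursively."""

    def __init__(self, depth):
        super().__init__()
        self.depth = depth      # 0 = the creative itself, 1 = a frame inside it, ...
        self.findings = []      # list of (finding, depth, detail) tuples

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)     # html.parser has already unescaped attribute values
        if tag == "iframe":
            label = attrs.get("src") or ("srcdoc" if "srcdoc" in attrs else "(no src)")
            if "sandbox" not in attrs:
                self.findings.append(("unsandboxed-iframe", self.depth, label))
            elif set((attrs["sandbox"] or "").split()) & TOP_NAV_TOKENS:
                self.findings.append(("top-navigation-allowed", self.depth, label))
            # Inline frame content is visible to us, so audit it one level deeper.
            if attrs.get("srcdoc"):
                self.findings.extend(audit_creative(attrs["srcdoc"], self.depth + 1))
        # A focus grab inside a frame is the lever the described bug relied on.
        if "autofocus" in attrs and self.depth > 0:
            self.findings.append(("autofocus-in-frame", self.depth, tag))


def audit_creative(html, depth=0):
    """Return findings for an ad creative; an empty list means nothing suspicious."""
    auditor = _CreativeAuditor(depth)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample creatives (hypothetical hosts, not real ad payloads).
SAFE_CREATIVE = '<iframe sandbox="allow-scripts" src="https://ads.example/c1"></iframe>'
RISKY_CREATIVE = (
    '<iframe sandbox="allow-scripts allow-top-navigation-by-user-activation" '
    'srcdoc="&lt;input autofocus&gt;&lt;iframe src=&quot;https://ads.example/inner&quot;&gt;&lt;/iframe&gt;">'
    '</iframe>'
)

if __name__ == "__main__":
    for name, creative in (("safe", SAFE_CREATIVE), ("risky", RISKY_CREATIVE)):
        print(name, audit_creative(creative))
```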

After discovering eGobbler's latest campaign, Confiant reported its findings to the Google and Apple security teams. The vulnerability was fixed for Chrome with the release of iOS 13, and a patch for Safari followed shortly afterwards in Safari 13.0.1.

eGobbler has run similar campaigns in the past; earlier this year, one of them delivered an estimated 500 million malicious ads by exploiting a similar vulnerability in the iOS version of Chrome. The threat actor's latest campaign focused on luring European users to phishing sites based on their mobile service provider.
