The latest such malvertising campaign coordinated by the ScamClub group exploited a zero-day in WebKit-based browsers. The end goal of the operation was to inject malicious payloads that redirect users to sites designed for gift card scams.
ScamClub Malvertising and CVE-2021-1801
The malvertising campaign, first observed by Confiant in June last year, exploited the critical CVE-2021-1801 vulnerability. According to the official information, the vulnerability was first discovered in Apple macOS up to 11.1 by researcher Eliya Stein of Confiant.
Apple’s advisory says that the flaw affects the iframe sandboxing policy by using maliciously crafted web content. “This issue was addressed with improved iframe sandbox enforcement,” the advisory said. In other words, the vulnerability allowed threat actors to bypass the iframe sandboxing policy the WebKit browser engine powering Safari and Google Chrome.
“Active for at least several years now, ScamClub malvertisements are defined mainly by forced redirections to scams that offer prizes to “lucky” users, like the all too ubiquitous “You’ve won a Walmart giftcard!” or “You’ve won an iPhone!” landing pages,” Confiant said in their report.
As visible by the screenshots Confiant shared, the tricks used by the ScamClub group are well-known and widely used by various scammers. Maybe you’ve come across similar intrusive pop-ups while browsing online. For example, a popular approach utilized by scammers is employing the names of popular brands such as Amazon (“Congratulations Dear Amazon Customer” pop-ups).
We have covered several scams that utilize the gift card approach, like:
In terms of the techniques ScamClub applied, the attackers relied on the so-called “bombardment strategy”:
Instead of trying to fly under the radar, they flood the ad tech ecosystem with tons of horrendous demand well aware that the majority of it will be blocked by some kind of gatekeeping, but they do this at incredibly high volumes in the hopes that the small percentage that slips through will do significant damage.
More technical details are available in the original Confiant report.