"A series of rampant malvertising campaigns" targeting iOS users have been detected. The campaigns targeted both US and European publishers and, respectively, their users.
According to Confiant security researchers, the malicious activities come from a known threat actor called eGobbler, which earned its name due to the huge volumes of hits that its campaigns generate.
The hacker group has a tendency to "ramp up their buying around holidays and weekends". Usually their campaigns peak in volume over a period of 36–48 hours before going into a state of hibernation until the next big push, the researchers said.
eGobbler Malvertising Campaigns In Detail
The latest wave of attacks is associated with the use of the ".world" TLD for the landing pages. The volume of attacks is divided into 8 individual campaigns and more than 30 fake creatives (landing pages). The campaign lasted 6 days, starting on Saturday, April 6th. Victims are located across the US and Europe.
According to the report:
The fake ad campaigns themselves had lifespans in the 24–48 hour range, which is common with eGobbler. We estimate that over 500MM user sessions have been exposed beginning Saturday, April 6th. Even though eGobbler has recently been seen on many buy-side platforms, this entire campaign ran on just one the whole time.
The eGobbler threat actor is looking to compromise legitimate ad servers as well as some buy-side platforms. The hackers used cloaked intermediate CDN domains in their infection chain. In their attempt to lie low, the hackers also tried to "smuggle" their payloads inside well-known client-side JavaScript libraries such as GreenSock.
The 8 individual campaigns introduced during the big storm following April 6 were staggered, with new ones appearing approximately every two days. Each campaign had its own targeting and its own lifespan, the researchers discovered.
During their analysis, which included reverse engineering the payload, the researchers discovered techniques that leveraged "iOS Chrome's detection around user activated pop-up detection, resulting in the circumvention of pop-up blocking". What does this mean? The payload's main session hijacking mechanism was pop-up based. In other words, it turned out that "Chrome on iOS was an outlier in that the built-in pop-up blocker failed consistently". The researchers will provide an analysis of the payload and a proof-of-concept exploit for the vulnerability in Chrome on iOS in the near future, as the campaign is still active and the bug is unpatched.
The good news is that Chrome's team was notified of the bug about a week ago and is currently investigating.
The overall impression of this extensive malvertising campaign is that the threat actors put considerable effort into it. Compared to other such campaigns, this one was unique in both payloads and volumes. It is noteworthy that the campaign made a strategic pivot to another platform on April 14 and continues to be active under ".site" TLD landing pages.
“With half a billion user sessions impacted, this is among the top three massive malvertising campaigns that we have seen in the last 18 months”, the researchers concluded.
RoughTed is another example of a quite successful malvertising campaign, detected in 2017. RoughTed was a large-scale malvertising campaign that peaked in March of the same year. Both Windows and Mac operating systems were targeted, as well as iOS and Android. The operation was quite rare in its comprehensiveness, having used a variety of malicious approaches, from exploit kits to online scams such as fake tech support scams, fake updates and rogue browser extensions.