“A series of rampant malvertising campaigns” targeting iOS users have been detected. The campaigns targeted both North American and European publishers and, respectively, their users.
According to Confiant security researchers, the malicious activities come from a known threat actor called eGobbler, which earned its name due to the huge volumes of hits that its campaigns generate.
The hacker group has a tendency to “ramp up their buying around holidays and weekends”. Usually their campaigns peak in volume over a period of 36–48 hours before going into a state of hibernation until the next big push, the researchers said.
eGobbler Malvertising Campaigns In Detail
The latest wave of attacks is associated with the use of the “.world” TLD for the landing pages. The volume of attacks is divided into 8 individual campaigns and more than 30 fake creatives (landing pages). The duration of the campaign is 6 days, starting on Saturday, April 6th. Victims are located across the US and Europe.
According to the report:
The fake ad campaigns themselves had lifespans in the 24–48 hour range, which is common with eGobbler. We estimate that over 500MM user sessions have been exposed beginning Saturday, April 6th. Even though eGobbler has recently been seen on many buy-side platforms, this entire campaign ran on just one the whole time.
The 8 individual campaigns that were introduced during the big storm following April 6 were staggered, with new ones appearing approximately every two days. Each campaign had its own targeting and its own lifespan, the researchers found.
During their analysis, which included reverse engineering the payload, the researchers discovered techniques that leveraged “iOS Chrome’s detection around user activated pop-up detection, resulting in the circumvention of pop-up blocking”. What does this mean? The payload’s main session hijacking mechanism was pop-up based. In other words, it turned out that “Chrome on iOS was an outlier in that the built-in pop-up blocker failed consistently”. The researchers will provide an analysis of the payload and a proof-of-concept exploit for the vulnerability in Chrome on iOS in the near future, as the campaign is still active and the bug is unpatched.
The good news is that Chrome’s team was notified of the bug about a week ago and is currently investigating.
The overall impression of this extensive malvertising campaign is that the threat actors did their best. Compared to other such campaigns, this one was unique in both payloads and volumes. It is noteworthy that the campaign saw a strategic pivot on April 14 to another platform and continues to be active under “.site” TLD landing pages.
“With half a billion user sessions impacted, this is among the top three massive malvertising campaigns that we have seen in the last 18 months”, the researchers concluded.
RoughTed is another example of a quite successful malvertising campaign, detected in 2017. RoughTed was a large-scale malvertising campaign which saw a peak in March of the same year. Both Windows and Mac operating systems were targeted, as well as iOS and Android. The operation was quite rare in its scope, having used a variety of malicious approaches, from exploit kits to online scams such as fake tech support scams, fake updates, and rogue browser extensions.