A threat actor known as eGobbler is taking advantage of a vulnerability in the Chrome web browser for iOS to target iPhone users with an exploit that serves up malicious advertising. According to researchers at security vendor Confiant, the malvertising campaign has served up more than 500 million malicious ads since it started ten days ago.
Malicious advertising, malvertising for short, is where seemingly legitimate adverts are displayed that carry underlying code which redirects users to fraudulent or malicious content. In the case of the eGobbler campaign targeting iOS users, the threat actor has compromised legitimate advertising servers, which are then used to deliver adverts that redirect the user to a pop-up competition scam window. The payoff for the attacker is two-fold: they earn money from the adverts being displayed, and they can use the landing pages to distribute malware or collect user data. eGobbler is the name that has been given to the threat actor, thought to be a well-organized criminal group, on account of the huge volumes of hits that the malicious advertising campaigns it runs achieve. The group has been active for some time; its campaigns usually stay active for only a couple of days, then go quiet for a short time before the next wave begins. This pattern of activity has been noted by researchers investigating the ongoing malvertising campaign.
Chrome for iOS, which runs on WebKit rather than the Chromium engine, incorporates what is known as sandboxing technology, which prevents advertising injection code from interacting with other components in a way that might be a security threat. In particular, the Chrome sandbox should prevent malicious adverts from hijacking the browser session and launching a pop-up window without any user interaction, or from redirecting the user to landing pages they are not expecting. Confiant researchers have yet to reveal the precise mechanism by which eGobbler has bypassed the Chrome for iOS sandboxing, in order to give Google time to issue a patch, but say that "the fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes. Furthermore, this completely circumvents the browser's anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session." The security researcher who uncovered the vulnerability, Eliya Stein, tweets that this "is technically a chrome pop-up blocker bypass, but in a way it's a sandbox bypass, because it hijacks the session with a pop-up instead of a redirection."
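The browser-side controls the article refers to (the restrictions placed on cross-origin ad iframes) are something a publisher can also enforce from its own pages with the iframe `sandbox` attribute. The following audit script is an added example, not code from the article, Confiant or Google: it scans a page's HTML for ad iframes that either lack a `sandbox` attribute or grant tokens that would let embedded ad code open pop-ups or navigate the top-level page. The sample HTML and the `ads.example.test` host are constructed for the example.

```javascript
// Added example: audit publisher HTML for ad iframes whose sandbox settings
// would let third-party ad code open pop-ups or redirect the top-level page.
// Sandbox tokens that hand the embedded ad the capabilities abused by
// malvertising pop-up and redirect chains.
const RISKY_TOKENS = new Set([
  'allow-popups',                    // ad code may open a new window
  'allow-top-navigation',            // ad code may navigate the whole page
  'allow-popups-to-escape-sandbox',  // windows it opens are unsandboxed
]);

// Parse the attributes of a single <iframe ...> tag into an object.
function parseAttributes(tag) {
  const inner = tag.replace(/^<iframe\b/i, '').replace(/\/?>$/, '');
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per iframe that is unsandboxed or over-privileged.
function auditAdIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const src = attrs.src || '(no src)';
    if (!('sandbox' in attrs)) {
      findings.push({ src, issue: 'no sandbox attribute: ad runs with full frame privileges' });
      continue;
    }
    const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
    const risky = tokens.filter((t) => RISKY_TOKENS.has(t));
    if (risky.length > 0) {
      findings.push({ src, issue: `sandbox grants ${risky.join(', ')}` });
    }
  }
  return findings;
}

// Constructed sample page: slot 1 is unsandboxed, slot 2 is over-privileged,
// slot 3 only allows scripts and should produce no finding.
const SAMPLE_HTML = `
<div id="ad-slot-1"><iframe src="https://ads.example.test/creative1.html"></iframe></div>
<div id="ad-slot-2"><iframe src="https://ads.example.test/creative2.html"
  sandbox="allow-scripts allow-popups allow-top-navigation"></iframe></div>
<div id="ad-slot-3"><iframe src="https://ads.example.test/creative3.html"
  sandbox="allow-scripts"></iframe></div>
`;

for (const f of auditAdIframes(SAMPLE_HTML)) console.log(`${f.src}: ${f.issue}`);
```

A clean result from this check does not cover an engine-level bypass like the one Confiant describes, but it removes the cases where the page itself hands the ad the pop-up or navigation capability.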