I first wrote about eGobbler, the prolific threat actor behind malvertising campaigns with a history of compromising adverts in their hundreds of millions in a matter of hours, on April 17, 2019. Back then, it was iPhone users that were coming under attack as eGobbler exploited a vulnerability in the Google Chrome web browser for iOS to bypass the browser's pop-up blocker and its mitigations against forced redirection. The Chromium development team fixed that bug, CVE-2019-5840, with the release of Chrome 75 for iOS on June 4, 2019. This wasn't, unfortunately, the end of the eGobbler story. The same security researchers from Confiant who found that earlier Chrome vulnerability soon spotted another eGobbler payload out in the wild: this time turning more than 1.1 billion adverts into badverts.
What is a badvert?
A badvert, or malvertising if you prefer the popular infosecurity vernacular, is a seemingly legitimate advert that has been manipulated to carry hidden code that redirects the user to malicious content. The core nature of most badverts is fraudulent: users are redirected away from the real advertising message to landing pages that serve fake content, where the attacker generates revenue by displaying genuine adverts to the hijacked traffic. A secondary payload of badverts can be more malicious in intent; malware distribution or the collection of user credentials is not uncommon.
What is eGobbler?
As I have already mentioned, eGobbler isn't an exploit as such; rather, it is the name given to a prolific and seemingly rather successful malvertising threat actor. Given the vast volumes of hits that the badverts served up by these campaigns achieve (in just ten days, the iOS-targeted campaign was able to distribute more than 500 million badverts), it's likely eGobbler is an organized criminal venture rather than a lone-wolf actor. It's also a venture with some excellent technical skills on the team, capable of finding obscure vulnerabilities that can be exploited. The ability to bypass the sandbox restrictions on the ad's iframe and spawn a pop-up when the user tapped the parent page serving the ad, for example, only worked in the Chrome browser on iOS; other mobile and desktop browsers blocked it.