eGobbler infects more than 1 billion ads in worldwide campaign

The eGobbler malvertising threat actor has made a return, this time exploiting a WebKit vulnerability used primarily by iPhone’s Safari browser. Security researchers from Confiant estimate up to 1.16 billion impressions have been compromised since the start of the latest eGobbler campaign, on August 1.

While people are usually wary of opening an infected email, they might not exercise the same caution when browsing online for a new pair of shoes. This is precisely what threat actors like eGobbler focus on.

eGobbler is what the security industry calls a malvertiser, which seeks to resemble a regular company trying to sell online advertising. The problem arises when ads exploit vulnerabilities in browsers, usually redirecting users to malware-laden websites ready to infect unprotected or out-of-date devices.

These types of attacks are much more common than people think. Recall how often you’ve opened a website only to be redirected, without your input, someplace else. If you have an up-to-date phone and Internet browser, you will most likely be fine. But not always.

Confiant tracked eGobbler after it debuted on the market by exploiting a Google Chrome vulnerability on iOS devices, on April 6th. The infected ads targeted the browser’s built-in pop-up blocker, easily bypassing the sandbox and sending people to different landing pages and websites.

Their initial campaign lasted a little over six days. Confiant estimates more than 500 million sessions were exposed, although the problem only manifested itself on iOS.

Confiant notified the Chromium team, and a fix arrived with the Chrome 75 release. You would think that’s the end for eGobbler, but it”s back. This time, it targets the Safari internet browser, which is still using WebKit.

“The iOS Chrome pop-up was not spawning as before, but we were in fact experiencing redirections on WebKit browsers upon the ‘onkeydown’ event,” said Eliya Stein, a security researcher at Confiant.

“The nature of the bug is that a cross-origin nested iframe is able to ‘autofocus’ which bypasses the ‘allow-top-navigation-by-user-activation’ sandbox directive on the parent frame. With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”

Of course, Confiant quickly reported the problem to Apple and Chrome, and a fix was implemented in WebKit, iOS and Safari by September 24.