Attackers exploited a zero-day vulnerability in Chrome and Safari web browsers and served up more than 1 billion malicious ads to users between August and September, said security firm Confiant.
Malvertisements, or malicious advertisements, are particularly insidious types of attacks because they can redirect users from the sites they are on to other malicious sites or execute code on the user’s computer. The user typically doesn’t need to click on the ad itself, or engage with the ad, to become a victim.
The threat actor eGobbler racked up a “staggering volume” of impressions over a six-week period starting in August as part of their latest malvertisement campaign, Confiant said. Users were redirected to phishing pages spoofed to look like the target’s mobile provider. The attacks seem focused on stealing credentials and user information and less on executing code.
"By our estimates, we believe up to 1.16 billion impressions have been affected," wrote Confiant researcher and engineer Eliya Stein.
The vulnerability was in WebKit, the browser engine used in Safari and other browsers, in the handling of the JavaScript onkeydown event, which fires whenever a user presses a key on the keyboard (CVE-2019-8771). Chrome relies on a WebKit fork, Blink, but the vulnerable code was present there as well. The WebKit exploit triggered the vulnerability to allow ads loaded in an iframe tag on an HTML page to break out of the browser’s sandbox protections. Once free of the sandbox, the ad could redirect users to other pages. Confiant also noted that the campaign specifically targeted web applications that had text areas and search forms “to maximize the chances” of the user typing something and firing the vulnerable event handler.
“The nature of the bug is that a cross-origin nested iframe is able to autofocus, which bypasses the allow-top-navigation-by-user-activation sandbox directive on the parent frame,” Stein wrote. “With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”
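The sandbox directive Stein describes is something a publisher controls in its own page markup, so one practical defensive step is to audit ad creatives before they are served: check what each nested iframe is actually granted, and flag focus-stealing markup that could manufacture a “user activation” inside a nested frame. The following is an added illustration, not Confiant’s code or any tool mentioned in the article. It uses a deliberately simple regex-based tag parser (a production pipeline would use a real HTML parser), and the sample creatives, the ads.example hostnames and the function names are all constructed for the example.

```javascript
// Added example (not Confiant's code): a static pre-serve check over an ad
// creative's HTML. It lists every <iframe>, classifies its sandbox token list by
// forced-redirect risk, and flags autofocus markup or focus() calls anywhere in
// the creative. Regex-based by design; hostnames and samples are constructed.

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// attribute name, optionally followed by ="..." / '...' / unquoted value
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse one tag's attribute text into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Rate one iframe's sandbox grant. An unsandboxed frame and an unconditional
// allow-top-navigation grant are both "high": either lets the creative redirect
// the top page without any keystroke or click at all.
function classifySandbox(attrs) {
  if (!('sandbox' in attrs)) {
    return { level: 'high', reason: 'iframe has no sandbox attribute' };
  }
  const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has('allow-top-navigation')) {
    return { level: 'high', reason: 'allow-top-navigation permits redirects without any user gesture' };
  }
  if (tokens.has('allow-top-navigation-by-user-activation')) {
    return {
      level: 'medium',
      reason: 'top navigation allowed on user activation; depends on the browser not counting synthetic focus as activation',
    };
  }
  return { level: 'low', reason: 'top navigation not granted' };
}

// Audit a whole creative; returns a list of findings in document order.
function auditAdCreative(html) {
  const findings = [];
  let index = 0;
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    const verdict = classifySandbox(attrs);
    findings.push({ kind: 'iframe', index: index++, src: attrs.src || '', ...verdict });
  }
  if (/\bautofocus\b/i.test(html)) {
    findings.push({ kind: 'autofocus-attribute', level: 'medium', reason: 'autofocus can move focus into a nested frame without a click' });
  }
  if (/\.focus\s*\(/.test(html)) {
    findings.push({ kind: 'focus-call', level: 'medium', reason: 'script calls focus(); keystrokes may then land in the frame' });
  }
  return findings;
}

const SEVERITY = { low: 0, medium: 1, high: 2 };
function worstLevel(findings) {
  return findings.reduce((worst, f) => (SEVERITY[f.level] > SEVERITY[worst] ? f.level : worst), 'low');
}

// Constructed sample creatives (not real ad markup).
const SAMPLE_RISKY = `<div id="ad">
<iframe src="https://ads.example/creative.html" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example/inner.html" autofocus></iframe>
<script>document.querySelector('iframe').focus();</script></div>`;
const SAMPLE_BY_ACTIVATION = `<iframe src="https://ads.example/creative.html" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>`;
const SAMPLE_STRICT = `<iframe sandbox="allow-scripts" src="https://ads.example/creative.html"></iframe>`;

for (const [name, html] of [['risky', SAMPLE_RISKY], ['by-activation', SAMPLE_BY_ACTIVATION], ['strict', SAMPLE_STRICT]]) {
  const findings = auditAdCreative(html);
  console.log(`${name}: worst=${worstLevel(findings)}`);
  for (const f of findings) console.log('  ', JSON.stringify(f));
}
```

The point of the “medium” rating is the one the article makes: allow-top-navigation-by-user-activation is the intended mitigation, and it only holds if the browser refuses to treat programmatic focus as a user gesture. Until a patched WebKit reaches every user, a creative that both relies on that directive and contains autofocus or focus() calls deserves a closer look before it goes live.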
Confiant researchers reported the issues to both Google and Apple in early August. The vulnerability was fixed in WebKit promptly; Apple’s iOS 13 update carried the fix for Chrome on iOS, and Safari received it in version 13.0.1.
It does not look as if the vulnerability has been fixed for Windows users surfing the web via Chrome. There were no WebKit security fixes in Chrome 77, released in mid-September.
Confiant has been tracking eGobbler over the past year. A previous campaign over the spring exploited an unpatched vulnerability in the iOS version of Chrome (CVE-2019-5840) and served an estimated 500 million malicious ads to unsuspecting users. That flaw was fixed with Chrome 75.
In that attack, the group circumvented Chrome’s built-in pop-up blocker to display malicious ads. The mobile browser did not have standard ad-serving sandbox features, which meant there was nothing stopping the attacker once the blocker was bypassed. Confiant said only the Chrome browser on iOS was impacted; other mobile and desktop browsers successfully blocked the pop-up attack.
Historically, eGobbler aimed its malicious ad campaigns at mobile users, but the latest campaign targeted users on desktop platforms, since the WebKit exploit depended on the user typing something. The onkeydown event “is less likely to spawn organically during mobile browsing,” Stein wrote. Confiant said eGobbler switched to the WebKit exploit shortly after the iOS flaw was fixed.
The group is very quick to adapt and evolve its methods. Over the past six months, the threat group has used two obscure browser vulnerabilities to bypass built-in protections against pop-ups and forced redirects. While this wave heavily targeted users in Europe, eGobbler has targeted users all around the world.
“It’s not uncommon for their campaigns to compromise up to hundreds of millions of programmatic ad impressions in a matter of hours and the impact from their ongoing activity is felt across the United States and Europe,” Stein wrote.