eGobbler threat group's new malvertising campaign infects over 1 million ads

• This campaign, which was conducted between August 1 and September 23, 2019, has infected over 1.10 million ad impressions.
• In this campaign, the threat group has leveraged obscure browser bugs that impact WebKit based browsers.

What is the issue?

A new malvertising campaign conducted by eGobbler threat group has infected over 1.16 million ad impressions via the WebKit exploit.

More details about the malvertising campaign

This campaign, which was conducted between August 1 and September 23, 2019, specifically targeted some web applications with text areas and search forms in order to maximize the chances of hijacking keypresses.

• In this campaign, the threat group has leveraged obscure browser bugs that impact WebKit based browsers.
• Researchers noted that the bug initiated redirections on WebKit browsers upon the ‘onkeydown’ event.
• The bug causes a cross-origin nested iframe to “autofocus” thereby bypassing the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame.
• Therefore, once the inner frame gets automatically focused, the keydown event becomes a user-activated navigation event, which makes the ad sandboxing feature unable to block the redirects.

“eGobbler’s preference for desktop platforms during this period supports their latest WebKit exploit, as the ‘onkeydown’ event is less likely to spawn organically during mobile browsing. Historic activity from the threat actor, prior to mid-June was generally targeted towards mobile devices,” researchers said.

Worth noting

The eGobbler threat actors were spotted using several content delivery networks (CDNs) to deliver their payloads.

• Upon discovery, the researchers reported the bug to both the Chrome and Apple security teams on August 7, 2019.
• The Apple team responded back on August 9, 2019 stating that they’re working on a patch.
• On August 12, 2019, the Chrome team provided an update stating that a patch was submitted to WebKit.
• Later, the bug was fixed in iOS 13 on September 19, 2019, and in Safari 13.0.1 on September 24, 2019.