The group tracked as eGobbler is exploiting a security flaw in the Google Chrome browser to target millions of iOS users.
Experts at security firm Confiant tracked the campaign since April 6, they estimate that more than 500 million malicious ads have been already served to iOS users.
The users are being redirected to scam “You’ve won a gift card” landing pages hosted on the “.world” top-level domain previously associated with eGobbler.
Google is already working on a fix to address the bug in its browser.
According to Confiant, the flaw is tied to the way the Chrome browser for iOS handles pop-ups. Chrome implements ad sandboxing features that limit how the code used to insert ads into a web page can interact with other components of the page.
Under normal conditions, the ad sandboxing features should prevent a pop-up from being launched unless the user explicitly enables it, but the bug in Chrome lets attackers bypass this protection mechanism.
“The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes,” reads the analysis published by Confiant.
“Furthermore, this completely circumvents the browser’s anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session.
We believe that this exploit was key in magnifying the impact of this attack. Where standard sandboxing rules like the ones above would ultimately succeed in blocking certain redirections, they consistently failed to protect users from this campaign on iOS Chrome.”
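The sandboxing rules Confiant refers to are the ones a publisher sets on an ad iframe: without the right sandbox tokens, a cross-origin ad should not be able to open a pop-up or redirect the top-level page on its own. The following audit script is an added example and is not code from Confiant or from the Chrome project; it checks the sandbox tokens on constructed ad-slot markup (the slot URLs, the token lists and the function names are assumptions for illustration) and flags the capabilities malvertising relies on. It is a baseline check for publishers, not a substitute for the browser fix, since the bug described above let pop-ups through on iOS Chrome regardless of these tokens.

```javascript
// Added example: audit the sandbox="..." tokens applied to an ad iframe.
// Not part of Confiant's write-up; token policy and sample markup are assumptions.

// Tokens that hand an ad exactly the capabilities a malvertising campaign abuses.
const RISKY_TOKENS = {
  'allow-popups': 'ad may open pop-ups without a user gesture',
  'allow-popups-to-escape-sandbox': 'pop-ups opened by the ad are not sandboxed',
  'allow-top-navigation': 'ad may redirect the top-level page without a user gesture',
};

// Tokens considered acceptable for a typical ad slot (assumed baseline policy).
const BASELINE_TOKENS = new Set([
  'allow-scripts',
  'allow-forms',
  'allow-same-origin',                        // risky only combined with allow-scripts on same-origin content
  'allow-top-navigation-by-user-activation', // top-frame redirect only after a click or tap
]);

// Simplified attribute parser: returns the token set, or null when the iframe
// carries no sandbox attribute at all. Only handles a single <iframe ...> tag.
function parseSandbox(iframeHtml) {
  const m = iframeHtml.match(
    /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=[\s>\/])/i
  );
  if (!m) return null;
  const value = m[1] || m[2] || m[3] || '';
  return new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
}

// Returns a list of human-readable findings; an empty list means the slot
// matches the baseline policy.
function auditAdFrame(iframeHtml) {
  const findings = [];
  const tokens = parseSandbox(iframeHtml);
  if (tokens === null) {
    findings.push('no sandbox attribute: ad runs with full frame privileges');
    return findings;
  }
  for (const [tok, why] of Object.entries(RISKY_TOKENS)) {
    if (tokens.has(tok)) findings.push(`${tok}: ${why}`);
  }
  // With both tokens, a framed document that is same-origin with the embedder
  // can reach the parent and strip its own sandbox attribute.
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: same-origin frame could remove its own sandbox');
  }
  for (const tok of tokens) {
    if (!BASELINE_TOKENS.has(tok) && !(tok in RISKY_TOKENS)) {
      findings.push(`${tok}: outside the baseline token set, review`);
    }
  }
  return findings;
}

// Constructed sample slots (not real ad markup).
const SAMPLE_SLOTS = {
  weak: '<iframe src="https://ads.example/slot" sandbox="allow-scripts allow-popups allow-top-navigation"></iframe>',
  unsandboxed: '<iframe src="https://ads.example/slot"></iframe>',
  hardened: '<iframe src="https://ads.example/slot" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>',
};

for (const [name, html] of Object.entries(SAMPLE_SLOTS)) {
  const findings = auditAdFrame(html);
  console.log(`${name}: ${findings.length ? findings.join('; ') : 'ok'}`);
}
```

The hardened slot keeps scripts enabled (ads need them) but only permits a top-frame redirect after user activation, which is the behaviour the browser's anti-redirect logic expects; the weak slot hands the ad both pop-ups and gesture-free redirects, which is the capability the campaign above obtained without any sandbox grant.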
Experts tracked eight individual malvertising campaigns associated with eGobbler, mostly targeting iOS users in the US over a six-day period starting April 6. Each campaign lasted between one and two days.
“The typical entry points for eGobbler campaigns are legitimate ad servers that they infect coupled with one or more buy-side platforms.
They use cloaked intermediate CDN domains as part of their ad delivery. Quite often these domains sit behind at least a single layer of client-side fingerprinting.”
Experts believe that
Confiant decided to give the Google Chrome security team time to address the flaw before releasing more details on the exploit.