Researchers at Confiant observed a
The campaign was observed between August 1 and September 23.
“Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections.” reads the analysis published by Confiant.
“This blog post will provide overviews and proof of concepts for both browser exploits. The first exploit that we reported on April 11, 2019 impacts Chrome versions prior to 75 on iOS. The second, which we reported on Aug. 7 was fixed in iOS 13 / Safari 13.0.1 on Sept. 19, impacts WebKit based browsers.”
“The nature of the bug is that a cross-origin nested
Experts also discovered that the payload used in this campaign had specifically targeted some web applications using text areas and search forms in order to maximize the chances of hijacking these
“eGobbler’s preference for desktop platforms during this period supports their latest WebKit exploit, as the ‘onkeydown’ event is less likely to spawn organically during mobile browsing,” states Confiant.
Experts reported the bug to both the Chrome and Apple security teams, the latter answered within the hour while on August 9 the former responded that they were investigating.
On August 12, the Chrome team provided an update that a patch was submitted to WebKit on August 9:
Apple addressed the issue in iOS 13 on September 19 and in Safari 13.0.1 on September 24.
The analysis published by the experts includes Indicators of Compromise for the recent campaign, including a list of content delivery network (CDNs) used by