April 24, 2019

A massive fake advert campaign exploiting a vulnerability in the Chrome for iOS mobile browser has redirected more than half a billion iPhone and iPad web sessions to other malicious sites.

According to Confiant, a cyber-security firm that specialises in tracking malvertising (malicious advertising), a hacker well known to researchers launched the campaign on 6 April. More than 500 million user sessions were hijacked, with users in Europe and the US the main targets.

There were eight individual campaigns with over 30 fake adverts. Each campaign had a lifespan of between 24 and 48 hours before going quiet.

The bug lets malicious code hidden in a fake online ad break out of a sandboxed iframe on a mobile web page – the isolated container in which publishers commonly load adverts – and either redirect the user to a malicious landing page or display a bogus pop-up on top of a legitimate site.

Confiant researchers found the hijacking after testing two dozen devices. The attacker apparently abused the way Chrome for iOS decides whether a pop-up was triggered by user activity, and so found a way around the browser's built-in pop-up blocker.
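The iframe sandbox that the eGobbler payload escaped is a publisher-side control: the HTML `sandbox` attribute on the ad's iframe decides whether the creative may navigate the top-level page or open pop-ups at all. The following is an added example, not code from the article, from Confiant or from Google. It audits a sandbox attribute value for the tokens that would hand an ad exactly the capabilities described above, and shows a weak slot beside a hardened one. It runs under Node with no DOM, working only on the attribute's token string; the ad URL and attribute values are constructed for the example.

```javascript
// Sandbox tokens that grant a frame the capabilities a malvertising payload
// needs: navigating the top-level page, or opening a pop-up/dialog over it.
// A clean ad slot grants none of these.
const ESCAPE_TOKENS = [
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-modals",
];

// Split a sandbox attribute value into its tokens. Per the HTML spec the
// value is a whitespace-separated, ASCII case-insensitive token list; an
// empty string still means "fully sandboxed", while a missing attribute
// (null/undefined) means no sandbox at all.
function parseSandbox(attrValue) {
  if (attrValue === null || attrValue === undefined) return null;
  return new Set(
    attrValue.trim().toLowerCase().split(/\s+/).filter((t) => t.length > 0)
  );
}

// Audit one ad frame's sandbox value. Returns:
//   sandboxed     - whether the attribute is present at all
//   granted       - which ESCAPE_TOKENS the frame has been given
//   selfRemovable - allow-scripts together with allow-same-origin: a frame
//                   served from the page's own origin can then delete its
//                   own sandbox attribute and reload (HTML spec warning)
//   ok            - true only when none of the above is a problem
function auditAdFrame(attrValue) {
  const tokens = parseSandbox(attrValue);
  if (tokens === null) {
    return { sandboxed: false, granted: [...ESCAPE_TOKENS], selfRemovable: false, ok: false };
  }
  const granted = ESCAPE_TOKENS.filter((t) => tokens.has(t));
  const selfRemovable = tokens.has("allow-scripts") && tokens.has("allow-same-origin");
  return { sandboxed: true, granted, selfRemovable, ok: granted.length === 0 && !selfRemovable };
}

// Minimal attribute escaping for building the tag below.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The shape of a hardened ad slot: scripts may run (most creative needs
// that), nothing else is granted, and the frame is sent no referrer.
function hardenedAdFrame(src) {
  return `<iframe src="${escapeAttr(src)}" sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>`;
}

// Weak versus corrected values, side by side (constructed, not from any real ad tag).
const WEAK = "allow-scripts allow-same-origin allow-popups allow-top-navigation";
const FIXED = "allow-scripts";
console.log("weak   :", auditAdFrame(WEAK));
console.log("fixed  :", auditAdFrame(FIXED));
console.log("no attr:", auditAdFrame(null));
console.log(hardenedAdFrame("https://ads.example/creative?id=1&x=2"));
```

The audit flags the weak slot on two counts (top-level navigation and pop-ups are granted, and the allow-scripts/allow-same-origin pair would let a same-origin creative strip the sandbox entirely), and passes the hardened one. The caveat is the whole point of the article: Confiant's finding is that a browser bug in Chrome for iOS let the payload escape even a correctly sandboxed frame, so this configuration is the necessary baseline, not a guarantee, and only the browser fix closes that particular gap.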

Return of a celebrity hacker

This particular malvertising campaign is the work of a known cyber assailant given the nom de guerre eGobbler by researchers. The actor first surfaced during the US Thanksgiving holiday last year. Confiant ranks eGobbler amongst the top three purveyors of malvertising campaigns, the other two being ScamClub and VeryMal. All three tend to target US-based iOS users.

Holidays seem to be a favourite time to strike: eGobbler's previous malvertising campaign launched in February over the Presidents' Day holiday weekend. During that attack eGobbler hijacked as many as 800 million ads over a three-day period, redirecting users to tech support scams and phishing sites.

Confiant says they have analysed the likely payload and shared it with Google for review.

What is malvertising?

If you’ve been on the internet long enough, at some point you will have seen a pop-up ad warning that your computer is infected with a virus. The claim was bogus but made to look like a legitimate system alert. The aim was to trick the unsuspecting into paying for dodgy tech support they didn’t need, or to drive them to a malicious landing page that would load very real malware onto their device.

While the pop-up blockers most browsers now feature have largely put paid to that trick, malvertising is still with us. Specialists like eGobbler use an increasingly innovative set of techniques to insert malicious code into ads distributed by popular advertising networks.

How does it work?

In most cases, attackers create fake ad creative that carries malware and then try to sneak it onto online advertising networks. The infected ads can then deposit their payload onto a web user’s mobile device or computer when the page loads, even if the user never clicks on the ad.

Called ‘drive-by downloads’ by security researchers, these are particularly effective against users who don’t regularly update or patch their operating systems. Unlike other types of cyberattack such as phishing, a drive-by doesn’t need the user to do anything to actively enable the attack. It takes advantage of security flaws in an app, operating system or web browser that out-of-date software has left unpatched.

According to a report from GeoEdge, malvertising cost the online advertising industry more than $1.1 billion in 2018. It must be an effective vector of infection: the cost is expected to rise another 20–30 percent this year.

What can we do to defend against it?

Malvertising is tricky to catch, and as we’ve seen with this attack, hackers are endlessly looking for and finding new ways around built-in device and software defences. Campaigns regularly slip under the radar of advertising networks, which often aren’t notified until the first victim pipes up. Attackers can hide malicious code in images and other elements of the ad creative, so security systems have to do more than scan the advert as a single file: they need to analyse each individual component.

To protect themselves from malvertising, employees should be made aware of the importance of keeping their operating systems and browsers up to date. Whether it’s a company-issued or BYOD device, every endpoint on your network has to be updated whenever prompted, whatever the operating system, and everyone needs to maintain an awareness of the risks associated with suspicious downloads and clicks.

As with phishing scams, if an advert seems oddly placed or particularly intrusive, your cyber awareness antennae should immediately go up.

In the end, IT departments need to monitor systems for the signature behaviour of malvertising, while individual staff members should stick to approved browsing tools. That wouldn’t necessarily have kept eGobbler adverts off your device, but at least your IT team would have been alerted by Google once the Chrome for iOS exploit was identified.

Otherwise, monitor the latest malvertising strategies and make sure security awareness training covers the issue along with telltale signs that an advert may be carrying malware. That should add another brick in the data security wall.
