Malvertiser ‘eGobbler’ Exploited Safari, Chrome Flaws in iOS in Malvertising Campaign

Over one billion ad impressions have been hijacked in a malvertising campaign to redirect potential victims to malicious payloads.

According to a post published by security firm Confiant (via The Next Web), roughly 1.16 billion malicious ads served in the past six weeks by a malvertising actor called “eGobbler” contained exploit code that redirected vulnerable users to malicious sites. The surge of malicious ads exploited a Safari vulnerability in both iOS and macOS, as well as a Chrome vulnerability in iOS.

Gobbler is targeting Safari browsers on iOS and macOS devices, as well as Chrome browsers on iOS devices, said Eliya Stein, a researcher with Confiant. The latest campaign, which has garnered up to 1.16 billion impressions between Aug. 1 and Sept. 23, exploits an issue with WebKit, a browser engine used in Apple’s Safari browser, he said.

“If we take a snapshot of eGobbler activity from August 1 to September 23, 2019, then we see a staggering volume of impacted programmatic impressions,” Confiant researcher and engineer Eliya Stein wrote. “By our estimates, we believe up to 1.16 billion impressions have been affected.”

According to researchers, malvertising campaigns by eGobbler typically last for a few days. In that period, eGobbler buys advertisements on genuine services but embeds malicious code in its adverts to perform unauthorised activity on users’ browsers.

These activities normally include displaying disrupting popup ads or redirecting users to malicious sites running scams or hosting malware.

“eGobbler is using this attack to drive victims to phishing pages,” Stein said. “Normally a victim would have to click on an ad to be redirected to a landing page, but eGobbler is able to drive victims to their phishing pages without such interaction.”

Confiant reported the vulnerability to the security teams at both Apple and Google Chrome on August 7. By August 9, the Chrome team had put together a patch and submitted it to the WebKit developers. The same day, Apple responded to say it was investigating. The vulnerability was fixed in the iOS 13 release on September 19, and on September 24 it was also fixed in Safari 13.0.1.

eGobbler has launched similar campaigns in the past and earlier this year one of its campaigns served an estimated 500m malicious ads by exploiting a similar vulnerability in the iOS version of Chrome. The threat actor’s latest campaign was focused on luring European users to phishing pages based on their mobile provider.