Malvertising Attack Hijacks 1B+ Sessions With Webkit Exploit


The eGobbler threat actor is back with a new malvertising campaign that has hijacked more than 1 billion sessions.

Researchers have discovered a new wave of attacks launched by the threat group eGobbler, in which victims are redirected to websites hosting malicious payloads. Security experts believe eGobbler was behind this year’s prolific Easter malvertising attack. This time, more than 1 billion ad impressions were hijacked using a WebKit browser-engine exploit.

The eGobbler threat group was first discovered in an April session-hijacking attack launched against half a billion Apple iOS users. That campaign exploited a since-fixed flaw in Chrome for iOS to hijack iPhone and iPad user sessions.

This time around, eGobbler is targeting Safari browsers on iOS and macOS devices, as well as Chrome browsers on iOS devices, said Eliya Stein, a researcher with Confiant who also posted a blog outlining his findings on Monday. This latest campaign, which has garnered up to 1.16 billion impressions between Aug. 1 and Sept. 23, exploits an issue with WebKit, the browser engine used in Apple’s Safari browser, he said.

“eGobbler is using this attack to drive victims to phishing pages,” Stein told Threatpost. “Normally a victim would have to click on an ad to be redirected to a landing page, but eGobbler is able to drive victims to their phishing pages without such interaction.”

Session hijacking occurs when a user is browsing a web page and is suddenly redirected to another site or landing page, or when a pop-up appears that the user can’t exit out of. The pages look like ads from well-known brands, but in reality, if a user clicks on one of them, a payload is deployed. (Below are some of the landing pages used in the campaign, provided to Threatpost by Confiant.)

[Image: landing pages used in the malvertising campaign]

Researchers discovered that the latest malvertising campaign redirects victims by leveraging a flaw in the WebKit browser engine. The threat actor is exploiting a vulnerability involving the ‘keydown’ event, which supplies a code indicating which key on the keyboard was pressed; this explains why more desktop users were targeted in this attack (as opposed to the mobile users targeted in the April campaign), Stein told Threatpost.

The bug stems from a cross-origin nested iframe that impacts the keydown event. An iframe (Inline Frame) is an HTML document embedded inside another HTML document on a website.

When the iframe “autofocuses” (the autofocus attribute specifies that the element should automatically receive input focus when the page loads), it bypasses the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame.

“When the element in the iframe is focused automatically (as per the exploit) this tricks the browser into thinking that the victim took an explicit action in that iframe when the user then presses a key,” Stein told Threatpost. “The exploit essentially tricks the browser into thinking the user initiated some sort of action inside the iframe when they did not.”

Sandbox attributes like “allow-top-navigation-by-user-activation” are designed to keep an iframed ad from doing forced redirections by waiting for a user initiation – so the bypass allows the session to be hijacked.

“With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation,” said researchers.
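The sandbox directive the researchers describe is set by the publisher on each ad iframe. The following is an added example, not code from the article or from Confiant, showing how a publisher might audit those tokens and produce a tighter set; the token names are the HTML standard's, and the advice to drop both top-navigation tokens in favour of popup-based click-through is this example's own assumption.

```javascript
// Added example, not Threatpost's or Confiant's code: audit the `sandbox` tokens a
// publisher hands to ad iframes. Token meanings follow the HTML standard; the
// advice to drop top-navigation tokens is this example's own assumption.
const TOP_NAV_TOKENS = {
  "allow-top-navigation": "ad may navigate the top frame with no user gesture at all",
  "allow-top-navigation-by-user-activation":
    "ad may navigate the top frame after a user gesture; on WebKit before Safari 13.0.1 / " +
    "iOS 13 an autofocused nested iframe plus a keydown counted as that gesture",
};
// Split a sandbox value into tokens; a bare `sandbox` (empty value) yields none,
// which is the most restrictive setting.
function parseSandbox(value) {
  return value.trim().toLowerCase().split(/\s+/).filter(Boolean);
}
// Audit one iframe's sandbox attribute; `null` means the attribute is absent.
function auditSandbox(value) {
  if (value === null) {
    return { tokens: null, findings: ["no sandbox attribute: ad may navigate the top frame freely"] };
  }
  const tokens = parseSandbox(value);
  const findings = tokens.filter((t) => t in TOP_NAV_TOKENS).map((t) => `${t}: ${TOP_NAV_TOKENS[t]}`);
  return { tokens, findings };
}
// Tighter replacement: drop both top-navigation tokens; click-through then goes
// through a popup, so the popup tokens are added when missing.
function hardenSandbox(value) {
  const kept = parseSandbox(value ?? "").filter((t) => !(t in TOP_NAV_TOKENS));
  for (const t of ["allow-popups", "allow-popups-to-escape-sandbox"]) {
    if (!kept.includes(t)) kept.push(t);
  }
  return kept.join(" ");
}
// Find every <iframe ...> in a markup fragment and audit its sandbox attribute.
// Regex-based so it runs in Node without a DOM; adequate for simple ad tags.
function auditMarkup(html) {
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /(?:^|\s)sandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/i;
  const results = [];
  for (let m; (m = tagRe.exec(html)) !== null; ) {
    const a = attrRe.exec(m[1]);
    results.push({ tag: m[0], ...auditSandbox(a ? a[1] ?? a[2] ?? a[3] ?? "" : null) });
  }
  return results;
}
// Constructed sample with three ad slots; only the first is tight enough.
const SAMPLE_MARKUP = `
<iframe src="https://ads.example/a" sandbox="allow-scripts allow-popups"></iframe>
<iframe src="https://ads.example/b" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://ads.example/c"></iframe>`;
```

Running `auditMarkup(SAMPLE_MARKUP)` flags the second and third slots; `hardenSandbox` on either yields a token set with no top-frame navigation at all, which is the only setting that did not depend on WebKit's activation tracking before the fix.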

The latest campaign also points to a change of pace in targeting for the threat actor, which had previously targeted mobile devices, researchers said: “eGobbler’s preference for desktop platforms during this period supports their latest WebKit exploit, as the ‘onkeydown’ event is less likely to spawn organically during mobile browsing,” they said. “Historic activity from the threat actor, prior to mid-June was generally targeted towards mobile devices.”

The campaign was reported to Apple on Aug. 7. Apple issued a fix in iOS 13/Safari 13.0.1 on Sept. 24. Apple did not immediately respond to a request for comment from Threatpost.
