eGobbler hacking group launches flurry of malvertising campaigns to steal 500 million iOS users’ sessions

• More than 500 million iOS users have been targeted in massive malvertising campaigns conducted for almost a week.
• The attacks are primarily focused on users in the US and European countries.

Who is behind the attacks - Experts at security firm Confiant tracked that eGobbler threat actor group has used ‘8 individual campaigns and over 30 fake creatives’ to perform the attacks. The overall campaign lasted for 6 days starting from April 6, 2019.

What is the purpose of the attacks - These campaigns have been specifically designed to steal iOS users’ sessions. Experts noted that each of the fake ads pushed by the threat actor group has a lifespan of between 24 and 48 hours. These fake ads, once launched, were used to orchestrate the further attack process.

How are they launched - Like other threat actor group, eGobbler leveraged cloaking techniques and obfuscation methods to make their payloads look like legitimate ads.

For this wave of attacks, the hacking group used landing pages hosted on .world domain. Once the users visited the malicious domains, they were redirected to ‘You ‘ve won a gift card’ landing pages designed for phishing or malware dropping purposes.

The crooks’ way of hijacking users’ sessions came to light after researchers tested dozens of iOS devices.

“We tested the payload across over two dozen devices, both physical and virtual. The tests included variations in platform, operating system, browser, desktop, and mobile. The malicious code itself has hard-coded logic that targets iOS, so we removed that condition in order to see the results of the full execution on all of the devices that we tested. We also split test this experiment between sandboxed and non-sandboxed iframes,” researchers explained.

How is Chrome abused - According to Confiant researchers, the hackers had managed to bypass the detection by abusing a bug in the Chrome browser for iOS devices.

Chrome’s ad sandboxing features was found to be inefficient to limit malicious ads into a web page.

“The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes,” researchers added.

“Furthermore, this completely circumvents the browser’s anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session.”

What’s the new change - After a brief pause, the attackers are back with new phishing sites hosted on .site domain. These malicious sites are active since April 14, 2019. Researchers claim that this is among the top three massive campaigns that have been observed in the last 18 months.