Security researchers from Confiant detailed a malvertising campaign that exploited a vulnerability in WebKit-based browsers to bypass security restrictions and redirect users to shady websites promising prizes such as gift cards or gadgets.
The researchers discovered the vulnerability while analyzing a campaign carried out by a threat actor tracked as ScamClub. This group has been around for several years now and is known for its malvertising operations, in which the scammers buy large quantities of ad slots on multiple platforms in the hope that some of their malicious ads reach users.
“This attacker historically favors what we refer to as a “bombardment” strategy. Instead of trying to fly under the radar, they flood the ad tech ecosystem with tons of horrendous demand well aware that the majority of it will be blocked by some kind of gatekeeping, but they do this at incredibly high volumes in the hopes that the small percentage that slips through will do significant damage,” Confiant explained.
The observed campaign appears to have been active since June 2020, the researchers said.
“Over the last 90 days, ScamClub has delivered over 50MM malicious [ad] impressions, maintaining a low baseline of activity augmented by frequent manic bursts — with as many as 16MM impacted ads being served in a single day,” according to Confiant.
The researchers also noticed that in this operation ScamClub used a novel method to bypass WebKit's iframe sandboxing feature by using an event listener for a “message” event.
“Combined with ScamClub’s large volumes and broad targeting that hits dozens of different websites, it’s all about the increased efficacy of spawning a successful redirect — even if we’re talking about a single digit percentage increase, that can mean tens of thousands of impacted impressions over the duration of a single campaign,” the researchers pointed out.
Confiant informed Apple and Google, whose browsers use the WebKit browser engine, of its findings last summer. The vulnerability, tracked as CVE-2021-1801, was patched in WebKit in December 2020, and Apple included the patch for this bug in the versions of WebKit shipped in updates released for iOS and macOS at the beginning of February.