Over the past six months, a threat group dubbed eGobbler has leveraged obscure browser bugs to bypass built-in browser protections against pop-ups and forced redirections. The first campaign was spotted by Confiant researchers in April, when the eGobbler group was using a Chrome for iOS bug (CVE-2019-5840) to circumvent the browser's built-in pop-up blocker and deliver malicious ads to roughly 500 million user sessions in the U.S. and EU countries. Although the bug was fixed in Chrome 75, released in June, the attackers continued to use the exploit, targeting users who had failed to update their browsers.
The second campaign was observed between August 1 and September 23, 2019. While eGobbler's operations had previously focused on iOS devices, this time the attackers targeted Windows, Linux, and macOS desktop devices in another series of malvertising attacks. Within a span of two months, the group hijacked nearly 1.16 billion ad impressions to redirect potential victims to malicious sites.
While analyzing the payload observed in the new campaign, the researchers found that the eGobbler group had switched tactics: instead of the Chrome for iOS pop-up bug, the recent attacks exploited a different vulnerability, this one in WebKit-based browsers.
“This time around however, the iOS Chrome pop-up was not spawning as before, but we were in fact experiencing redirections on WebKit browsers upon the ‘onkeydown’ event”, the researchers explained.
“The nature of the bug is that a cross-origin nested iframe is able to ‘autofocus’ which bypasses the ‘allow-top-navigation-by-user-activation’ sandbox directive on the parent frame. With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”
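To make the mechanism in that quote concrete, the following is an added example written for this page; it is not Confiant's tooling or anything recovered from eGobbler's payload. It models the two ingredients the researchers describe as iframe markup (an ad slot sandboxed with `allow-top-navigation-by-user-activation`, and a nested cross-origin frame carrying `autofocus`) and audits a slot's markup for them. The hostnames, the `VULNERABLE_SLOT`/`HARDENED_SLOT` samples and the function names are assumptions made up for the example.

```javascript
// Added example, not Confiant's or eGobbler's code. The markup below is
// constructed for illustration; the hostnames are placeholders, not real
// ad or CDN infrastructure from the campaign.

// Sandbox tokens that let content inside a frame navigate the top-level page.
// The second one is what the autofocus bug turned into a forced redirect:
// with the nested frame focused, a keydown counted as "user activation".
const TOP_NAV_TOKENS = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

// Constructed: how the rendered slot looked in the vulnerable configuration.
// Outer frame = publisher's ad slot, inner frame = what the creative embedded.
const VULNERABLE_SLOT = `
<iframe id="ad-slot" src="https://ads.example/creative.html"
        sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<!-- served inside the creative (constructed): -->
<iframe src="https://cdn-subdomain.example/nested.html" autofocus></iframe>
`;

// Constructed: the same slot with the top-navigation grant removed and no
// autofocus on the nested frame.
const HARDENED_SLOT = `
<iframe id="ad-slot" src="https://ads.example/creative.html" sandbox="allow-scripts"></iframe>
<iframe src="https://cdn-subdomain.example/nested.html"></iframe>
`;

// Pull every <iframe ...> start tag and its attributes out of an HTML string.
// A regex is adequate here because only iframe attributes are inspected.
function extractIframes(html) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    frames.push(attrs);
  }
  return frames;
}

// Parse a sandbox attribute into its token set; null means no sandbox at all.
function sandboxTokens(attrs) {
  if (!('sandbox' in attrs)) return null;
  return new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
}

// Report the conditions the redirect relied on. Nested frames inherit the
// outer frame's sandbox flags, so a missing sandbox is only flagged on the
// outermost frame; top-navigation grants and autofocus are flagged anywhere.
function auditAdSlot(html) {
  const findings = [];
  extractIframes(html).forEach((attrs, i) => {
    const tokens = sandboxTokens(attrs);
    if (i === 0 && tokens === null) findings.push('outer frame: not sandboxed at all');
    if (tokens) {
      for (const t of tokens) {
        if (TOP_NAV_TOKENS.has(t)) findings.push(`frame ${i}: sandbox grants ${t}`);
      }
    }
    if ('autofocus' in attrs) findings.push(`frame ${i}: autofocus set (steals focus on load)`);
  });
  return findings;
}

// Harden a sandbox attribute value by stripping every top-navigation grant.
function hardenSandbox(sandboxValue) {
  return sandboxValue
    .split(/\s+/)
    .filter((t) => t && !TOP_NAV_TOKENS.has(t.toLowerCase()))
    .join(' ');
}

console.log(auditAdSlot(VULNERABLE_SLOT)); // two findings: top-nav grant, autofocus
console.log(auditAdSlot(HARDENED_SLOT));   // []
console.log(hardenSandbox('allow-scripts allow-top-navigation-by-user-activation')); // "allow-scripts"
```

Dropping `allow-top-navigation-by-user-activation` closes the path the quote describes, but it also blocks legitimate click-through ads that navigate the top page; a slot hardened this way would have to let creatives open their landing page in a new tab (`allow-popups` with `target="_blank"`) instead. On browsers carrying the WebKit fix the autofocus primitive itself is gone, so the audit is a belt-and-braces check for publishers, not a substitute for updating.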
During the latest campaign the eGobbler group was seen using several content delivery networks (CDNs) to deliver its payloads, leveraging subdomains that look innocuous or include familiar brand names.
While the eGobbler group initially focused only on iOS users in the US, the recent campaign expanded its targeting to desktop browsers and to users in European countries, with most victims located in Italy.
The Chrome team submitted a WebKit patch on August 12, while Apple fixed the bug in iOS 13 and Safari 13.0.1.