According to a blog post from researchers at Confiant, there is a current malvertising campaign that is specifically targeting iOS users. The malvertising campaign, dubbed “eGobbler” by Confiant, was uncovered in early April and reported to Google because it leverages a zero-day exploit in Chrome. The eGobbler campaign was at its most active from April 6 through April 10 and employed numerous “mini-campaigns” that sought to session-hijack iOS users.

Roughly 500 million iOS user sessions were exposed to this campaign because of the Chrome zero-day. What makes eGobbler so damaging, besides its sheer reach, is the payload that the threat actors deploy against users. Researchers at Confiant found in their analysis that the payload is highly atypical for a malvertising campaign. They explain as follows:

Right away we were surprised to find that the payload’s main session hijacking mechanism was pop-up based, and furthermore, Chrome on iOS was an outlier in that the built-in pop-up blocker failed consistently... Perhaps the most fascinating thing about the malvertising exploit leveraged by eGobbler is that it’s not preventable by standard ad sandboxing attributes.

While on the surface the allow-popups directives seem like there’s nothing special about eGobbler’s payload, this is not true, because these actions should only be possible as a result of direct user interaction — a requirement that the eGobbler exploit successfully circumvents. The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes. Furthermore, this completely circumvents the browser’s anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session.


With both a massive exploit and a unique payload, the 500 million iOS users affected by eGobbler never really stood a chance. Google has yet to patch the zero-day in question and has not responded to the InfoSec journalists who contacted them about the situation. At this point it is a waiting game until the exploit can be patched. In the meantime, iOS (and possibly Android) users who use Chrome should stop using it at once and delete the browser until this issue is resolved.

Featured image: Pixabay

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
