According to a blog post from researchers at Confiant, a malvertising campaign is currently and specifically targeting iOS users. The campaign, dubbed “eGobbler” by Confiant, was uncovered in early April and reported to Google because it leverages a zero-day exploit in Chrome. eGobbler was at its most active between April 6 and April 10 and employed numerous “mini-campaigns” that sought to hijack the sessions of iOS users.

Roughly 500 million iOS user sessions were exposed to this campaign, a reach made possible by the Chrome zero-day. What makes eGobbler so dangerous, beyond its sheer reach, is the payload the threat actors deploy against users. Confiant’s researchers found in their analysis that the payload is highly atypical for a malvertising campaign. They explain as follows:

Right away we were surprised to find that the payload’s main session hijacking mechanism was pop-up based, and furthermore, Chrome on iOS was an outlier in that the built-in pop-up blocker failed consistently... Perhaps the most fascinating thing about the malvertising exploit leveraged by eGobbler is that it’s not preventable by standard ad sandboxing attributes.

While on the surface the allow-popups directives seem like there’s nothing special about eGobbler’s payload, this is not true, because these actions should only be possible as a result of direct user interaction — a requirement that the eGobbler exploit successfully circumvents. The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes. Furthermore, this completely circumvents the browser’s anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session.
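The baseline behaviour the Confiant quote appeals to, that a cross-origin ad iframe cannot open a pop-up without a user gesture even when the publisher has granted allow-popups, can be checked with a small self-contained test page. The page below is an added example, not Confiant’s proof of concept and not code from the eGobbler payload. It uses a srcdoc iframe (which gets an opaque, and therefore cross-origin, origin) sandboxed with an assumed publisher policy of allow-scripts allow-popups, has the frame call window.open on load with no user interaction, and reports the outcome to the parent via postMessage. A browser whose pop-up blocker honours the user-activation requirement reports OK; the failure Confiant describes for Chrome on iOS would show up as FAIL.

```html
<!doctype html>
<meta charset="utf-8">
<title>Sandboxed-iframe pop-up test (added example, not from the original article)</title>
<p>Result: <output id="result">waiting for the ad frame to report</output></p>

<script>
  // Registered before the iframe exists so no report can be missed.
  // Only messages from our own ad frame are accepted.
  window.addEventListener('message', (ev) => {
    const ad = document.getElementById('ad');
    if (!ad || ev.source !== ad.contentWindow) return;
    const { opened, error, activation } = ev.data;
    document.getElementById('result').textContent = opened
      ? 'FAIL: pop-up opened from a sandboxed iframe without user activation'
      : `OK: pop-up blocked (userActivation.isActive=${activation}${error ? ', error=' + error : ''})`;
  });
</script>

<!-- The "ad" slot. The sandbox policy below is an assumed, typical publisher
     configuration: scripts and pop-ups are allowed, but allow-same-origin and
     allow-popups-to-escape-sandbox are deliberately omitted, so the frame is
     cross-origin and any window it opens inherits the sandbox. -->
<iframe id="ad" sandbox="allow-scripts allow-popups" width="300" height="250"
  srcdoc="
  <script>
    // This runs on load: no click, tap or key press has happened.
    // A correctly behaving pop-up blocker returns null here.
    var w = null, err = null;
    try { w = window.open('about:blank', '_blank'); } catch (e) { err = String(e); }
    parent.postMessage({
      opened: !!w,
      error: err,
      activation: navigator.userActivation ? navigator.userActivation.isActive : 'n/a'
    }, '*');   // target '*' is required: the parent cannot be named from an opaque origin
    if (w) { w.close(); }
  </script>"></iframe>
```

Save it as a single .html file and open it in the browser under test (serving it over HTTP avoids file:// quirks). The check does not attempt to reproduce the eGobbler bypass; it only confirms the baseline that the exploit undermines, which is what makes it useful for comparing browsers and versions as fixes ship.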


With both a powerful exploit and a unique payload, the 500 million iOS user sessions hit by eGobbler never really stood a chance. Google has yet to patch the zero-day in question and has not responded to the InfoSec journalists who contacted it about the situation. At this point it is a waiting game until the bug is fixed. In the meantime, iOS users who browse with Chrome should stop using it and switch to another browser until the issue is resolved.

Featured image: Pixabay

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
