According to a blog post from researchers at Confiant, there is a current malvertising campaign that is specifically targeting iOS users. The malvertising campaign, dubbed “eGobbler” by Confiant, was uncovered in early April and reported to Google because it leverages a zero-day exploit in Chrome. The eGobbler campaign was at its most active from April 6 through April 10 and employed numerous “mini-campaigns” that sought to session-hijack iOS users.

Roughly 500 million iOS user sessions found themselves exposed to this campaign thanks to the destructive nature of the Chrome zero-day. What makes eGobbler so destructive, besides its sheer reach, is the payload that the threat actors deploy against users. Researchers at Confiant found in their analysis that the payload is incredibly atypical for a malvertising campaign. They explain as follows:

Right away we were surprised to find that the payload’s main session hijacking mechanism was pop-up based, and furthermore, Chrome on iOS was an outlier in that the built-in pop-up blocker failed consistently... Perhaps the most fascinating thing about the malvertising exploit leveraged by eGobbler is that it’s not preventable by standard ad sandboxing attributes.

While on the surface the allow-popups directives seem like there’s nothing special about eGobbler’s payload, this is not true, because these actions should only be possible as a result of direct user interaction — a requirement that the eGobbler exploit successfully circumvents. The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes. Furthermore, this completely circumvents the browser’s anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session.
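Confiant's point above is about what the `sandbox` attribute on an ad iframe is supposed to guarantee: pop-ups and top-level navigation are either forbidden outright or tied to a real user gesture. The snippet below is an added example, not code from the article or from Confiant, that audits iframe `sandbox` values the way a publisher or ad-ops engineer would when checking their own pages. It parses the token list, distinguishes a missing attribute (no sandbox at all) from an empty one (fully restricted), ranks the risk, and produces a hardened value. The risk ranking, the function names and the sample attribute values are my own assumptions. Note that Confiant states the eGobbler exploit is not stopped by standard sandboxing attributes, so this check is baseline hygiene, not a fix for the bug itself.

```javascript
// Added example (not from the article or Confiant): audit the `sandbox`
// attribute on ad iframes from a defender's point of view.
// Assumptions: token names are the standard HTML sandbox flags; the risk
// levels assigned here are illustrative, not a published standard.

const POPUP_TOKENS = new Set(['allow-popups', 'allow-popups-to-escape-sandbox']);

// Parse a raw attribute value into a de-duplicated, lower-cased token list.
// Returns null when the attribute is absent, which means the frame is not
// sandboxed at all (the opposite of an empty attribute, which restricts everything).
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return [...new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean))];
}

// Rank a sandbox value and explain each finding.
function auditSandbox(value) {
  const tokens = parseSandbox(value);
  if (tokens === null) {
    return { level: 'critical', findings: ['no sandbox attribute: frame is unrestricted'] };
  }
  const has = (t) => tokens.includes(t);
  const findings = [];
  let level = 'ok';

  if (has('allow-top-navigation')) {
    findings.push('allow-top-navigation: frame can redirect the top page without a user gesture');
    level = 'critical';
  }
  if (has('allow-same-origin') && has('allow-scripts')) {
    findings.push('allow-same-origin + allow-scripts: frame script could strip its own sandbox');
    level = 'critical';
  }
  if (has('allow-popups-to-escape-sandbox')) {
    findings.push('allow-popups-to-escape-sandbox: opened windows inherit no restrictions');
    if (level === 'ok') level = 'high';
  }
  if (has('allow-popups')) {
    findings.push('allow-popups: frame may open new windows (should still need a user gesture)');
    if (level === 'ok') level = 'medium';
  }
  return { level, findings };
}

// Produce a tightened value: drop pop-up tokens and gesture-free top navigation,
// and never combine allow-same-origin with allow-scripts. The
// allow-top-navigation-by-user-activation token is kept because it still
// requires a real click.
function hardenSandbox(value) {
  const tokens = parseSandbox(value) || [];
  let keep = tokens.filter((t) => !POPUP_TOKENS.has(t) && t !== 'allow-top-navigation');
  if (keep.includes('allow-same-origin') && keep.includes('allow-scripts')) {
    keep = keep.filter((t) => t !== 'allow-same-origin');
  }
  return keep.join(' ');
}

// Browser use: run the audit over every iframe on a page (hypothetical helper).
function auditPageFrames(doc) {
  return [...doc.querySelectorAll('iframe')].map((f) => ({
    src: f.getAttribute('src'),
    ...auditSandbox(f.getAttribute('sandbox')),
  }));
}

// Constructed sample attribute values (not taken from any real ad tag).
const SAMPLES = {
  typicalAd: 'allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox',
  unsandboxed: null,
  lockedDown: 'allow-scripts allow-top-navigation-by-user-activation',
};

for (const [name, value] of Object.entries(SAMPLES)) {
  const result = auditSandbox(value);
  console.log(name, result.level, result.findings, '->', JSON.stringify(hardenSandbox(value)));
}
```

Run it under Node to see the three constructed samples ranked; in a browser console, `auditPageFrames(document)` applies the same logic to the live page. The two things worth remembering from the design are that a missing `sandbox` attribute is the worst case, not a neutral one, and that `allow-same-origin` together with `allow-scripts` lets frame script undo the sandbox, so the hardened value drops it.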


With both a massive exploit and a unique payload, the 500 million iOS users affected by eGobbler never really stood a chance. Google has yet to patch the zero-day in question and has not responded to the InfoSec journalists who contacted them about the situation. At this point it is a waiting game until the exploit is patched. In the meantime, iOS (and possibly Android) users who use Chrome should stop at once and delete the browser until this issue is resolved.

Featured image: Pixabay

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
