According to a blog post from researchers at Confiant, there is a current malvertising campaign that is specifically targeting iOS users. The malvertising campaign, dubbed “eGobbler” by Confiant, was uncovered in early April and reported to Google because it leverages a zero-day exploit in Chrome. The eGobbler campaign was at its most active between April 6 and April 10 and employed numerous “mini-campaigns” that sought to session-hijack iOS users.

Roughly 500 million iOS user sessions found themselves exposed to this campaign thanks to the destructive nature of the Chrome zero-day. What makes eGobbler so destructive, besides its sheer reach, is the payload that the threat actors deploy against users. Researchers at Confiant found in their analysis that the payload is incredibly atypical for a malvertising campaign. They explain as follows:

Right away we were surprised to find that the payload’s main session hijacking mechanism was pop-up based, and furthermore, Chrome on iOS was an outlier in that the built-in pop-up blocker failed consistently... Perhaps the most fascinating thing about the malvertising exploit leveraged by eGobbler is that it’s not preventable by standard ad sandboxing attributes.

While on the surface the allow-popups directives seem like there’s nothing special about eGobbler’s payload, this is not true, because these actions should only be possible as a result of direct user interaction — a requirement that the eGobbler exploit successfully circumvents. The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes. Furthermore, this completely circumvents the browser’s anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session.

With both a massive exploit and a unique payload, the 500 million iOS users affected by eGobbler never really stood a chance. Google has yet to patch the zero-day in question and has not responded to the InfoSec journalists who contacted them about the situation. At this point it is a waiting game until the exploit is patched. In the meantime, iOS (and possibly Android) users who utilize Chrome should stop using it at once and delete the browser until this issue is resolved.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
