According to a blog post from researchers at Confiant, there is a current malvertising campaign that is specifically targeting iOS users. The malvertising campaign, dubbed “eGobbler” by Confiant, was uncovered in early April and reported to Google as it leverages a zero-day exploit in Chrome. The eGobbler campaign was at its most active between April 6 through April 10 and employed numerous “mini-campaigns” that sought to session-hijack iOS users.
Roughly 500 million iOS user sessions found themselves exposed to this campaign thanks to the destructive nature of the Chrome zero-day. What makes eGobbler so destructive, besides its sheer reach, is the payload that the threat actors deploy against users. Researchers at Confiant found in their analysis that the payload is incredibly atypical for a malvertising campaign. They explain as follows:
Right away we were surprised to find that the payload’s main session hijacking mechanism was pop-up based, and furthermore, Chrome on iOS was an outlier in that the built-in pop-up blocker failed consistently… Perhaps the most fascinating thing about the malvertising exploit leveraged by eGobbler is that it’s not preventable by standard ad sandboxing attributes.
While on the surface the
allow-popupsdirectives seem like there’s nothing special about eGobbler’s payload, this is not true, because these actions should only be possible as a result of direct user interaction — a requirement that the eGobbler exploit successfully circumvents. The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes. Furthermore, this completely circumvents the browser’s anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session.
The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes.
With both a massive exploit and a unique payload, the 500 million iOS users affected by eGobbler never really stood a chance. Google has yet to patch the zero-day in question and has not responded to the InfoSec journalists who contacted them about the situation. Really at this point this will be a waiting game until the exploit can be patched. In the meantime iOS (and possibly Android) users who utilize Chrome should cease at once and delete the browser until this issue is resolved.
Featured image: Pixabay