I first wrote about eGobbler, the prolific threat actor behind malvertising campaigns with a history of compromising adverts in their hundreds of millions in a matter of hours, on April 17, 2019. Back then, it was iPhone users who were coming under attack as eGobbler exploited a vulnerability in the Google Chrome web browser for iOS to bypass the pop-up blocker and the forced-redirection mitigations in place. The Chromium development team fixed that bug, CVE-2019-5840, with the release of Chrome 75 for iOS on June 4, 2019. This wasn’t, unfortunately, the end of the eGobbler story. The same security researchers from Confiant who found that earlier Chrome vulnerability soon spotted another eGobbler payload out in the wild: this time turning more than 1.1 billion adverts into badverts.
A badvert, or malvertising if you prefer the popular infosecurity vernacular, is a seemingly legitimate advert that has been manipulated to contain underlying code that redirects to malicious content. The core nature of most badverts is fraudulent, with users being redirected away from the real advertising message to landing pages that deliver fake content where the attacker can generate revenue from serving genuine adverts. A secondary payload of badverts can be more malicious in intent; malware distribution or the collection of user credentials is not uncommon.
Given the vast volumes of hits that the badverts served up by these campaigns achieve (in just ten days, the iOS-targeted campaign distributed more than 500 million badverts), it’s likely that eGobbler is an organized criminal venture rather than a lone-wolf actor.
The vulnerability exploited by this second campaign was fixed in the iOS 13 release on September 19, and on September 24 it was also fixed in Safari 13.0.1.
MacDailyNews Note: Obviously, all users who can should update to Safari 13.0.1 and Apple’s latest iOS 13 version (currently iOS 13.1.2) ASAP.