iPhone users warned to update as 1.1 billion eGobbler malvertising attack is confirmed

Davey Winder for Forbes:

I first wrote about eGobbler, the prolific threat actor behind malvertising campaigns with a history of compromising adverts in their hundreds of millions in a matter of hours, on April 17, 2019. Back then, it was iPhone users that were coming under attack as eGobbler exploited a vulnerability in the Google Chrome web browser for iOS to bypass the pop-up blocker and forced redirection mitigations in place. The Chromium development team fixed that CVE-2019–5840 bug with the release of Chrome 75 for iOS on June 4, 2019. This wasn’t, unfortunately, the end of the eGobbler story. The same security researchers from Confiant who found that earlier Chrome vulnerability soon spotted another eGobbler payload out in the wild: this time turning more than 1.1 billion adverts into badverts.

A badvert, or malvertising if you prefer the popular infosecurity vernacular, is a seemingly legitimate advert that has been manipulated to contain underlying code that redirects to malicious content. The core nature of most badverts is fraudulent, with users being redirected away from the real advertising message to landing pages that deliver fake content where the attacker can generate revenue from serving genuine adverts. A secondary payload of badverts can be more malicious in intent; malware distribution or the collection of user credentials is not uncommon.

Given the vast volumes of hits that the badverts served up by these campaigns achieve, in just ten days that iOS-targeted campaign was able to distribute more than 500 million badverts, it’s likely eGobbler is an organized criminal venture rather than a lone-wolf actor.

The vulnerability was fixed in the iOS 13 release on September 19, and on September 24 it was also fixed in Safari 13.0.1.

MacDailyNews Note: Obviously, all users who can should update to Safari 13.0.1. and Apple’s latest iOS 13 version (currently iOS 13.1.2) ASAP.

6 Comments

  1. The article does not mention that it affects Safari’s webkit at all since it’s different from Chrome’s. I’m not a techie. It says that the bug allows:

    “a cross-origin iFrame to autofocus and so bypass the “allow-top-navigation-by-user-activation” sandbox of the parent frame.

    Can someone please explain what that means and how it affects Safari webkit?

      1. Actually ALL users that employ Webkit based browsers on any platform were affected by the ‘2nd wave’ ‘badverts’. Chrome was not affected by the 2nd vulnerability except on iOS where it is required by Apple that they use Webkit.

    1. You obviously didn’t bother to read the source article that says after the Chrome vulnerability was fixed the same researchers noticed that eGobbler switched to ‘badverts’ which ARE webkit based. As Chrome uses Webkit on iOS due to Apple’s backend rendering policy forcing ALL browser for iOS to use Webkit they were informed by Confiant in addition to Apple of the new vulnerability August 7. By August 9, the Chrome team had put together a patch and submitted it to the WebKit developers.

  2. Didn’t DED make a comment here before? Weird that it is gone, censorship is anathema to freedom and liberty but it lives in curious places. DED is a DEDbeat sometimes with his over the top cheerleading but I generally agree with him. His comments about MDN were a bit harsh though, but now they’ve been erased. I wonder if we’ll ever see a DED article linked by MDEDN again, probably not.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.