A MALVERTISING ACTOR known as eGobbler has been exploiting two browser security flaws to display invasive pop-up ads and to redirect users to malicious websites.
One of these involved a patched flaw in Chrome for iOS while the other exploits a zero-day flaw in the WebKit browser engine.
The activities of the group were first noticed last year when security researchers found it running malvertising campaigns to display malicious ads on vulnerable devices.
According to researchers, malvertising campaigns by eGobbler typically last for a few days. In that period, eGobbler buys advertisements on genuine services but embeds malicious code in its adverts to perform unauthorised activity on users' browsers.
These activities normally include displaying disrupting popup ads or redirecting users to malicious sites running scams or hosting malware.
Security researchers at Confiant said that, in April, they noticed eGobbler exploiting a bug in Chrome for iOS, which enabled them to bypass the built-in pop-up blocker in the OS to overwhelm users with ads. The exploit also enabled them to redirect users to malicious sites.
Confiant researchers notified the Chromium team about the bug (CVE-2019-5840), which eventually patched it in June with the release of Chrome 75.
However, eGobbler continued to exploit the bug and targeted users who failed to update their Chrome app.
Confiant added that, in August, the group started exploiting a new bug impacting WebKit, the browser engine working at the core of older Chrome versions and Apple's Safari.
The issue was reported to Apple and Google in August. Apple released a patch for WebKit in three days and closed the bug in both iOS 13 and Safari 13.0.1 in September.
Google is yet to release a fix for the issue, meaning that Chrome users are still vulnerable to malvertising attacks from eGobbler and other threat actors.
Confiant said that between 1 August and 23 September, they saw eGobbler generating 1.16 billion ad impressions. Those attacks primarily targeted Windows users accessing the web via Chrome.
"eGobbler's preference for desktop platforms during this period supports their latest WebKit exploit, as the 'onkeydown' event is less likely to spawn organically during mobile browsing," the researchers said.
"The eGobbler group will often use CDNs [content delivery networks] for payload delivery. When available, they will leverage subdomains that look innocuous or include familiar brands." µ
Watch your back, Huawei
Porn-based prattery gets fisted
As long as it follows the rules
The Home in the home could be a legal minefield