Security researchers have discovered a new malvertising campaign driven by the hacking group eGobbler. The campaign ran between 1 August and 23 September. The hackers affected 1.16 billion advertisements in order to redirect victims to malicious payloads.
In April, researchers at Confiant had discovered another campaign by the same group. The hackers took advantage of an exploit that helped them bypass the browser's built-in pop-up blocker to spread fake ads to millions of users in the US and Europe in less than a week.
The researchers found that the hackers used a new exploit payload, similar to the one used to target iOS users. However, the new payload has new features that affect WebKit browsers in a whole new way.
"This time, the iOS Chrome pop-up wasn't created as before, but we were actually redirected to WebKit browsers."
The hackers use an iframe that takes advantage of keystrokes. When users press a key, the browser considers them to be actively navigating, so the sandboxing feature for the ads does not prevent the redirects.
"It is worth noting that the campaign behind this payload was targeted at web applications with text boxes and search forms to maximize the chances of these keypresses being misused," said Confiant.
Both the Chrome team and Apple were informed of the bug in August, when the researchers discovered the malvertising campaign.
Chrome developers released a patch for WebKit on August 12. Apple, on the other hand, fixed the issue in September with iOS 13 and Safari 13.0.1.
"eGobbler's preference for desktop platforms during this campaign has to do with the WebKit exploit, as it takes advantage of keystrokes," Confiant explained.
The new campaign shows that the eGobbler team has changed the way it attacks. Previously, it focused on delivering malicious payloads to mobile devices.
In its latest attacks, eGobbler has exploited various content delivery networks (CDNs) to deliver its payloads.
Confiant researchers had discovered a similar campaign in November 2018, run by the ScamClub group. Those hackers had affected about 300 million iOS users, redirecting them to adult content sites and other fake sites.