EGobbler Group Distributes Over 1 Billion Malicious Banners in 2 Months
The eGobbler cybercriminal group exploits vulnerabilities in the Google Chrome browser for iOS, as well as in the desktop versions of the Chrome and Safari browsers, to distribute malicious banners, display pop-up ads, and redirect users to malicious sites.
According to experts from Confiant, between August 1 and September 23 this year, criminals distributed malicious ads about 1.16 billion times. The victims of the attacks were users in the USA and Europe, mainly in Italy.
“It’s not uncommon for their campaigns to compromise up to hundreds of millions of programmatic ad impressions in a matter of hours and the impact from their ongoing activity is felt across the United States and Europe. Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections”, report Confiant specialists.
In April of this year, experts recorded a large-scale malicious campaign, in which the eGobbler group exploited a vulnerability in the iOS version of Chrome. The issue affected Chrome exclusively for iOS and did not apply to Safari and other versions of Chrome.
Now the criminals are using a new vulnerability affecting WebKit, a browser engine used in versions of Chrome and Safari. The exploit relies on “onkeydown”, a JavaScript event handler that runs every time a key is pressed. EGobbler uses it to display pop-ups when the user interacts with the site. According to the researchers, Apple fixed this problem with the release of iOS 13; a patch for Chrome is not yet available.
EGobbler usually acts quickly, and its attacks last only a few days. In active periods, the group buys ads on legitimate services and injects malicious code into them. In this way, the malicious code can break out of the ad's inline frame (iframe) and perform actions in users' browsers, including displaying pop-ups advertising various suspicious products or redirecting the user to a malicious site.
“Shockingly, we found that even when the sandbox parameters were present, a pop-up would be spawned when the user tapped on the parent page. The Chrome browser on iOS was impacted, whereas other mobile and desktop browsers successfully blocked the pop-up”, write Confiant researchers.
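As an added illustration (not from Confiant's report or this article), the sketch below audits the `sandbox` attribute of ad iframes for the tokens that govern pop-ups and top-level redirects, the two behaviours described above. The function names and sample markup are constructed; as the quote notes, the iOS Chrome bug bypassed these attributes, so this verifies baseline configuration only.

```javascript
// Added example: audit iframe sandbox attributes for tokens that permit
// pop-ups or top-level navigation. Names and sample HTML are constructed.

const RISKY_TOKENS = {
  'allow-popups': 'frame may open new windows or tabs',
  'allow-popups-to-escape-sandbox': 'opened windows are not sandboxed',
  'allow-top-navigation': 'frame may redirect the parent page',
  'allow-top-navigation-by-user-activation': 'frame may redirect the parent page after a user gesture',
};

// sandboxAttr: the attribute value, or null when the attribute is absent.
function auditSandbox(sandboxAttr) {
  if (sandboxAttr === null) {
    return ['no sandbox attribute: frame is unrestricted'];
  }
  const tokens = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  const findings = [];
  for (const [token, why] of Object.entries(RISKY_TOKENS)) {
    if (tokens.has(token)) findings.push(`${token}: ${why}`);
  }
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: same-origin content can remove its own sandbox');
  }
  return findings;
}

// Minimal tag scan for the constructed sample; use a real HTML parser on live pages.
function auditIframes(html) {
  const report = [];
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = m[0];
    const src = (/\ssrc\s*=\s*"([^"]*)"/i.exec(tag) || [])[1] || '(no src)';
    const sb = /\ssandbox(?:\s*=\s*"([^"]*)")?/i.exec(tag);
    const attr = sb ? (sb[1] || '') : null; // bare `sandbox` means fully restricted
    report.push({ src, findings: auditSandbox(attr) });
  }
  return report;
}

const SAMPLE_HTML = `
<iframe src="https://ads.example/slot1" sandbox="allow-scripts"></iframe>
<iframe src="https://ads.example/slot2" sandbox="allow-scripts allow-popups allow-top-navigation"></iframe>
<iframe src="https://ads.example/slot3"></iframe>`;

for (const { src, findings } of auditIframes(SAMPLE_HTML)) {
  console.log(src, findings.length ? findings : 'ok');
}
```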