Connect with us


Malvertiser exploited two browser bugs to show over one billion malicious ads



Massive malvertising campaign hits iOS users in the US
A malvertising campaign deployed via a high-profile ad platform targeted iOS users across the US. Crooks hijacked over 300 million web sessions. Read more:

Over the past six months, a criminal group specialized in showing malicious ads (malvertising) has used two obscure browser bugs to bypass browser security protections and successfully show intrusive popup ads and redirect users to malicious sites.

The group’s name is eGobbler and has been active since last Thanksgiving when security researchers spotted its first malvertising campaigns.

eGobbler typically operates in short bursts of activity that only last a few days. During these bursts, the group buys ads on legitimate services but injects malicious code inside the adverts so their exploits break out of the ad’s secure iframe container and perform malicious actions inside users’ browsers, untethered.

Commonly, these actions involve showing popup ads for various shady products, or redirecting the user to a malicious site hosting scams or malware-laced downloads.

Historically, the group has targeted mobile devices, where most users don’t employ ad blockers, and where browsers are not as hardened against exploits as their desktop counterparts, making their campaigns many times more effective.

According to previous reports, eGobbler operates on a massive scale. They were responsible for blasting out a whopping 800 million malicious ad impressions over the Presidents’ Day weekend alone.

Furthermore, the group also has the rare technical skills to find bugs in browsers’ source code. Not many malvertising operations can say this these days, in a landscape where exploit kits usage has been going down due to improvements in browsers security.

First browser bug

Nonetheless, eGobbler found and weaponized its first browser zero-day back in April. The zero-day only impacted Chrome for iOS, and allowed the eGobbler gang to break out of the security sandbox protections that protect advertising iframes, and show their malicious code to users.

They used the exploit to bombard users with popup ads and redirected them to malicious sites.

The bug (CVE-2019-5840) eventually received a patch in June, when Google released Chrome 75, with a fix. Nevertheless, eGobbler continued to use it, even after, targeting users who failed to update their Chrome installs.

Second browser bug

But in a report shared privately with ZDNet last week, Confiant, a cyber-security firm specialized in tracking malvertising campaigns, said the group found a second bug over the summer, right after Google devs patched the Chrome for iOS exploit. It’s like the group intentionally went looking for a new bug to exploit, and found it a few months later, in August.

This new bug impacts WebKit, the browser engine at the core of older Chrome versions, but also Apple’s Safari. Both browsers are impacted. This is because Chrome’s current engine, named Blink, was based on the older WebKit, and still shares some code.

Confiant said this second browser zero-day exploits the “onkeydown” event — a JavaScript function that executes on each keypress. eGobbler have been using it to bombard users with popups when users interact with a site by pressing a key.

For now, according to Confiant, only Apple has fixed this issue, with the release of iOS 13, last week. Google has yet to ship a fix, meaning that Chrome users are still vulnerable.

Expanding to desktop users

Since the “onkeydown” event at the center of this second bug also impacts dekstop browsers, and not just mobile ones, the second bug has also allowed the eGobbler group to expand operations. The group is now also targeting desktop-based browsers, which resulted in an explosion in the group’s activity.

Confiant said that between August 1 and September 23, they’ve seen the eGobbler group ship malvertising code with a “staggering” volume of ads, which they estimate to be up to 1.16 billion impressions.

The group is not targeting iOS users in the US anymore, but have since expanded to desktop browsers and European users, with Italians being hit the hardest.


Image: Confiant (supplied)

Image: Confiant (supplied)

As it’s been said many times before — the best way to safeguard against malvertising campaigns, malicious ads, and tracking scripts, is to use a browser extension that can block ads, or install an antivirus product.

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *


The Five Pillars of (Azure) Cloud-based Application Security



This 1-hour webinar from GigaOm brings together experts in Azure cloud application migration and security, featuring GigaOm analyst Jon Collins and special guests from Fortinet, Director of Product Marketing for Public Cloud, Daniel Schrader, and Global Director of Public Cloud Architecture and Engineering, Aidan Walden.

These interesting times have accelerated the drive towards digital transformation, application rationalization, and migration to cloud-based architectures. Enterprise organizations are looking to increase efficiency, but without impacting performance or increasing risk, either from infrastructure resilience or end-user behaviors.

Success requires a combination of best practice and appropriate use of technology, depending on where the organization is on its cloud journey. Elements such as zero-trust access and security-driven networking need to be deployed in parallel with security-first operations, breach prevention and response.

If you are looking to migrate applications to the cloud and want to be sure your approach maximizes delivery whilst minimizing risk, this webinar is for you.

Continue Reading


Data Management and Secure Data Storage for the Enterprise



This free 1-hour webinar from GigaOm Research brings together experts in data management and security, featuring GigaOm Analyst Enrico Signoretti and special guest from RackTop Systems, Jonathan Halstuch. The discussion will focus on data storage and how to protect data against cyberattacks.

Most of the recent news coverage and analysis of cyberattacks focus on hackers getting access and control of critical systems. Yet rarely is it mentioned that the most valuable asset for the organizations under attack is the data contained in these systems.

In this webinar, you will learn about the risks and costs of a poor data security management approach, and how to improve your data storage to prevent and mitigate the consequences of a compromised infrastructure.

Continue Reading


CISO Podcast: Talking Anti-Phishing Solutions



Simon Gibson earlier this year published the report, “GigaOm Radar for Phishing Prevention and Detection,” which assessed more than a dozen security solutions focused on detecting and mitigating email-borne threats and vulnerabilities. As Gibson noted in his report, email remains a prime vector for attack, reflecting the strategic role it plays in corporate communications.

Earlier this week, Gibson’s report was a featured topic of discussions on David Spark’s popular CISO Security Vendor Relationship Podcast. In it, Spark interviewed a pair of chief information security officers—Mike Johnson, CISO for SalesForce, and James Dolph, CISO for Guidewire Software—to get their take on the role of anti-phishing solutions.

“I want to first give GigaOm some credit here for really pointing out the need to decide what to do with detections,” Johnson said when asked for his thoughts about selecting an anti-phishing tool. “I think a lot of companies charge into a solution for anti-phishing without thinking about what they are going to do when the thing triggers.”

As Johnson noted, the needs and vulnerabilities of a large organization aligned on Microsoft 365 are very different from those of a smaller outfit working with GSuite. A malicious Excel macro-laden file, for example, poses a credible threat to a Microsoft shop and therefore argues for a detonation solution to detect and neutralize malicious payloads before they can spread and morph. On the other hand, a smaller company is more exposed to business email compromise (BEC) attacks, since spending authority is often spread among many employees in these businesses.

Gibson’s radar report describes both in-line and out-of-band solutions, but Johnson said cloud-aligned infrastructures argue against traditional in-line schemes.

“If you put an in-line solution in front of [Microsoft] 365 or in front of GSuite, you are likely decreasing your reliability, because you’ve now introduced this single point of failure. Google and Microsoft have this massive amount of reliability that is built in,” Johnson said.

So how should IT decision makers go about selecting an anti-phishing solution? Dolph answered that question with a series of questions of his own:

“Does it nail the basics? Does it fit with the technologies we have in place? And then secondarily, is it reliable, is it tunable, is it manageable?” he asked. “Because it can add a lot overhead, especially if you have a small team if these tools are really disruptive to the email flow.”

Dolph concluded by noting that it’s important for solutions to provide insight that can help organizations target their protections, as well as support both training and awareness around threats. Finally, he urged organizations to consider how they can measure the effectiveness of solutions.

“I may look at other solutions in the future and how do I compare those solutions to the benchmark of what we have in place?”

Listen to the Podcast: CISO Podcast

Continue Reading