Over the past six months, a criminal group specialized in showing malicious ads (malvertising) has used two obscure browser bugs to bypass browser security protections and successfully show intrusive popup ads and redirect users to malicious sites.
The group’s name is eGobbler and has been active since last Thanksgiving when security researchers spotted its first malvertising campaigns.
eGobbler typically operates in short bursts of activity that only last a few days. During these bursts, the group buys ads on legitimate services but injects malicious code inside the adverts so their exploits break out of the ad’s secure iframe container and perform malicious actions inside users’ browsers, untethered.
Commonly, these actions involve showing popup ads for various shady products, or redirecting the user to a malicious site hosting scams or malware-laced downloads.
Historically, the group has targeted mobile devices, where most users don’t employ ad blockers, and where browsers are not as hardened against exploits as their desktop counterparts, making their campaigns many times more effective.
According to previous reports, eGobbler operates on a massive scale. They were responsible for blasting out a whopping 800 million malicious ad impressions over the Presidents’ Day weekend alone.
Furthermore, the group also has the rare technical skills to find bugs in browsers’ source code. Not many malvertising operations can say this these days, in a landscape where exploit kits usage has been going down due to improvements in browsers security.
First browser bug
Nonetheless, eGobbler found and weaponized its first browser zero-day back in April. The zero-day only impacted Chrome for iOS, and allowed the eGobbler gang to break out of the security sandbox protections that protect advertising iframes, and show their malicious code to users.
They used the exploit to bombard users with popup ads and redirected them to malicious sites.
The bug (CVE-2019-5840) eventually received a patch in June, when Google released Chrome 75, with a fix. Nevertheless, eGobbler continued to use it, even after, targeting users who failed to update their Chrome installs.
Second browser bug
But in a report shared privately with ZDNet last week, Confiant, a cyber-security firm specialized in tracking malvertising campaigns, said the group found a second bug over the summer, right after Google devs patched the Chrome for iOS exploit. It’s like the group intentionally went looking for a new bug to exploit, and found it a few months later, in August.
This new bug impacts WebKit, the browser engine at the core of older Chrome versions, but also Apple’s Safari. Both browsers are impacted. This is because Chrome’s current engine, named Blink, was based on the older WebKit, and still shares some code.
For now, according to Confiant, only Apple has fixed this issue, with the release of iOS 13, last week. Google has yet to ship a fix, meaning that Chrome users are still vulnerable.
Expanding to desktop users
Since the “onkeydown” event at the center of this second bug also impacts dekstop browsers, and not just mobile ones, the second bug has also allowed the eGobbler group to expand operations. The group is now also targeting desktop-based browsers, which resulted in an explosion in the group’s activity.
Confiant said that between August 1 and September 23, they’ve seen the eGobbler group ship malvertising code with a “staggering” volume of ads, which they estimate to be up to 1.16 billion impressions.
The group is not targeting iOS users in the US anymore, but have since expanded to desktop browsers and European users, with Italians being hit the hardest.
As it’s been said many times before — the best way to safeguard against malvertising campaigns, malicious ads, and tracking scripts, is to use a browser extension that can block ads, or install an antivirus product.