Browser Vulnerabilities Exploited for Over a Billion Malicious Ad Impressions

Fraudsters Exploit Browser Bugs to Display Over a Billion Malicious Ads

According to experts at Confiant, the eGobbler group first came to their attention in the fall of 2018 and is now considered one of the most serious organizations in the field of malicious advertising. Typically, the group becomes active for short periods during major holidays. For example, in February 2019, during Presidents’ Day in the United States, hackers showed American users more than 800 million malicious ads that redirected victims to fake tech support and phishing sites.

During these activity spikes, hackers purchase ads from legitimate services and inject malicious code into the ads, allowing their exploits to break out of the ad’s secure iframe and execute harmful actions in browsers. The group has mainly targeted mobile devices, as most mobile users do not use ad blockers and mobile browsers are generally less protected against exploits compared to their desktop counterparts.

New Report Reveals Ongoing Exploitation

Confiant has now published a new report stating that eGobbler continues to actively exploit browser bugs. Their first exploit for a zero-day vulnerability was deployed in April of this year. That attack only affected users of Chrome for iOS, and the vulnerability (CVE-2019-5840) was patched in June with the release of Chrome 75. However, eGobbler continued to exploit the bug even after the patch, targeting users who had not updated Chrome.

Researchers note that in the summer, shortly after Google fixed the Chrome for iOS vulnerability, hackers discovered another issue useful for their operations. This new bug affects the WebKit engine, which is used by older versions of Chrome as well as Safari. As a result, both browsers were at risk, since the current Chrome engine (Blink) is based on WebKit and still uses parts of the old code.

How the Exploit Works

The bug is exploited through the onkeydown event handler, JavaScript code that runs every time a key is pressed. eGobbler uses this vulnerability to display pop-up windows to victims when they interact with a site by pressing keys.
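As an added, defender-side example (not code from Confiant or the article), the following audit flags ad iframes whose sandbox policy already grants the capabilities the group's payloads had to break out of the frame to obtain: opening pop-ups and redirecting the top-level page. The token names are the standard HTML iframe sandbox tokens; the frame list is constructed for the example.

```javascript
// Added example, not from the article or Confiant: audit the sandbox policy of
// third-party ad iframes. eGobbler needed a browser bug to escape the ad frame and
// open pop-ups; a frame that grants these capabilities outright needs no bug at all.

// Sandbox tokens that let ad code act outside its own frame, with the abuse each enables.
const RISKY_TOKENS = {
  "allow-popups": "frame may open new windows (pop-up ads, fake tech-support pages)",
  "allow-popups-to-escape-sandbox": "windows it opens carry no sandbox at all",
  "allow-top-navigation": "frame may redirect the top-level page",
  "allow-top-navigation-by-user-activation": "frame may redirect the page after a key press or tap",
  "allow-modals": "frame may show alert/confirm/prompt dialogs",
};

// Audit one frame. `sandbox` is the raw attribute value, or null when the attribute
// is absent, which means the frame runs with no restrictions at all.
function auditAdFrame(frame) {
  const findings = [];
  if (frame.sandbox === null || frame.sandbox === undefined) {
    findings.push("no sandbox attribute: frame is unrestricted");
    return { src: frame.src, risky: true, findings };
  }
  const tokens = frame.sandbox.trim().toLowerCase().split(/\s+/).filter(Boolean);
  // Scripts plus same-origin lets the frame reach its own element and drop the sandbox.
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin: frame can remove its own sandbox");
  }
  for (const t of tokens) {
    if (RISKY_TOKENS[t]) findings.push(`${t}: ${RISKY_TOKENS[t]}`);
  }
  return { src: frame.src, risky: findings.length > 0, findings };
}

// Audit a list of frames and return only the risky ones.
function auditAdFrames(frames) {
  return frames.map(auditAdFrame).filter((r) => r.risky);
}

// Constructed sample of ad slots as a publisher page might embed them.
const SAMPLE_FRAMES = [
  { src: "https://ads.example/slot1", sandbox: null },
  { src: "https://ads.example/slot2", sandbox: "allow-scripts allow-popups allow-top-navigation-by-user-activation" },
  { src: "https://ads.example/slot3", sandbox: "allow-scripts allow-same-origin" },
  { src: "https://ads.example/slot4", sandbox: "allow-scripts" },
];

// In a browser, build the list with
// [...document.querySelectorAll("iframe")].map(f => ({ src: f.src, sandbox: f.getAttribute("sandbox") }))
if (typeof module !== "undefined" && require.main === module) {
  for (const r of auditAdFrames(SAMPLE_FRAMES)) console.log(r.src, r.findings);
}
```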

According to Confiant, so far only Apple engineers have fixed this vulnerability (in iOS 13, released last week). Google has not yet released a fix, meaning Chrome users remain vulnerable.

Expanding Targets and Scale of the Attack

Since the second vulnerability affects not only mobile browsers but also desktop versions, the group has expanded its operations to target desktop users as well. Researchers report that between August 1 and September 23, eGobbler distributed malicious ads at an “astonishing” rate, managing to deliver approximately 1.16 billion dangerous ad impressions.

The group is no longer focused solely on iOS users in the United States but is also attacking desktop browsers of European users. Currently, Italians have suffered the most from these attacks.
