The hacker group eGobbler exploited vulnerabilities in Chrome for iOS, as well as in the desktop versions of Chrome and Safari, to bypass browser protections, show victims in-browser ads and redirect them to malicious sites.
According to experts at Confiant, eGobbler first came to the attention of researchers in the fall of 2018 and is now considered one of the most serious groups in the field of malicious advertising. The group usually becomes active for a short time around major holidays. For example, in February 2019, around Presidents' Day in the United States, the hackers served American users more than 800,000,000 malicious advertisements that led victims to fake technical support sites and phishing resources.
During such bursts of activity, the hackers buy ad space from legitimate services and inject malicious code into the ads, so that their exploits break out of the ad's sandboxed iframe and perform malicious actions in the browser. The group mainly focused on mobile devices, since most mobile users do not run ad blockers, and mobile browsers are not as well protected against exploits as their desktop “colleagues”.
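As an added example (not from the article or from Confiant), the following audits the `sandbox` attribute a publisher places on a third-party ad iframe, the "safe iframe" the article says the creatives escape from. It reports tokens that would let framed content navigate the visitor away on its own, and contrasts a weak setting with a tighter one; the element names and findings are constructed for illustration, and the check is a baseline that does not substitute for patching the browser bugs the article describes.

```javascript
// Added example: audit an ad iframe's `sandbox` attribute value.
// Pure functions with no DOM access, so it runs under Node as well.

// Tokens that let framed content navigate or open windows, which is what a
// malvertising creative needs in order to redirect the visitor.
const NAVIGATION_TOKENS = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-popups',
  'allow-popups-to-escape-sandbox',
]);

// Parse a sandbox attribute value into a Set of tokens.
// Returns null when the attribute is absent, i.e. no sandbox at all.
function parseSandbox(attrValue) {
  if (attrValue === null || attrValue === undefined) return null;
  return new Set(attrValue.trim().split(/\s+/).filter(Boolean));
}

// Return a list of findings (empty means nothing to report) for one frame.
function auditAdFrame(attrValue) {
  const tokens = parseSandbox(attrValue);
  if (tokens === null) {
    return ['no sandbox attribute: frame may navigate the top page freely'];
  }
  const findings = [];
  for (const t of tokens) {
    if (NAVIGATION_TOKENS.has(t)) findings.push(`grants ${t}`);
  }
  // Per the HTML spec, a frame that is same-origin with the publisher page and
  // has both tokens can reach the parent document and remove its own sandbox.
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts with allow-same-origin: a same-origin ad can remove its sandbox');
  }
  return findings;
}

// Constructed settings: a permissive one beside a tighter one for an ad slot.
const WEAK_SANDBOX = 'allow-scripts allow-same-origin allow-top-navigation allow-popups';
const TIGHT_SANDBOX = 'allow-scripts allow-forms';

for (const [label, value] of [['weak', WEAK_SANDBOX], ['tight', TIGHT_SANDBOX], ['missing', null]]) {
  console.log(label, auditAdFrame(value));
}
```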
Confiant experts have now published a new report in which they state that eGobbler is still actively exploiting bugs in browsers. The hackers deployed their first exploit for a 0-day vulnerability in April of this year. At that time the attack affected only Chrome users on iOS, and the vulnerability, CVE-2019-5840, was fixed in June with the release of Chrome 75. However, eGobbler continued to use the bug even after the patch was released, targeting users who could not update Chrome.
Researchers write that in the summer of this year, shortly after Google developers fixed the vulnerability in Chrome for iOS, the hackers discovered another problem that was useful for their activities. The new bug affects the WebKit engine, which is used by older versions of Chrome as well as by Safari. As a result, both browsers were at risk, because the current Chrome engine (Blink) is based on WebKit and still uses parts of the old code.
According to Confiant, so far only Apple engineers have fixed this vulnerability (in iOS 13, released last week). Google hasn’t yet released the hotfix, which means that Chrome users are still vulnerable.
Since the second vulnerability affects not only mobile versions of browsers, the group has extended its operations to desktop users as well. According to researchers, between August 1 and September 23, they recorded that eGobbler distributed malicious ads at a “stunning” speed and managed to deliver approximately 1.16 billion impressions of dangerous ads.
The group no longer targets only iOS users in the USA, but also attacks the desktop browsers of European users. Currently, Italian users have suffered the most from these attacks.