Surge of malicious ads target iOS and macOS users

News
By published

1bn malicious ads served in less than two months

(Image credit: Pixabay)

By exploiting zero-day vulnerabilities in Chrome and Safari, cybercriminals were able to serve over 1bn malicious ads to users in less than a two month period.

The attackers targeted both iOS and macOS users by leveraging known zero-day vulnerabilities (which have since been patched) to inject exploit code which redirected vulnerable users to malicious sites according to the security firm Confiant.

The threat actor eGobbler exploited a zero-day vulnerability in Webkit, the browser engine used in Safari and Blink, the Webkit fork used in Chrome, to generate successful redirects. 

The vulnerability, tracked as CVE-2019-8771, existed in a JavaScript function which occurs each time a user presses down a key on their keyboard. By exploiting the vulnerability, eGobbler was able to allow ads linked in HTML tags called iframes to break out of security sandbox protections that prevent a user from being redirected without their knowledge.

Malicious ads

Researcher and engineer at Confiant, Eliya Stein explained how the vulnerability worked in a blog post, saying:

“The nature of the bug is that a cross-origin nested iframe is able to “autofocus” which bypasses the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame. With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”

After discovering eGobbler's latest campaign, Confiant reported its findings to both Google and Apple's security teams. The vulnerability was fixed in Chrome with the release of iOS 13 and a patch for Safari arrived shortly after with the release of Safari 13.0.1.

eGobbler has launched similar campaigns in the past and earlier this year one of its campaigns served an estimated 500m malicious ads by exploiting a similar vulnerability in the iOS version of Chrome. The threat actor's latest campaign was focused on luring European users to phishing pages based on their mobile provider.

Via Ars Technica

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Data leak
Top collectibles site leaks personal data of nearly a million users
Spyware
Stalkerware data breach potentially hits over 2 million users, including thousands of Apple devices
An American flag flying outside the US Capitol building against a blue sky
Five Eyes "cannot replace US intel in Ukraine", claims former US Cyber Command Chief
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Criminals are using a virtual hard disk image file to host and distribute dangerous malware
Latest in News
Citroen 2CV
The retro EV resurgence is in full swing, as Citroen confirms the iconic 2CV will return with batteries
Hugging Snap
This AI app claims it can see what I'm looking at – which it mostly can
Apple iPhone 16 Pro Max REVIEW
The latest batch of leaked iPhone 17 dummy units appear to show where glass meets metal on the new designs
Hornet swings their weapon in mid air
Hollow Knight: Silksong could potentially launch this year and I reckon it could be a great game for an Xbox handheld
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average
Cassian looking at someone off-camera from a TIE fighter cockpit in Andor season 2
Star Wars: Andor creator is taking a stance against AI by canceling plans to release its scripts, and I completely get why
More about security
ransomware avast

Ransomware attacks are costing Government offices a month of downtime on average
Data leak

Top collectibles site leaks personal data of nearly a million users
Someone looking at a marketing graph

Why ‘boring’ tech will be 2025's biggest marketing trend
See more latest
Most Popular
Mark S and Helly R standing by their desks bathed in blue light in Severance's season 2 finale
Severance season 2 episode 10 ending explained: what does Mark do, who dies, will there be a season 3, and more big questions answered
YouTube Premium
Would you pay for better sound on YouTube? The video-sharing platform could soon let you control audio quality, but it'll cost you
Hugging Snap
This AI app claims it can see what I'm looking at – which it mostly can
Citroen 2CV
The retro EV resurgence is in full swing, as Citroen confirms the iconic 2CV will return with batteries
I Hate This Place artwork
Bloober Team is keeping busy as it announces its next survival horror game I Hate This Place and offers a new look at its upcoming title Cronos: The New Dawn
Equal1 Bell-1 quantum computer
This is the first quantum computer you can actually buy (and use, and power): Equal1's Bell-1 uses a standard power socket
Ryzen AI Max+ 395
Obscure Chinese PC vendor gets preferential AMD treatment as Lisa Su signs first desktop PC with Ryzen AI Max+ 395 ahead of May launch
Apple iPhone 16 Pro Max REVIEW
The latest batch of leaked iPhone 17 dummy units appear to show where glass meets metal on the new designs
SanDisk Slim Dual Drive
This is the first 2TB dual-port external SSD ever and it's not as expensive as you may think
Bimawen B15.6 TV Pro
A sign of things to come? This portable monitor comes with Google TV, a remote control and a very well hidden Android PC