Malvertising Campaign Abuses Chrome Hijacking 500 Million User Sessions

Since April 6th, a malicious advertising campaign has been redirecting iPhone and iPad users to adware and scams, with more than 500 million iOS user sessions targeted over almost a week. The attacks are primarily focused on users in the US and European countries, and the bug affects only Chrome for iOS, not Safari and not any other version of Chrome.

Session hijacking, sometimes also known as cookie hijacking, is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system.

Behind the attacks is a threat group called eGobbler, which has used 8 individual campaigns and over 30 fake creatives to carry out the attacks over 6 days. The attack works by hiding malicious hard-coded logic in the online adverts that redirects the user from legitimate sites to malicious sites. Users were presented with a ‘You’ve Won a Gift Card’ landing page when they were sent to the malicious ‘.world’ domain on which the landing pages were hosted.

eGobbler often strikes around major holidays, and was first seen during the American Thanksgiving last year. This is because advertising companies have fewer staff on hand to stop the malicious ads, which makes malvertisements more likely to succeed around public holidays.

The last attack was in February during America’s Presidents’ Day holiday weekend, when eGobbler hijacked as many as 800 million ads over a three-day period to redirect users to tech support scams and phishing sites.

Researchers explained: “We tested the payload across over two dozen devices, both physical and virtual. The tests included variations in platform, operating system, browser, desktop, and mobile. The malicious code itself has hard-coded logic that targets iOS, so we removed that condition in order to see the results of the full execution on all of the devices that we tested. We also split test this experiment between sandboxed and non-sandboxed iframes.”

“The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iframes,” researchers added.

“Furthermore, this completely circumvents the browser’s anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session.”
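The researchers’ tests contrast sandboxed and non-sandboxed cross-origin iframes, which is the control a publisher actually holds over a third-party creative. The following is an added example, not code from the article or from the researchers quoted above: a small JavaScript audit of the `sandbox` attribute a page grants to each ad iframe, flagging tokens that let a creative redirect the top-level page or open pop-ups. The token names are the standard HTML iframe sandbox tokens; the severity scale and the sample slots are this example’s own assumptions.

```javascript
// Added defensive example; severity scale is an editorial assumption, not a published policy.
const RISKY_TOKENS = {
  "allow-top-navigation":
    "creative can navigate the top-level page without any user action",
  "allow-top-navigation-by-user-activation":
    "creative can navigate the top-level page after a click; relies on the browser enforcing activation",
  "allow-popups": "creative can open new windows or tabs",
  "allow-popups-to-escape-sandbox": "windows opened by the creative are not sandboxed",
};

// Parse a sandbox attribute value into a set of lower-cased tokens.
// null/undefined means the attribute is absent, i.e. no sandbox at all.
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Rate one ad slot: "high" if the creative can force a top-level redirect,
// "medium" if it holds any other risky right, "low" otherwise.
function auditAdFrame(sandboxAttr) {
  const tokens = parseSandbox(sandboxAttr);
  if (tokens === null) {
    return { severity: "high", findings: ["no sandbox attribute: creative keeps full navigation and pop-up rights"] };
  }
  const findings = [];
  for (const [token, why] of Object.entries(RISKY_TOKENS)) {
    if (tokens.has(token)) findings.push(`${token}: ${why}`);
  }
  let severity = "low";
  if (tokens.has("allow-top-navigation")) severity = "high";
  else if (findings.length > 0) severity = "medium";
  return { severity, findings };
}

// Audit every slot; `slots` is [{ id, sandbox }] with sandbox being the
// attribute string or null. Only slots that need attention are returned.
function auditAdSlots(slots) {
  return slots
    .map(({ id, sandbox }) => ({ id, ...auditAdFrame(sandbox) }))
    .filter((r) => r.severity !== "low");
}

// Constructed sample slots (not real ad markup).
const SAMPLE_SLOTS = [
  { id: "leaderboard", sandbox: null },
  { id: "sidebar", sandbox: "allow-scripts allow-same-origin" },
  { id: "footer", sandbox: "allow-scripts allow-popups allow-top-navigation" },
];

console.log(JSON.stringify(auditAdSlots(SAMPLE_SLOTS), null, 2));
```

Run under Node; the output lists the "leaderboard" and "footer" slots with their findings, while the scripts-only "sidebar" slot passes.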

Watch out for sites hosted on ‘.site’ domains, as this is the new malicious domain that has been active since April 14th 2019.