Hacking

eGobbler Malvertising Attack Infects More Than a Billion Ads

Two eGobbler malvertising exploits impacted 1.16 billion programmatic ads between Aug. 1 and Sept. 23, according to Confiant, which has been tracking the threat for about a year.

The first targeted versions of Chrome prior to Chrome 75 on iOS. The flaw was fixed in the Chrome 75 rollout June 4.

The second exploit impacted WebKit-based browsers. Confiant reported it to the Chrome and Apple security teams Aug. 7. The Chrome team issued a patch Aug. 9. Apple fixed the problem in iOS 13 on Sept. 19, and in Safari 13.0.1 on Sept. 24.

Malvertising, generally speaking, involves using online ads to spread a variety of malware. Programmatic ads are those that are bought and sold through automated processes via software rather than human interactions.

“Confiant has been focused on detecting and blocking malvertisements since its inception,” said CTO Jerome Dangu.

The company monitors more than 50 billion ad views monthly, he told TechNewsWorld. This scale lets it “make security assessments on every ad in real time and build attribution and threat intelligence on top of it.”

How eGobbler Works

eGobbler is designed to bypass browser features that block forceful redirections initiated by people other than the user, said Eliya Stein, senior security engineer at Confiant.

Cross-origin iframes, which load resources from a domain that’s different than the parent page, are commonly used in forceful redirection attempts.

In its most basic form, the malicious ad would try to redirect the parent page like this: Top.window.location = “http://malicious_landing_page,” Stein told TechNewsWorld.

Browser security mechanisms typically prevent that from happening, and are augmented by sandboxing attributes, Stein said. However, eGobbler bypasses those mechanisms and enables the forceful redirection to go through if the user presses any key on the keyboard.

“Forceful redirections like this will succeed often enough on non-vulnerable browsers if the sandbox attributes are absent in the iframe where the ad is being served,” Stein observed. “This is still common.”

A pop-up would be spawned when a user tapped on the parent page, even when sandbox parameters were present, Confiant found.

The eGobbler hackers often use content delivery networks, or CDNs, for payload delivery. When available, they leverage subdomains that look innocuous or include familiar brands.

Who Was Hit

eGobbler targets most of the popular browsers being used instead of focusing on any one vulnerable browser, Stein noted.

The Chrome browser on iOS was impacted, whereas other mobile and desktop browsers successfully blocked the pop-up, Confiant found.

After mid-June, the hackers apparently targeted desktops rather than mobile devices, with almost 78 percent of the targets being Windows devices, according to Confiant. Mac OS X devices made up only about 14 percent, and iOS devices about 1 percent.

Ads on Chrome accounted for 82 percent of the ads affected; those on Firefox made up 10 percent; ads on Edge 3.4 percent; and ads on Opera 2.2 percent.

Apparently the technique used for the second exploit is less likely to spawn organically during mobile browsing.

“By some industry estimates, this shopping season will be the first one in which mobile purchases outpace those done on a traditional laptop and Web browser,” Kim DeCarlis, CMO at PerimeterX, pointed out.

“So in some ways, companies whose business comes from mobile users can worry a bit less,” she told TechNewsWorld.

The Impact of eGobbler

Programmatic display ad spending in the U.S. will grow almost 21 percent this year, to US$59.45 billion, eMarketer predicted.

eGobbler’s impact will depend on how much of an advertiser’s budget is spent on programmatic ads, DeCarlis noted.

The exploit will result in two outcomes, she said. “First, advertisers will assess the outcome driven by their programmatic work and, if it has decreased, it’s likely they will decrease their investment in it in favor of alternate advertising and market channels.

“Second,” DeCarlis continued, “advertisers might start investigating solutions that will help address malvertising by partnering with their IT and security departments to find a solution.”

Clear and Present Danger

Although eGobbler’s current focus appears to be desktops, “threat actors are smart, and they will likely morph their work to go after mobile users, particularly if that is where the money is,” DeCarlis warned.

“eGobbler runs campaigns like this quite often and at large scale, whether or not they have an exploit like this handy,” Confiant’s Stein pointed out. The eGobbler hackers are “quite persistent, so we suspect they will iterate on their strategy now that the patches for these bugs are in place.”

How to Protect Against eGobbler

Users should keep both their mobile and desktop Web browsers updated to protect against eGobbler, Stein said. They also should be mindful of phishing pages when filling out forms online.

Advertisers must work with their IT and cybersecurity departments to investigate malware protection solutions, DeCarlis suggested.

Consumers should report to website owners any strange behavior they come across, she said. “The only way the site owner or advertiser knows what is happening is when incidents are reported by Web visitors.”

Richard Adhikari

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology. Email Richard.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Hacking

Technewsworld Channels