Another malicious ad campaign is in the wild targeting iOS users this time. Reportedly, the malvertiser ScamClub is exploiting a WebKit zero-day vulnerability to redirect users to malicious websites.
ScamClub Malvertiser Abused WebKit Zero-day
Security researchers from Confiant cybersecurity firm have uncovered a malicious ScamClub malvertiser campaign exploiting a WebKit zero-day.
Sharing the details, the researchers explained that this malvertising campaign employs iframe sandbox bypass.
The clickMe button is outside of the sandboxed frame after all. However, if it does redirect, that means we have a browser security bug on our hands, which turned out to be the case when tested on WebKit based browsers, namely Safari on desktop and iOS.
Eventually, they redirect users to malicious websites that lure the victims into clicking on malicious ads by offering lucky prizes. The aim is to trick the users into submitting their financial details (to claim prizes that never exist).
What’s makes ScamClub malvertising distinct from others is that the attackers defiantly execute the campaigns instead of maintaining a low-profile. They do this to increase the chances of exploitation of potential vulnerabilities across the different browser versions.
Technical explanations of this malvertising campaign are available in Confiant’s post.
Apple Deployed Patches
While the malicious campaign has been around for some years, the WebKit zero-day went under exploitation perhaps recently. The researchers observed this campaign to be active since June 2020 when they spotted event listeners in the ScamClub redirect payload.
Regarding the extent of this ad campaign, the researchers stated,
Over the last 90 days, ScamClub has delivered over 50MM malicious impressions, maintaining a low baseline of activity augmented by frequent manic bursts — with as many as 16MM impacted ads being served in a single day.
Hence, following the exploitation, Apple has worked on developing a fix for it. Consequently, they rolled-out the patch in December 2020 that has reached the Safari browser with the February updates.