WebKit Zero-Day Vulnerability Exploited by Malvertisers to Scam Users

The security firm Confiant has disclosed a malvertising campaign that exploited a zero-day vulnerability in WebKit to infect browsers with malicious payloads and redirect users to scam websites.

The Apple-developed WebKit browser engine powers the Safari browser and a host of other web browsers, including Google Chrome, BlackBerry Browser, and the Amazon Kindle browser.

According to Confiant, the first attack was recorded in June 2020 and leveraged a bug that allowed malicious third parties to bypass iframe sandboxing in the WebKit browser engine and run malicious code.

How Malvertisers Exploited WebKit Zero-Day to Redirect Browser Users to Scam Sites?

ScamClub, a malvertising group, exploited how WebKit handles JavaScript event listeners. The flaw makes it possible to break out of the sandbox associated with the inline frame element irrespective of the "allow-top-navigation-by-user-activation" attribute, which forbids redirection unless a click event occurs within the iframe.
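
For publishers reviewing their own ad slots, the sketch below classifies what each iframe's sandbox attribute permits for top-level navigation. It is an added example, not code from Confiant or from this article; the function names, the sample markup and the ads.example hosts are constructed for illustration.

```javascript
// Added example: audit the sandbox attribute of ad iframes (defensive check).
// Token names come from the HTML standard; everything else here is constructed.
const TOP_NAV = 'allow-top-navigation';
const TOP_NAV_GATED = 'allow-top-navigation-by-user-activation';

// Classify how a frame is allowed to navigate the top-level page.
// `sandboxValue` is undefined when the iframe has no sandbox attribute.
function topNavigationPolicy(sandboxValue) {
  if (sandboxValue === undefined) return 'unsandboxed';
  const tokens = new Set(sandboxValue.toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has(TOP_NAV)) return 'unrestricted';           // may redirect at any time
  if (tokens.has(TOP_NAV_GATED)) return 'user-activation';  // only after a click in the frame
  return 'blocked';                                         // may not navigate the top page
}

// Parse the attributes of one <iframe ...> start tag into a Map.
function parseAttributes(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<iframe/i, '').replace(/\/?>$/, '');
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Report the top-navigation policy of every iframe in a chunk of markup.
function auditIframes(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    const sandbox = attrs.has('sandbox') ? attrs.get('sandbox') : undefined;
    findings.push({ src: attrs.get('src') ?? '', policy: topNavigationPolicy(sandbox) });
  }
  return findings;
}

// Constructed sample markup: four ad slots with different sandbox settings.
const SAMPLE = `
<iframe src="https://ads.example/slot-a" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://ads.example/slot-b" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example/slot-c" sandbox></iframe>
<iframe src="https://ads.example/slot-d"></iframe>`;

console.log(auditIframes(SAMPLE));
```

The audit only confirms what the markup requests. Enforcement is the browser's job, which is why the flaw described above mattered even for slots marked "user-activation".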



The bug, tracked as CVE-2021-1801, could allow malicious third parties to bypass the iframe sandboxing policy in the WebKit browser engine that powers Apple Safari and Google Chrome for iOS and run malicious code.

Over the past 90 days, ScamClub has successfully delivered over 50MM malicious impressions, maintaining a low baseline of activity augmented by frequent manic bursts, with as many as 16MM impacted ads being served in a single day, according to Confiant.

ScamClub malvertisements are mainly defined by forced redirections to scam sites that offer prizes to “lucky” users, such as the all too ubiquitous “You’ve won a Walmart giftcard!” or “You’ve won an iPhone!” pages.

Why Google SafeBrowsing and Other Browser-Based Security Isn't Enough

Google SafeBrowsing was late in flagging the landing pages as malicious: the domain used in the scheme had been flying under the radar and was not detected by Google SafeBrowsing.

However, Apple has issued a patch for WebKit with improved iframe sandbox enforcement as part of the latest security updates released for iOS 14.4 and macOS Big Sur, thereby addressing the issue.
