Malvertiser abused WebKit zero-day to redirect iOS and MacOS users to shady sites

Malicious ad campaigns have taken place all last year. Patches shipped on February 1, 2021.


Image: WebKit

A cybercrime group specialized in showing malicious ads has abused an unpatched zero-day vulnerability in WebKit-based browsers to break security restrictions and redirect users from legitimate portals to shady sites hosting online gift card scams.

The attacks were first spotted in June 2020 and are still active today; however, patches for the WebKit zero-day have been released at the start of the month.

According to a report from cyber-security firm Confiant, shared with ZDNet last week, the culprits behind the attacks are a group previously known as ScamClub.

Active since 2018, this group operates by buying large quantities of ad slots on multiple platforms in the hope that some of its bad ads make it through security checks.

Since it was first discovered almost three years ago, ScamClub has typically targeted iOS users with malicious ads that often redirected users to sites hosting online scams that tried to collect users' financial information.

Its most recent operation also follows this pattern. In a campaign that appears to have started last summer, Confiant said it saw the group abuse a novel method to allow the malicious code that it typically hides in ad slots to break out of the ad slot's iframe HTML element's sandbox, a security system that prevents the code from interacting with the underlying website.

Using a quirk in how the Webkit browser engine handles JavaScript event listeners, the ScamClub group has been delivering malicious ads for the past months that redirected users from legitimate sites to shady domains hosting gift card scams, similar to what they've done in previous campaigns in previous years.


Image: Confiant

"Over the last 90 days, ScamClub has delivered over 50 million malicious impressions, maintaining a low baseline of activity augmented by frequent manic bursts — with as many as 16 million impacted ads being served in a single day," said Eliya Stein, a Senior Security Engineer at Confiant.

The vulnerability abused in these malvertising campaigns only worked with browsers using the open-source WebKit engine. This includes Apple's Safari and Google Chrome for iOS.

Stein said his company reported the bug to both the Apple WebKit team and Google last June. A patch for the WebKit bug shipped last December, and the fix has eventually reached Safari for MacOS and iOS, released at the start of the month.

Victims of this malvertising campaign will be hard to trace. Anyone who bought gift cards from unofficial websites using a Safari or Chrome for iOS browser can be considered a candidate. If they shared payment card details with these sites, users might need to check their payment card history for any suspicious transactions, which might suggest that the group might have abused or shared their financial details with other scam groups.

Confiant has released a list of sites where the ScamClub group hosted gift card scams as part of its recent malvertising campaign. Users can check their browser history to see if they accessed any of these sites before taking other steps to secure their payment card data.