Malvertisers Exploit WebKit Zero-Day Vulnerability – Redirect Browser Users to Scam Pages
An advertising cybersecurity firm called Confiant discovered a malvertising campaign last year that was taking advantage of what turned out to be a zero-day vulnerability in the WebKit browser engine.
Using a zero-day vulnerability in WebKit-based browsers, the malvertising group “ScamClub” injected malicious payloads that led users to fake webpages where they were tricked into buying gift cards.
How does “ScamClub” Operate?
ScamClub specializes in high-volume operations — even if most of their payloads are blocked, a large number still reach users.
“Over the last 90 days, ScamClub has delivered over 50MM malicious [ad] impressions, maintaining a low baseline of activity augmented by frequent manic bursts — with as many as 16MM impacted ads being served in a single day,” Confiant said in a blog post on Tuesday.
The “allow-top-navigation-by-user-activation” attribute in WebKit’s iframe sandboxing feature is designed to prevent malicious redirections by only allowing a redirection to occur when it’s triggered by user actions (e.g. a click or a tap inside the frame).
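A publisher-side check for the sandbox policy described above, as an added example that is not from Confiant or the original article: it parses page markup and reports what each iframe is allowed to do to the top-level page. The function names and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Sandbox tokens that control whether framed content may navigate the top-level page.
NAV_ANY = "allow-top-navigation"
NAV_ON_CLICK = "allow-top-navigation-by-user-activation"


def top_navigation_policy(sandbox):
    """Classify an iframe's sandbox attribute value (None = attribute absent)."""
    if sandbox is None:
        return "unsandboxed"          # no restrictions at all
    # Tokens are space-separated and matched case-insensitively.
    tokens = {t.lower() for t in sandbox.split()}
    if NAV_ANY in tokens:
        return "unrestricted"         # frame may redirect the page at any time
    if NAV_ON_CLICK in tokens:
        return "user-activation"      # redirect only after a click/tap in the frame
    return "blocked"                  # frame cannot navigate the top-level page


class IframeAuditor(HTMLParser):
    """Collects (src, policy) for every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = dict(attrs)
        # A bare `sandbox` attribute parses as None; treat it like sandbox="".
        sandbox = (attr["sandbox"] or "") if "sandbox" in attr else None
        self.findings.append((attr.get("src", ""), top_navigation_policy(sandbox)))


def audit(html):
    auditor = IframeAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample markup; the ad hosts are placeholders.
SAMPLE = """
<iframe src="https://ads.example/a"></iframe>
<iframe src="https://ads.example/b" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example/c" sandbox="allow-scripts Allow-Top-Navigation-By-User-Activation"></iframe>
<iframe src="https://ads.example/d" sandbox></iframe>
"""

if __name__ == "__main__":
    for src, policy in audit(SAMPLE):
        print(f"{policy:16} {src}")
```

Frames reported as "unsandboxed" or "unrestricted" can redirect the page without any click, so those are the ones to review first.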
The attacks, which were discovered by the ad security company Confiant in late June 2020, exploited a bug (CVE-2021-1801) that allowed malicious parties to circumvent the iframe sandboxing policy in the browser engine that powers Safari and Google Chrome for iOS and to execute malicious code.
Specifically, the technique exploited the way WebKit handles JavaScript event listeners, making it possible to break out of the sandbox associated with an ad’s inline frame element despite the presence of the “allow-top-navigation-by-user-activation” attribute, which explicitly forbids any redirection unless the click event occurs inside the iframe.
To test this theory, the researchers built a straightforward HTML file with a cross-origin sandboxed iframe and a button outside of it that would launch an event to access the iframe and send clicks to malicious websites.
Eliya Stein, a Confiant researcher, stated that “the button is outside of the sandboxed window after all.” If the page does redirect, that indicates a browser security bug, which proved to be the case when tested on WebKit-based browsers, namely Safari on desktop and iOS.
Following responsible disclosure to Apple on June 23, 2020, the tech giant patched WebKit on December 2, 2020, and subsequently addressed the issue “with improved iframe sandbox enforcement” as part of security updates released earlier this month for iOS 14.4 and macOS Big Sur.
“On the tactics side, this attacker historically favors what we refer to as a ‘bombardment’ strategy,” Stein elaborated.
“Instead of trying to fly under the radar, they flood the ad tech ecosystem with tons of horrendous demand well aware that the majority of it will be blocked by some kind of gatekeeping, but they do this at incredibly high volumes in the hopes that the small percentage that slips through will do significant damage.”
Confiant has also published a list of websites used by the ScamClub group to run its recent scam campaign.