ScamClub malvertising gang abused WebKit zero-day to redirect to online gift card scams

Malvertising gang ScamClub has exploited an unpatched zero-day vulnerability in WebKit-based browsers in a campaign aimed at realizing online gift card scams.

The Malvertising gang ScamClub has abused an unpatched zero-day vulnerability in WebKit-based browsers to bypass security measures and redirect users from legitimate sites to websites hosting online gift card scams.

The malvertising campaign was first spotted in June 2020 and is still ongoing despite the flaw has been addressed with the release of security updates early this month.

“A typical ScamClub payload has a few layers to it, starting with an ad tag that loads a malicious CDN hosted dependency. This of course is usually obfuscated in absurd ways in an attempt to evade url blocklists.” reads the analysis published by the security firm Confiant.

The group has been active since 2018, it mainly targeted iOS users with malicious ads that often redirected users to sites hosting online scams. The landing pages were designed to trick victims into providing their financial information.

In the most recent campaign, ScamClub hackers used a new technique to bypass the iframe HTML sandboxing mechanism. The iframe sandboxing is a defense measure that prevents the malicious code from interacting with the underlying website.

The malvertising gang abused a bug in how the Webkit browser engine handles JavaScript event listeners to redirect users from legitimate sites to malicious domains that were hosting gift card scams.

“The `allow-top-navigation-by-user-activation` sandbox attribute, which is often lauded as one of the most vital tools in an anti-malvertising strategy should in theory prevent any redirection unless a proper activation takes place. Activation in this context typically means a tap or a click inside the frame.” continues the analysis.

“This means our proof of concept shouldn’t work under any circumstances. The clickMe button is outside of the sandboxed frame after all. However, if it does redirect, that means we have a browser security bug on our hands, which turned out to be the case when tested on WebKit based browsers, namely Safari on desktop and iOS.”

The trick abused by the threat actors in these malvertising campaigns only worked with browsers using the open-source WebKit engine, such as Apple’s Safari and Google Chrome for iOS.

The experts reported that over the last 90 days, ScamClub gang has delivered over 50 million malicious impressions, alternating a low baseline of activity with frequent manic bursts. The experts observed peak of 16 million impacted ads being served in a single day.

Below the disclosure timeline:

Confiant researchers also released Indicators of Compromise (IoCs) in STIX format.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malvertising)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.