ScamClub malvertising gang abused WebKit zero-day to redirect to online gift card scams

Malvertising gang ScamClub has exploited an unpatched zero-day vulnerability in WebKit-based browsers in a campaign aimed at realizing online gift card scams.

The Malvertising gang ScamClub has abused an unpatched zero-day vulnerability in WebKit-based browsers to bypass security measures and redirect users from legitimate sites to websites hosting online gift card scams.

The malvertising campaign was first spotted in June 2020 and is still ongoing despite the flaw has been addressed with the release of security updates early this month.

“A typical ScamClub payload has a few layers to it, starting with an ad tag that loads a malicious CDN hosted dependency. This of course is usually obfuscated in absurd ways in an attempt to evade url blocklists.” reads the analysis published by the security firm Confiant.

The group has been active since 2018, it mainly targeted iOS users with malicious ads that often redirected users to sites hosting online scams. The landing pages were designed to trick victims into providing their financial information.

In the most recent campaign, ScamClub hackers used a new technique to bypass the iframe HTML sandboxing mechanism. The iframe sandboxing is a defense measure that prevents the malicious code from interacting with the underlying website.

The malvertising gang abused a bug in how the Webkit browser engine handles JavaScript event listeners to redirect users from legitimate sites to malicious domains that were hosting gift card scams.

“The `allow-top-navigation-by-user-activation` sandbox attribute, which is often lauded as one of the most vital tools in an anti-malvertising strategy should in theory prevent any redirection unless a proper activation takes place. Activation in this context typically means a tap or a click inside the frame.” continues the analysis.

“This means our proof of concept shouldn’t work under any circumstances. The clickMe button is outside of the sandboxed frame after all. However, if it does redirect, that means we have a browser security bug on our hands, which turned out to be the case when tested on WebKit based browsers, namely Safari on desktop and iOS.”

The trick abused by the threat actors in these malvertising campaigns only worked with browsers using the open-source WebKit engine, such as Apple’s Safari and Google Chrome for iOS.

The experts reported that over the last 90 days, ScamClub gang has delivered over 50 million malicious impressions, alternating a low baseline of activity with frequent manic bursts. The experts observed peak of 16 million impacted ads being served in a single day.

Below the disclosure timeline:

• June 22, 2020 — Confiant Security Team observes event listeners in ScamClub redirect payload.
• June 23, 2020 — Bug report submitted to Apple Security. Google Chrome team also notified (Chrome on iOS uses WebKit).
• Dec 2, 2020 — Patched https://trac.webkit.org/changeset/270373/webkit
• Feb 1, 2021 — CVE assigned and published as part of Apple’s security update: https://support.apple.com/en-us/HT212147

Confiant researchers also released Indicators of Compromise (IoCs) in STIX format.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malvertising)

[adrotate banner=”5″]

[adrotate banner=”13″]