A malicious actor has been leveraging a Google Chrome browser exploit to deliver malvertisements to iOS users, including a campaign earlier this month during which 500 million user sessions were exposed to a session hijacking attack.

Dubbed eGobbler by researchers at Confiant, the threat actor from April 6-10 ran a massive operation consisting of eight individual campaigns and more than 30 fake creatives. Each mini-campaign lasted around two days and had its own unique targeting, although most affected publishers were based in the U.S.

In a company blog post, Confiant researcher Eliya Stein said the operation was among “the top three massive malvertising campaigns that we have seen in the last 18 months.”

Surprisingly, the actor’s session hijacking mechanism was pop-up-based, even though browsers typically have strong pop-up blocker defenses. That’s because in this case the actors were able to take advantage of a flaw in Chrome that allowed them to circumvent the mechanism that normally requires users to interact with the browser and voluntarily allow pop-ups.

With this mechanism rendered moot, malvertising code can perform a sandbox escape and break free from the iframe through which it was delivered, thus allowing it to hijack the user session.
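The iframe boundary described above is, on the publisher side, governed by the iframe's `sandbox` attribute: without it, or with tokens such as `allow-popups` or `allow-top-navigation`, a third-party creative is allowed to open new windows or navigate the top-level page. The following audit is an added example written for this article; it is not code from Confiant, Google, or SC Media, and the HTML snippet, ad URLs and function names in it are constructed for illustration. It extracts every `<iframe>` from a page fragment and reports which ones lack a sandbox or grant escape-capable tokens.

```javascript
// Added example (not from the Confiant post or this article): audit the sandbox
// attribute on ad iframes in an HTML fragment. Input HTML, URLs and names are
// constructed for the example.

// Sandbox tokens that let content leave its frame: open pop-ups or navigate the
// top-level browsing context.
const ESCAPE_TOKENS = new Set([
  'allow-popups',
  'allow-popups-to-escape-sandbox',
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

// Split a sandbox attribute value into normalized tokens.
function parseSandboxTokens(value) {
  return value.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase());
}

// Classify one iframe's sandbox configuration.
// sandboxValue is null when the attribute is absent; an empty string means a bare
// "sandbox" attribute, i.e. every restriction applied.
function auditSandbox(sandboxValue) {
  if (sandboxValue === null) {
    return { level: 'none', reasons: ['no sandbox attribute: frame may open pop-ups and navigate top'] };
  }
  const tokens = new Set(parseSandboxTokens(sandboxValue));
  const reasons = [];
  for (const t of tokens) {
    if (ESCAPE_TOKENS.has(t)) reasons.push(`${t} permits leaving the frame`);
  }
  // Per the HTML spec, combining these two lets the framed document remove its
  // own sandbox attribute, which defeats the rest of the restrictions.
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    reasons.push('allow-scripts with allow-same-origin lets the frame remove its own sandbox');
  }
  return { level: reasons.length ? 'weak' : 'ok', reasons };
}

// Pull the src and sandbox attributes out of each <iframe> tag. This is a small
// regex extractor for the example, not a full HTML parser.
function extractIframeSandboxes(html) {
  const results = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = attrs.match(/(?:^|\s)src\s*=\s*["']([^"']*)["']/i);
    const sbMatch = attrs.match(/(?:^|\s)sandbox(?=[\s=\/]|$)(?:\s*=\s*["']([^"']*)["'])?/i);
    let sandbox = null;
    if (sbMatch) sandbox = sbMatch[1] === undefined ? '' : sbMatch[1];
    results.push({ src: srcMatch ? srcMatch[1] : '', sandbox });
  }
  return results;
}

// Audit every iframe in the fragment and attach the finding to its src.
function auditHtml(html) {
  return extractIframeSandboxes(html).map(({ src, sandbox }) => ({ src, ...auditSandbox(sandbox) }));
}

// Constructed sample page fragment with four ad slots (hostnames are placeholders).
const SAMPLE_HTML = `
<div class="ad-slot">
  <iframe src="https://ads.example/creative-a" sandbox="allow-scripts"></iframe>
  <iframe src="https://ads.example/creative-b" sandbox="allow-scripts allow-popups allow-top-navigation"></iframe>
  <iframe src="https://ads.example/creative-c"></iframe>
  <iframe src="https://ads.example/creative-d" sandbox="allow-scripts allow-same-origin"></iframe>
</div>`;

for (const finding of auditHtml(SAMPLE_HTML)) {
  console.log(finding.level.padEnd(4), finding.src, finding.reasons.join('; '));
}
```

The sandbox attribute is a layer the publisher controls, separate from the browser's own pop-up blocker that the article says was bypassed; the post withholds the details of that bypass, so nothing here claims this configuration would have stopped eGobbler specifically. It does remove the ordinary routes out of an ad frame, and creative-b and creative-d above show the two configurations that quietly give them back.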

Confiant says it alerted Google’s Chrome team of the bug on April 11 and that the developers “responded in a timely manner.” However, there is no patch available yet, and until such time the researchers will withhold additional details about the exploit, including their own proof-of-concept code.

“We believe that this exploit was key in magnifying the impact of this attack,” concludes Stein in his blog post.

Stein said the typical entry points for eGobbler campaigns are “legitimate ad servers that they infect, coupled with one or more buy-side platforms.” Moreover, the actors “use cloaked intermediate CDN [content delivery network] domains as part of their ad delivery,” and in an attempt to remain undetected, they “smuggle their payloads in popular client-side JavaScript libraries such as GreenSock.”

eGobbler is known to ramp up attacks around holiday periods, and one of its hallmarks is its use of the .world TLD for its landing pages, where device users are redirected. In an example depicted in the Confiant post, the scammers send a fake ad offering Verizon customers the chance to receive special rewards.

SC Media has contacted Google for comment.