Malvertisers Using Browser Zero-Day To Redirect GiftCard Scams

Malvertising

Malvertisers Using Zero-Day To Redirect macOS and iOS Users.

The group operating under the name 'ScamClub' has targeted Apple users with malicious ads that forcibly redirected them to sites hosting online scams designed to collect users' financial information.

What Happened?

The malvertising group known as ScamClub used a zero-day vulnerability in the WebKit browser engine to deliver payloads that redirect victims to gift card scams. WebKit is the engine behind Safari, Mail, the App Store and many other apps on macOS and iOS, and is also used on Linux.

According to security research by Confiant,

The group has been active for at least several years now. ScamClub malvertisements are defined mainly by forced redirections to scams that offer prizes to "lucky" users, like the all too ubiquitous "You've won a Walmart giftcard!" or "You've won an iPhone!" landing pages.

Giftcard Scam Screenshot by Confiant

The WebKit bug that was patched: an iframe with `sandbox="allow-top-navigation-by-user-activation"` could navigate the top frame when the user interacted with a frame from another origin. That check was not strict enough and did not match the behavior of Chrome.

In Chrome, a user activation only counts for the purpose of top navigation if the user interacted with one of the following:

  • The iframe triggering the navigation
  • A descendant iframe of the iframe triggering the navigation
  • A frame from the same origin as the iframe triggering the navigation

The Payload

A typical ScamClub payload has a few layers to it, starting with an ad tag that loads a malicious CDN-hosted dependency. This dependency is usually obfuscated in absurd ways in an attempt to evade URL blocklists.

The payload then fires off a battery of redirect techniques rather than a single one. For example, one browser version might block redirect attempts from cross-origin frames while the prior version lets them through, so the payload tries everything, including known bypasses that may have since been patched, in the hope that one of them still works on the victim's browser.

The `allow-top-navigation-by-user-activation` sandbox attribute, often lauded as one of the most vital tools in an anti-malvertising strategy, should in theory prevent any redirection of the top page unless a proper activation takes place. Activation in this context means a tap or a click inside the sandboxed frame (or, in Chrome's stricter model, inside one of its descendants or a same-origin frame). The WebKit bug broke that assumption: a tap anywhere on the page, even in an unrelated cross-origin frame, was enough to let the sandboxed ad frame navigate the top frame to the scam landing page.
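To make the difference between the two activation rules concrete, here is an added example (not code from Confiant, WebKit or the ScamClub payload) that models a publisher page with a sandboxed ad frame and decides, under Chrome's rule from the list above and under the pre-patch WebKit behaviour, whether an attempted `top.location` change from the ad frame goes through. The frame tree, the origins (`publisher.example`, `cdn.adnetwork.example`, and so on) and the function names are all constructed for illustration; they are not domains or code from the page.

```javascript
'use strict';

// Constructed frame tree (hypothetical origins). It models:
//
//   top     https://publisher.example        the site showing the ad
//   |- ad   https://cdn.adnetwork.example    <iframe sandbox="allow-scripts
//   |                                         allow-top-navigation-by-user-activation">
//   |  '- nested https://payload.example     cross-origin child nested by the ad payload
//   '- widget https://comments.example       unrelated cross-origin frame on the page
const FRAMES = [
  { id: 'top',    origin: 'https://publisher.example',     parent: null,  sandbox: null },
  { id: 'ad',     origin: 'https://cdn.adnetwork.example', parent: 'top',
    sandbox: ['allow-scripts', 'allow-top-navigation-by-user-activation'] },
  { id: 'nested', origin: 'https://payload.example',       parent: 'ad',  sandbox: null },
  { id: 'widget', origin: 'https://comments.example',      parent: 'top', sandbox: null },
];

function byId(frames, id) {
  const frame = frames.find((f) => f.id === id);
  if (!frame) throw new Error(`unknown frame: ${id}`);
  return frame;
}

// True when `id` is `ancestorId` itself or sits somewhere below it in the tree.
function isSameOrDescendant(frames, ancestorId, id) {
  for (let cur = byId(frames, id); cur; cur = cur.parent === null ? null : byId(frames, cur.parent)) {
    if (cur.id === ancestorId) return true;
  }
  return false;
}

// Chrome's rule as listed in the article: the activation must come from the
// navigating frame, one of its descendants, or a frame with the same origin.
function chromeActivationCounts(frames, navigatingId, activatedId) {
  const nav = byId(frames, navigatingId);
  const act = byId(frames, activatedId);
  return isSameOrDescendant(frames, navigatingId, activatedId) || nav.origin === act.origin;
}

// WebKit before the fix (as the article describes it): a user gesture in any
// frame, including an unrelated cross-origin one, satisfied the check.
function webkitPrePatchActivationCounts(frames, navigatingId, activatedId) {
  byId(frames, navigatingId);
  byId(frames, activatedId); // the click only has to exist somewhere on the page
  return true;
}

// Simulates the sandboxed frame `navigatingId` executing `top.location = url`
// after the user last interacted with frame `activatedId` (null = no gesture).
// `policy` is one of the two activation rules above.
function attemptTopNavigation(frames, policy, navigatingId, activatedId, url) {
  const nav = byId(frames, navigatingId);
  if (nav.sandbox === null) {
    return { navigated: true, reason: 'frame is not sandboxed', url };
  }
  if (nav.sandbox.includes('allow-top-navigation')) {
    return { navigated: true, reason: 'allow-top-navigation permits it unconditionally', url };
  }
  if (!nav.sandbox.includes('allow-top-navigation-by-user-activation')) {
    return { navigated: false, reason: 'sandbox forbids top navigation', url };
  }
  if (activatedId === null) {
    return { navigated: false, reason: 'no user activation', url };
  }
  if (!policy(frames, navigatingId, activatedId)) {
    return { navigated: false, reason: 'activation came from an unrelated cross-origin frame', url };
  }
  return { navigated: true, reason: 'activation accepted', url };
}

// The scenario from the article: the ad frame fires the redirect while the
// user's only tap landed in the unrelated cross-origin `widget` frame.
function runScenario() {
  const scam = 'https://landing.example/you-won'; // placeholder, not a real IOC
  return {
    chrome: attemptTopNavigation(FRAMES, chromeActivationCounts, 'ad', 'widget', scam),
    webkitPrePatch: attemptTopNavigation(FRAMES, webkitPrePatchActivationCounts, 'ad', 'widget', scam),
    // A tap inside the ad's own nested frame is a legitimate activation everywhere.
    legitimate: attemptTopNavigation(FRAMES, chromeActivationCounts, 'ad', 'nested', scam),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

Running it stand-alone prints that Chrome refuses the redirect (the tap was in `widget`, which is neither a descendant of `ad` nor same-origin with it) while the pre-patch WebKit rule lets it through; the `legitimate` case, a tap inside the ad's own nested frame, is accepted under both rules, which is exactly what a well-behaved ad needs and why the attribute is still worth setting.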

Over the last 90 days, ScamClub has delivered over 50MM malicious impressions, maintaining a low baseline of activity augmented by frequent manic bursts — with as many as 16MM impacted ads being served in a single day.

Domains observed in these malvertising campaigns:

goodluckpig.space
goodluckman.space
goodluckguy.space
goodluckdog.space
luckytub.xyz
luckyguys.xyz
luckyguys.top
hknewgood.xyz
hknewgood.top
usgoodwinday.top
usgoodwinday.xyz
2020workaffnew.top
vip.peopleluck.xyz
vip.fortunatefellow.xyz
vip.fortunateman.xyz
vip.fortunatetime.xyz
vip.fortunatepeople.xyz
vip.luckydevil.xyz
vip.superlucky.xyz
vip.luckydraw.space
vip.hipstarclub.com
workcacenter.space
trkcenter.xyz
trkingcenter.xyz
gotrkspace.xyz
trkmyclk.space
dbmtrk.xyz
trkmyclk.xyz

How To Protect from Malvertising?

Malvertising is malware delivered through online advertising. It does not require visiting a shady website: a legitimate site that serves third-party ads can carry a malicious ad tag, and the ad either attempts to install malware through the browser or, as in the ScamClub case, forcibly redirects the user to a scam or malicious server. The high volume of the online advertising market is what makes this profitable, since even a small fraction of victims entering payment details pays off.

  • Use a security suite with web protection, not just a signature-based antivirus.
  • Keep your browser and operating system up to date so engine fixes like the WebKit patch reach you, and enable the browser's built-in security features (fraudulent website warnings, pop-up blocking).
  • Do not click on unknown links.
  • Do not click on any "You've won a gift card" messages or links, and never enter payment details on a page you were redirected to unexpectedly.
  • Use an ad blocker.
