Malvertisers Using Zero-Day To Redirect macOS and iOS Users.
The group, which operates under the name 'ScamClub', has targeted Apple users with malicious ads that redirected them to sites hosting online scams designed to collect financial information.
ScamClub used a zero-day vulnerability in the WebKit browser engine to deliver payloads that redirect victims to gift card scams. WebKit is the browser engine used by Safari, Mail, the App Store, and many other apps on macOS, iOS, and Linux.
According to security research by Confiant, the group has been active for at least several years. ScamClub malvertisements are defined mainly by forced redirections to scams that offer prizes to "lucky" users, such as the all too ubiquitous "You've won a Walmart gift card!" or "You've won an iPhone!" landing pages.
WebKit patched the bug: an iframe with sandbox="allow-top-navigation-by-user-activation" could navigate the top frame when the user interacted with a different frame from another origin. That is not strict enough, since the activation that unlocks top navigation should belong to the sandboxed frame itself, and it does not match the behaviour of Chrome.
In Chrome, a user activation is only valid for the purpose of top navigation if the user interacted with one of the following:
- The iframe triggering the navigation
- A descendant iframe of the iframe triggering the navigation
- A frame from the same origin as the iframe triggering the navigation
A typical ScamClub payload has a few layers to it, starting with an ad tag that loads a malicious dependency hosted on a CDN. This dependency is usually obfuscated in absurd ways in an attempt to evade URL blocklists.
The payload then throws every known redirect technique at the browser, including bypasses that may since have been patched, because behaviour differs between browser versions: one version might block redirect attempts from cross-origin frames while the prior version lets them through.
The `allow-top-navigation-by-user-activation` sandbox attribute, often lauded as one of the most vital tools in an anti-malvertising strategy, should in theory prevent any redirection unless a proper activation takes place. Activation in this context typically means a tap or a click inside the frame.
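As an added example (not Confiant's or WebKit's code), the JavaScript below models the activation rule from the list above and the sandbox attribute just described as a decision function over a constructed frame tree: a publisher page hosting a same-origin widget iframe and a sandboxed cross-origin ad iframe with a nested tracker frame. Frame ids, origins and sandbox token lists are constructed sample data, and `strictActivation` is a hypothetical switch used here to contrast the Chrome rule (and WebKit after the fix) with the pre-patch WebKit behaviour; it is not a real browser flag.

```javascript
// Constructed frame tree (sample data, not a real page). The ad frame is the
// one a publisher would embed as:
//   <iframe src="https://ads-cdn.example/tag.html"
//           sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
const frames = {
  top:     { parent: null,  origin: "https://publisher.example" },
  widget:  { parent: "top", origin: "https://publisher.example" },
  ad:      { parent: "top", origin: "https://ads-cdn.example",
             sandbox: ["allow-scripts", "allow-top-navigation-by-user-activation"] },
  adInner: { parent: "ad",  origin: "https://tracker.example" },
};

// Walk up the parent chain to see whether `candidate` sits below `ancestor`.
function isDescendant(tree, candidate, ancestor) {
  let cur = tree[candidate].parent;
  while (cur !== null) {
    if (cur === ancestor) return true;
    cur = tree[cur].parent;
  }
  return false;
}

// The Chrome rule from the article: a gesture counts for the navigating frame
// only if it landed in that frame, in one of its descendants, or in a frame of
// the same origin.
function activationCountsFor(tree, navigator, activated) {
  if (activated === navigator) return true;
  if (isDescendant(tree, activated, navigator)) return true;
  return tree[activated].origin === tree[navigator].origin;
}

// Decide whether frame `navigator` may navigate the top frame, given that the
// most recent user gesture happened in frame `activated` (null = no gesture).
// strictActivation = true  models Chrome and patched WebKit;
// strictActivation = false models pre-patch WebKit, where interaction with any
// frame, including a cross-origin one, unlocked top navigation.
function mayNavigateTop(tree, navigator, activated, { strictActivation = true } = {}) {
  const sandbox = tree[navigator].sandbox;
  if (!sandbox) return true;                         // unsandboxed frames are unrestricted
  if (sandbox.includes("allow-top-navigation")) return true;
  if (!sandbox.includes("allow-top-navigation-by-user-activation")) return false;
  if (activated === null) return false;              // forced redirect with no gesture: blocked
  return strictActivation ? activationCountsFor(tree, navigator, activated) : true;
}

// Side-by-side view of the malvertising case: the user taps the publisher's
// own widget, and the sandboxed ad frame tries to redirect the whole page.
function compareBehaviours(tree) {
  return {
    chrome:         mayNavigateTop(tree, "ad", "widget"),
    webkitPrePatch: mayNavigateTop(tree, "ad", "widget", { strictActivation: false }),
  };
}
```

The interesting row is the one where the gesture lands in the publisher's widget: under the Chrome rule the ad frame's redirect is refused, while the pre-patch WebKit behaviour lets it through, which is exactly the gap ScamClub's payload exploited.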
Over the last 90 days, ScamClub has delivered over 50MM malicious impressions, maintaining a low baseline of activity augmented by frequent manic bursts — with as many as 16MM impacted ads being served in a single day.
The malvertising attacks were delivered through the following address.
How To Protect from Malvertising?
Malvertising is malware delivered through online advertisements. It happens when a site the user visits serves an ad that attempts to install malware or, as in ScamClub's case, forces a redirect.
The end result is that the user downloads malware or is sent to a malicious server through ordinary browser activity.
- Use an internet security suite rather than a plain antivirus product.
- Enable the security features in your web browser and its add-ons.
- Do not click on unknown links.
- Do not click on gift card messages or links.
- Use an ad blocker.