Attackers from eGobbler have delivered over one billion malicious adverts over the past two months, according to security firm Confiant.
These ads were targeted primarily at macOS and iOS users, and leveraged zero-day vulnerabilities in versions of Chrome and Safari.
“If we take a snapshot of eGobbler activity from Aug. 1 – Sep. 23, 2019 then we see a staggering volume of impacted programmatic impressions,” said Confiant.
“By our estimates, we believe up to 1.16 billion impressions have been affected.”
According to Confiant, eGobbler has used two major browser exploits over the past six months.
The first, which Confiant first reported in April, impacts Chrome for iOS up until version 75, while the second – first uncovered on 7 August – was fixed in iOS 13/Safari 13.0.1 on 19 September.
How the exploits work
For the first exploit, Confiant said that eGobbler used traditional cloaking techniques and obfuscation to make its payloads look like real adverts.
However, what was different about eGobbler’s exploit was how it leveraged pop-ups to spawn a new window or tab.
This was surprising because modern browsers tend to have particularly strong pop-up blockers. Tests found that the built-in pop-up blocker of Chrome on iOS consistently failed to block these adverts.
While the second exploit looked similar to the first, Confiant said that there was a key difference.
“This time around, however, the iOS Chrome pop-up was not spawning as before, but we were in fact experiencing redirections on WebKit browsers upon the ‘onkeydown’ event.”
Confiant said that both exploits have since been patched.