eGobbler Malvertising Affects 1 Billion Ads in Worldwide Campaign

Ever heard “We should be very careful while surfing the networks”? Of course, you’d because we all know this thing for a long time that cybercriminals and threats are lurking.

Last week security experts disclosed how eGobbler (a malvertising actor) victimized browser bugs and infected about 1 billion programmatic ads in two-months. Researchers also detected a new cryptocurrency crook and an IoT (Internet of Things) botnet launching various DDoS (Distributed Denial-of-Service) attacks. Moreover, they uncovered some new attack campaigns for even more established threats that includes Adwind and Emotet.

Those affected are basically iOS and macOS users through the so-called ‘zero-day vulnerabilities’, in both Chrome and Safari browsers.

So, What is eGobbler?

A series of uncontrolled malvertisement campaigns that have injected malware into thousands of devices, called eGobbler. It was titled eGobbler after generating billions of hits on the campaigns it generated.

gob·bler means a person who eats greedily and noisily.

As per his account information, it has infected WebKit (Safari) and Chrome both with around 1 billion advertisements. According to researches, this group can ramp up their purchase on weekends and holidays. These campaigns stay on the peak around 36-48 hours then, goes in the state of hibernation until the upcoming big push.

Users can easily recognize eGobbler as it uses “.world” TLD in its landing pages.

How it Works?

eGobbler is designed in such a manner that it skips all the browser features which blocks all the forceful redirections generated by unauthorized users.

Cross-origin inframes that loads resources from the domain other than the parent page, are being used in the forceful redirection endeavors. In some basic cases, the malicious ads try to redirect the parent page like – Top.window.location = “http://malicious_landing_page”. When this happens the browser security typically prevents this from happening but, eGobbler easily bypasses such browser mechanisms and initiates a forceful redirection to analyze if the user presses any button on the keyboard. All such forceful redirections will succeed on all the non-vulnerable web browsers in case if the sandbox attributes will be absent in the iframe where the ad is displaying.

Users will get a pop-up on the parent page even if the sandbox parameters will present. eGobbler hackers use CDNs (Content Delivery Networks) for payload delivery and whenever possible, they leverage subdomains carrying innocuous or famous brands.

Who’s Affected by eGobbler?

eGobbler was first detected in April 2019, informed by Apple and Google. But, the issue was not resolved at that time. Italy and Spain are the two most affect countries by this distributed malicious advertising. Initially, the attack was aimed just for mobile phones so it does not affect Chrome desktop versions but in second detection, the attack also affected WebKit, the search engine used by iOS and macOS in Safari. Attackers used the ‘onkeydown’, a JavaScript function that gets executed after pressing a key.

Till now, only Apple has updated its Safari vulnerability and Google is also developing its own solution. This means users who are not using the latest version are highly prone to get affected.

Final Words

Well, this is not the first time we are hearing about the eGobbler group. As we mentioned earlier, the hackers already executed their first major operation in early 2019. Hackers will try to gain your trust to infect your system and access your crucial information. They will overload ads and expect you to visit malware distribution sites. Therefore, be very alert while surfing on the Internet and get some good antivirus programs along with an anti-malware.