To run the attack, the group uses an exploit in the WebKit browser engine. Eliya Stein, a security researcher with Confiant, disclosed the attack on Monday in a blog post. He said the group eGobbler is behind the exploit and that over one billion ad impressions have already been hit. Those attacks took place through August and September and targeted the WebKit engine Apple uses for its Safari browser. Of course, eGobbler has form in exploiting Apple services: another session hijacking attack was launched by the group against iOS users in April. “eGobbler is using this attack to drive victims to phishing pages,” Stein told Threatpost. “Normally a victim would have to click on an ad to be redirected to a landing page, but eGobbler is able to drive victims to their phishing pages without such interaction.” Like other session hijacking attacks, eGobbler redirects webpages to a malware-infested site or landing page. These pages carry a pop-up that does not allow users to leave. Like normal confidence attacks, the landing pages have legitimate-looking ads, but a click on one of them will allow the malware to be deployed.
Attack
The bug in WebKit that is allowing the exploit originates in a cross-origin nested iframe. This is an HTML document that is embedded inside another HTML document on a website. When the iframe autofocuses, it bypasses the sandbox directive that gives users control over navigation. “When the element in the iframe is focused automatically (as per the exploit) this tricks the browser into thinking that the victim took an explicit action in that iframe when the user then presses a key,” Stein said. “The exploit essentially tricks the browser into thinking the user initiated some sort of action inside the iframe when they did not.” “With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation,” he added. It is worth noting that Apple was told about the problem in early August. Cupertino rolled out a fix in iOS 13 (for Safari 13.0.1) on September 24.
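The ingredients Stein describes (an iframe, an autofocused element inside it, and a sandbox that still hands out top-level navigation on user activation) can be flagged in creative markup before an ad is served. The following is an added example written for this article, not Confiant's or Apple's code; it assumes it is run over every HTML document a creative loads, including the documents of nested frames, and that regex-based tag matching is good enough for triage.

```javascript
// Added example (not Confiant's or Apple's code): a triage audit of ad-creative
// markup for the three ingredients of the eGobbler pattern in the article:
// an iframe, an element carrying `autofocus`, and a sandbox that still hands
// out top-level navigation. Regex tag matching is a heuristic, not an HTML parser.

// Pull attributes out of a tag's raw attribute string into a lowercase map.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Scan one HTML document and return human-readable findings (empty = clean).
// Run it over the outer creative and over every document a nested frame loads,
// since in the described attack the autofocused element lives in the inner frame.
function auditAdCreative(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if ("autofocus" in attrs) {
      // With focus already inside the frame, a keydown counted as user activation.
      findings.push(`autofocus on <${tag}>`);
    }
    if (tag !== "iframe") continue;
    if (!("sandbox" in attrs)) {
      findings.push("iframe without sandbox attribute");
      continue;
    }
    const flags = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
    const nav = flags.filter((f) => f.startsWith("allow-top-navigation"));
    if (nav.length > 0) {
      // allow-top-navigation-by-user-activation is the flag the bug rendered moot.
      findings.push(`iframe sandbox permits top navigation: ${nav.join(" ")}`);
    }
  }
  return findings;
}

// Constructed sample creative for demonstration, not a real eGobbler payload.
const SAMPLE = '<iframe sandbox="allow-scripts allow-top-navigation-by-user-activation" src="https://ad.example/inner.html"></iframe><input autofocus>';
```

Running `auditAdCreative(SAMPLE)` reports both the navigation-capable sandbox and the autofocused input; an `<iframe sandbox>` with no flags, or one without any `allow-top-navigation*` flag, produces no navigation finding.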