If you own an iOS device and use the Chrome browser, there is a chance during the last week that you’ve encountered some strange-looking advertising pop-ups.
According to security company Confiant, which took a closer look at these campaigns, a typical message might look something like this:
There are no rewards, of course, because these pop-up ads are run by a cybercrime group and exist to generate revenue for the crooks – you don’t get to share the spoils.
But the bigger question that bugged Confiant’s researchers when they analysed the pop-ups was how they were bypassing Chrome’s iOS ad-blocking protection.
The volume of campaigns was massive – 500 million pop-ups since 6 April 2019, apparently – featuring 30 adverts connected to a cybercrime group called eGobbler.
Aiming such a large volume of ads at the users of one platform and browser, iOS Chrome, also looked a little unusual.
Sure enough, Confiant discovered the campaigns had found a way to beat Chrome’s pop-up blocker by exploiting a previously unknown and unpatched security vulnerability.
Google was told of the issue last week, which Confiant hasn’t yet explained in detail because it remains unpatched:
We will be offering an analysis of the payload and POC [proof-of-concept] exploit for this bug in a future post given that this campaign is still active and the security bug is still unpatched in Chrome as of this blog post.
Dodging the bullet
The ads are not easy to avoid because they trigger on legitimate US and European websites, giving the ads an apparent legitimacy.
Each campaign lasts for 24 to 48 hours:
Publishers aren’t choosing to serve these ads – they’re bogus, unwanted and unexpected adverts that winkle their way into the patchwork of ad systems upon which the industry is based.
By the time publishers work out what’s going on – that could take hours, days or even longer – the crooks have moved on to a new campaign with different ads linking to new domains.
What to do?
One giveaway of eGobbler’s pop-up ads is that they often use a
.world Top-Level Domain (TLD) as a landing page, so be cautious of those domains if you don’t usually visit
Without more detail on the vulnerability, it’s hard to assess what sort of wider threat it might pose or whether it’s mostly about nuisance and inconvenience.
However, until this popup bypass is patched in Chrome, you could just stick to Safari, Apple’s own built-in iOS browser.