eGobbler

By GoldSparrow in Malware

eGobbler is a criminal group behind a massive corrupted advertising (malvertising) campaign against iOS devices. The eGobbler campaign was launched before Easter 2019 and seemed to follow a pattern: it begins before a significant date or holiday, is active for three to four days, and is then disabled until the next time the attack is carried out. What PC security researchers have found most alarming is that about half a billion devices seem to have been affected by the corrupted advertising campaign associated with the eGobbler attacks. Attacks carried out by the eGobbler group seem to be enabled by a vulnerability in Google Chrome, which the criminals have exploited as part of their attacks.

The Threatening Malware Campaign Linked to eGobbler

Attacks like those associated with eGobbler have been seen multiple times before in one form or another. The campaign linked to eGobbler takes over victims' Web browsers, which are then automatically forced to visit particular websites. These websites cause the affected Web browser to display constant advertisements to the victim. This allows the criminals to monetize the attacks, artificially inflating their ad revenue and traffic numbers at the expense of the victims. Unfortunately, because of the way eGobbler attacks work, ad blockers cannot help protect iOS users. The best solution would be for the flaw in Google Chrome that is enabling eGobbler attacks to be fixed as soon as possible.

Techniques Associated with Attacks Carried Out by eGobbler

Session hijacking, or taking over the victim's session on their Web browser, is the most common form of corrupted advertisement. The technique used most often to carry out these attacks is harmful JavaScript that redirects the victim when the affected Web browser starts up. Apart from unwanted scripts, malware associated with eGobbler attacks may also make unwanted changes to the affected Web browser's DNS settings or pop-up settings so that new windows or tabs are displayed automatically. Redirecting the victim's Web browser to unwanted websites can be more effective than displaying pop-up windows or tabs on modern devices, although both are still quite annoying. The eGobbler attackers use sophisticated obfuscation techniques to prevent PC security researchers and anti-malware software from stopping the attacks. However, one somewhat creative aspect of eGobbler attacks is that they leverage a security bug in Google Chrome. This was discovered by reverse engineering the payload associated with various eGobbler attacks, which revealed a new technique that allows the attackers to circumvent Google Chrome's pop-up blocker. On April 11, 2019, Google was notified of the bug that is enabling eGobbler attacks, and it is likely that a security patch will be released as soon as possible.

The Latest eGobbler Campaign Boasts Some Impressive Numbers

The latest eGobbler campaign began on April 6, 2019, and included eight individual campaigns, each with its own targets, most in the United States but also some in Europe. Fake advertisements associated with this eGobbler campaign lasted between one and two days. PC security researchers estimate that more than 500 million people were affected by fake advertisements delivered by campaigns linked to eGobbler. The criminals carrying out these attacks seem to make use of legitimate ad servers that have been compromised to work on behalf of the attackers rather than carry out their normal operations. One worrying aspect of this particular campaign is that hijacking the victims' Web browsers has the potential to lead to more threatening malware. While the unwanted advertisements may seem harmless to many computer users, it is important to note that having control over the victims' Web browsers and being able to deliver ad content carries the potential for exposure to more threatening malware.
