New Malvertising Campaign by the ScamClub Group Is Actively Exploiting Zero-Days
How the New Campaign Works and What to Watch Out For
Just when you thought things were finally going smoothly for a change, the malvertising group widely known as “ScamClub” has made an unwelcome comeback. This time, they exploited a zero-day vulnerability in WebKit-based browsers in order to deliver malicious payloads that redirected users to fraudulent gift card scam sites. The new malvertising campaign by the ScamClub group is particularly dangerous to companies and institutions that are behind on their software patching.
The group has been active since early 2018, launching malvertising attacks aimed at redirecting users to a vast range of scam websites that promise prizes.
So when did the new malvertising campaign by the ScamClub group start? These attacks, which were first noticed back in June 2020 by the cybersecurity company Confiant, exploited the CVE-2021-1801 bug, which allowed malicious parties to bypass the iframe sandboxing policy in the Safari and Google Chrome browsers for iOS and run malicious code.
In short, this technique exploited the way WebKit manages JavaScript event listeners. It provided the means to bypass the sandbox applied to an ad’s inline frame element, regardless of the “allow-top-navigation-by-user-activation” attribute, which explicitly blocks any redirection unless it is triggered by a user action, such as a click or tap within the iframe.
According to cybersecurity researcher Eliya Stein, one of the reasons attackers chose this approach is that they have only partial control, at best, over which device or platform the payload runs on, and they want to maximize their monetization opportunity as best they can.
As for the victims of this malvertising campaign, they can be quite difficult to trace. Anyone who purchased gift cards from unofficial websites using the Safari or Chrome browser for iOS is a potential victim. If they shared credit card information with these websites, customers should check their card’s transaction history for any suspicious activity, which could indicate that the group abused their payment details or passed them on to other scam groups.
How to Protect Yourself from Zero-day Vulnerabilities
Zero-day vulnerabilities pose serious security risks, leaving you exposed to zero-day attacks, which can in turn damage your computer or compromise your personal data. To keep both safe, it is smart and highly recommended to take proactive and reactive security measures.
#1. Patching vulnerabilities
As my colleague Bianca explained in her article on Vulnerability Management, patching is the first recommended step to prevent potential exploits. It is closely followed by traffic filtering and scanning, both of which prevent communication with command & control servers.
Our innovative Heimdal™ Patch and Asset Management solution enables you to automate your patching process and efficiently manage vulnerabilities. It can prevent zero-day attacks using advanced automated patching, scheduling, IT asset management, and more. You will no longer worry about vulnerabilities that expose you to malvertising campaigns such as the one operated by ScamClub after you take your patch management to the next level.
#2. Implementing a Content Security Policy
A content security policy (CSP) is a mechanism that controls which origins are allowed to supply content to your website. Implementing it will prevent unauthorized scripts from running, ensure that page resources (images, stylesheets, or frames) are loaded only from trusted sources, and, when configured to do so, transparently upgrade all resource requests to HTTPS.
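To make the CSP points above concrete, here is an added example (written for this article, not Heimdal’s code) that parses a Content-Security-Policy header and flags the weaknesses just described: wildcard or missing script and frame sources, inline scripts, plaintext HTTP sources, and a missing HTTPS upgrade. The two sample policies and the origin ads.example-cdn.invalid are constructed for illustration.

```python
# Constructed sample policies: a permissive one and a hardened one.
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline'"
HARDENED_POLICY = (
    "default-src 'self'; script-src 'self' https://ads.example-cdn.invalid; "
    "frame-src https://ads.example-cdn.invalid; object-src 'none'; "
    "upgrade-insecure-requests"
)

# Directives whose sources this audit inspects; a CSP that leaves them open
# lets an ad network load scripts or frames from anywhere.
CHECKED_DIRECTIVES = ("script-src", "frame-src", "img-src", "style-src")


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:  # skip empty segments such as a trailing ';'
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Resolve a fetch directive via its CSP fallback chain (frame-src -> child-src -> default-src)."""
    chain = [directive]
    if directive == "frame-src":
        chain.append("child-src")
    chain.append("default-src")
    for name in chain:
        if name in policy:
            return policy[name]
    return []


def audit_csp(header):
    """Return a list of human-readable findings; an empty list means no issue found."""
    policy = parse_csp(header)
    findings = []
    for directive in CHECKED_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if not sources:
            findings.append(f"{directive}: unrestricted (neither it nor default-src is set)")
        if "*" in sources:
            findings.append(f"{directive}: wildcard '*' allows any origin")
        if directive == "script-src" and "'unsafe-inline'" in sources:
            findings.append("script-src: 'unsafe-inline' permits injected inline scripts")
        if any(src.startswith("http:") for src in sources):
            findings.append(f"{directive}: plaintext http: source allowed")
    if "upgrade-insecure-requests" not in policy:
        findings.append("upgrade-insecure-requests missing: mixed-content requests stay on HTTP")
    return findings
```

Running `audit_csp` on the weak policy yields six findings, while the hardened policy yields none.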
#3. Installing Software Updates
To help reduce the risk of malvertising attacks, make sure you install new software updates as soon as they become available. Luckily for you, our Heimdal™ Patch and Asset Management solution allows you to mitigate exploits, achieve compliance, and solve vulnerabilities effortlessly.
To take your enterprise security to the next level, we recommend covering other areas of your cybersecurity infrastructure as well, such as Privileged Access Management (PAM), DNS security, a reliable Next-Gen Antivirus with Firewall Integration, and advanced email security. We have all of these and more, unified in a single intelligent dashboard, as part of our market-leading EPDR suite.
- Next-gen Antivirus & Firewall which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Privileged Access Management and Application Control, all in one unified dashboard.
Software updates allow you to install necessary revisions to the software or OS, including adding new features, removing outdated ones, updating drivers, delivering bug fixes, and most importantly, fixing security holes that have been discovered.
#4. Constantly Educating Yourself
I’m just going to say it – the majority of zero-day attacks capitalize on human error. It’s a fact. Thus, user education is indispensable in preventing such exploits. You should always keep yourself up to date with good security habits, tips, and best practices that will help keep you safe online and protect your organization from zero-day vulnerabilities and other digital threats.
Over the last 90 days, ScamClub has delivered over 50MM malicious impressions, maintaining a low baseline of activity augmented by frequent manic bursts — with as many as 16MM impacted ads being served in a single day, Stein reports.
How well do you keep your information protected from the security risks associated with zero-day exploits? Even without the new malvertising campaign by the ScamClub group, unpatched software is dangerous, as it can hide zero-day vulnerabilities.
With the right cybersecurity knowledge and proper practices, as well as a reliable suite of solutions, staying safe from these vulnerabilities will come easy. As always, Heimdal™ Security can help you with the latter. If you want to know more about which of our company products are best suited for your needs, don’t hesitate to contact us at sales.inquiries@heimdalsecurity.com.