Malvertising Bypasses Security with Straight to Browser Attacks

Malvertising has recently made headlines thanks in part to a large Easter attack by the eGobbler gang that struck in early April and primarily targeted the U.S. and Europe. The eGobbler gang has a history of launching campaigns just before major holidays. Their Easter malvertising attack exploited a then-unpatched pop-up blocker bypass in Google Chrome for iOS, which let the threat actors reach iPhone and iPad users, devices that most people assumed were safe from this kind of attack. Nearly half a billion iOS user sessions were exposed to the hijacking redirects, and it has been reported that Safari users may also be affected, so the exposure may be larger still.

The Easter malvertising attack comprises up to eight separate campaigns using some 30 different pop-up creatives, each running for a couple of days. It starts with a pop-up ad that subverts the browser's pop-up blocker, escapes the iframe sandboxing ad networks rely on, and detaches itself from the iframe that delivered it. The pop-ups appear on legitimate sites, imitate a recognizable brand, and are hard to dismiss. This pressures the user into clicking, which sends them to a phishing site that harvests credit card numbers, credentials, or other sensitive data to be sold on the dark web or used directly for fraud.
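The paragraph above says the creative escaped the iframe sandboxing ad networks rely on. The page does not describe the Chrome for iOS bug itself, and the example below does not reproduce it; it is an added hygiene check, not SlashNext's or eGobbler's code, that audits the `sandbox` attribute on the ad iframes in a page fragment and flags the tokens (and token combinations) that let a framed creative open pop-ups, navigate the top window, or strip its own sandbox. The sample HTML, the `ads.example` URLs and the slot ids are constructed for the example.

```javascript
// Added example: audit the sandbox attribute of ad iframes in an HTML fragment.
// Tag extraction is regex-based so it runs in Node without a DOM; it is meant
// for auditing your own ad tags, not for parsing arbitrary hostile markup.

// Sandbox tokens that let a framed document reach outside its frame
// (standard HTML sandbox flags; this list is the example's own choice).
const ESCAPE_TOKENS = new Set([
  'allow-popups',
  'allow-popups-to-escape-sandbox',
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-modals',
]);

// Pull each <iframe ...> start tag out of the HTML and return its attributes
// as a plain object with lower-cased names.
function extractIframes(html) {
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const frames = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      // Quoted or bare value; a value-less attribute becomes the empty string.
      attrs[attr[1].toLowerCase()] = attr[2] ?? attr[3] ?? attr[4] ?? '';
    }
    frames.push(attrs);
  }
  return frames;
}

// Classify one frame: no sandbox at all, escape-capable tokens, or the
// allow-scripts + allow-same-origin pair that lets a same-origin frame
// remove its own sandbox attribute.
function auditSandbox(attrs) {
  const findings = [];
  if (!('sandbox' in attrs)) {
    findings.push('no sandbox attribute: frame is unrestricted');
    return { src: attrs.src || '', tokens: null, findings };
  }
  const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  for (const t of tokens) {
    if (ESCAPE_TOKENS.has(t)) findings.push(`${t}: frame can reach outside itself`);
  }
  if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: a same-origin frame can remove its own sandbox');
  }
  return { src: attrs.src || '', tokens, findings };
}

// Audit every iframe in the fragment; an empty findings array means the frame
// is confined to scripts only (or less).
function auditPage(html) {
  return extractIframes(html).map(auditSandbox);
}

// Constructed sample: four ad slots with progressively weaker sandboxing.
const SAMPLE_HTML = `
<div id="ad-slot-1"><iframe src="https://ads.example/creative1" sandbox="allow-scripts allow-popups allow-top-navigation"></iframe></div>
<div id="ad-slot-2"><iframe src="https://ads.example/creative2" sandbox="allow-scripts"></iframe></div>
<div id="ad-slot-3"><iframe src="https://ads.example/creative3"></iframe></div>
<div id="ad-slot-4"><iframe src='https://ads.example/creative4' sandbox="allow-scripts allow-same-origin"></iframe></div>
`;

for (const frame of auditPage(SAMPLE_HTML)) {
  console.log(frame.src, frame.findings.length ? frame.findings : 'ok');
}
```

Only slot 2 passes: the creative may run script but cannot open windows, navigate the top frame, or shed its sandbox. Keep in mind that the eGobbler payload still broke out of a sandboxed frame through a browser bug, so a clean audit confines well-behaved ads and limits blast radius; it does not substitute for patching the browser or for blocking the phishing landing page itself.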

So how do you protect your employees from these attacks?

That is the question security teams are now scrambling to answer. The Easter attack demonstrates that organizations cannot stop every ad from being served to their employees. Traditional anti-phishing solutions focus primarily on email as the delivery mechanism, which leaves the malvertising vector poorly defended. The iframe sandbox attribute proved ineffective against the eGobbler creative, and while threat intelligence feeds can help, they are usually too slow to block a campaign that rotates creatives every few days. What is effective is preventing users from ever reaching the phishing site these pop-ups are designed to deliver them to. With our Real-Time Phishing Threat Intelligence and Targeted Phishing Defense products powered by SEER™ threat detection technology, we prevent the real damage from happening.

SEER (Session Emulation and Environment Reconnaissance) runs virtual browsers in a purpose-built cloud to dynamically inspect page contents and server behavior using computer vision, OCR, NLP, and active site behavioral analysis. Machine learning turns those signals into definitive verdicts, malicious or benign, with high accuracy and near-zero false positives, detecting tens of thousands of new phishing URLs per day.

By stopping the straight-to-browser attack short of its goal, delivering the victim to a phishing page, the malvertising campaign fails to accomplish its intended purpose. The ads, while sophisticated enough to bypass traditional security controls, become a mere nuisance once the landing page is blocked.

SEER threat detection technology enables our Real-Time Phishing Threat Intelligence and Targeted Phishing Defense products to detect all six major categories of phishing and social engineering threats, including:

Start a free 15-day trial of Real-Time Phishing Threat Intelligence or contact us for a demo of our Targeted Phishing Defense to see how you can protect your organization from straight-to-browser malvertising attacks.
