Posted on November 27, 2018 at 4:29 PM
According to the newest reports, a new malware campaign is targeting iOS devices in the US via the high-profile platform. So far, the campaign successfully infected around 300 million web sessions, researchers claim.
It is believed that the group responsible for the sessions hijacking calls itself ScamClub and that most of the hijacking was done within 48 hours. After hijacking them, the group redirected users to gift card and adult scams. This was done by employing a hijacking tactic known as malvertising, which uses online ads for spreading malicious code.
While there are various codes that can be spread this way, ScamClub used one that hijacks the browsing session and takes it away from legitimate sites. Instead of showing the website that the user wanted to see, they are redirected to an entire chain of temporary sites. Finally, they end up on a website that offers a gift card scam or displays adult content.
While campaigns such as this one are nothing new and have been present for years, none of them ever grew to a scale of this size. Jerome Dangu, a CTO and co-founder of Confiant, a known cyber-security company, commented by saying that the real spike in telemetry was first noticed on November 12. The firm attempted to investigate, which led to the discovery of ScamClub, as well as the fact that they were active at least since August 2018.
The November spike happened due to the fact that ScamClub managed to access a large ad exchange. Prior to this, they usually targeted low-reputation networks that were barely visible on premium websites. In only 48 hours after the spike was noticed, around 57% of Confiant’s customers were affected. It was immediately clear that the campaign has a much larger reach than before.
Dangu added that malicious ads looked very much like regular Android apps. However, in reality, they hijacked iOS devices based in the US, and have redirected them to other websites designed for stealing personal and financial data.
Confiant managed to block nearly 5 million of 300 million redirects. In addition, the company reported that 96% of those affected are iOS users, while 99.5% of them are based in the US. On Tuesday, November 13, the ad exchange removed infected ads, but the damage was done, and ScamClub continued its operations. However, Dangu also reported that the visibility of infected ads is down to the minimum now that the big ones were removed.
According to Dangu, the group was named ScamClub because of domains used as landing pages — hipstarclub[.]com and luckstarclub[.]com. These are the same ones that offer scam and adult content, and Confiant has found them to be quite persistent. So far, the group managed to evade efforts to stop their campaign, and they became good at using different redirection chains.
One of the most impressive aspects of the scam is that ScamClub managed to remain active for so long with only 2 domains employed. The domains were not reported as malicious for a long time, which has caused Dangu to express dissatisfaction with security vendors.
It supposedly took weeks before the domains were blacklisted on Google, while numerous security vendors still haven’t flagged them as malicious. This is especially surprising considering the fact that the campaign has already been going on for around three months, Dangu explained that this is likely due to the fact that ScamClub uses code that can make a difference between the loading of a website in a virtual environment and loading of a website on a real device.
That way, the code would not be executed during tests, but as soon as an iOS device arrives, it takes it to one of the two domains. It is also believed that the group is targeting only mobile iOS devices due to numerous ad-blocks that desktop browsers are using these days. A simple ad-block tool would make a campaign such as this completely powerless, and so ScamClub had to limit itself to mobile devices alone. While there are ad blocks for iOS and Android, most users do not install them on their devices as they do not feel the need to do so.