D-Shortiez Exploits WebKit Vulnerability to Trap Safari Users in Malvertising Scheme
In a sophisticated malvertising campaign, the threat actor known as D-Shortiez has been exploiting a specific behavior in Apple’s WebKit browser engine to ensnare iOS Safari users on fraudulent websites, effectively preventing them from navigating away. This campaign represents a significant evolution in forced redirect attacks, combining traditional malvertising techniques with advanced browser manipulation to enhance persistence and effectiveness.
Understanding Forced Redirect Attacks
Forced redirect attacks have long been a staple in the arsenal of cybercriminals, involving the automatic redirection of users from legitimate websites to malicious ones without their consent. These attacks are typically executed through compromised advertisements or scripts embedded in web pages. While such tactics have faced increasing resistance due to improved security measures by advertising platforms and browser developers, threat actors like D-Shortiez continue to adapt, seeking out technical nuances to maintain the efficacy of their campaigns.
The D-Shortiez Campaign: A Technical Deep Dive
Confiant analysts have identified D-Shortiez as a group actively engaged in forced redirect campaigns that lead victims through malicious click-chains, ultimately landing them on scam pages. A detailed examination of the group’s payload revealed standard fingerprinting and tracking functions, which are common in such attacks. However, the redirect mechanism employed by D-Shortiez stands out due to its complexity and effectiveness.
The payload utilizes a nested try/catch block to initiate multiple redirect attempts simultaneously. This approach is designed to account for the varying responses of different browsers to redirect calls, thereby maximizing the likelihood of a successful redirection. Over the past six months, D-Shortiez has served more than 300 million malicious ad impressions, with a primary focus on U.S. audiences, extending into Canada and parts of Europe. The campaign has exhibited a pattern of aggressive bursts of high-volume delivery followed by brief pauses, indicating a strategic effort to manage its footprint and evade detection.
Exploiting the WebKit Back-Button Behavior
The most technically distinctive aspect of this campaign is how D-Shortiez exploits the WebKit browser engine’s handling of the `popstate` event to trap users on scam pages. The payload calls `window.top.history.pushState()` to push a fake entry onto the browser’s session history stack. An `onpopstate` event handler is then bound to `window.top`; it intercepts any back-button press and redirects the user back to the scam URL with a `back` parameter appended, instead of returning them to the legitimate page they previously visited.
When tested across major browsers, this payload exhibited no unusual behavior in most environments. However, Safari on iOS was an exception. In this environment, the script functioned as the attacker intended, effectively disabling the back button and trapping users on the scam pages without a straightforward means of escape. This technique mirrors older browser-trapping methods but achieves the effect more subtly and reliably by leveraging specific behaviors of the WebKit engine.
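One way an ad-quality or security team could flag creatives that combine the ingredients described above before they are served, as an added example that is not part of Confiant's report or the D-Shortiez payload; the indicator names, weights and the two sample scripts are constructed for illustration:

```javascript
// Added example, not code from Confiant or the D-Shortiez payload: a static
// heuristic that flags ad creatives combining the ingredients of the
// back-button trap (fake history entry on window.top, popstate hook on
// window.top, navigation inside the handler, "back" query parameter).
// Indicator names, weights and sample scripts below are constructed.

// Collapse bracket member access such as window['top']['history'] into dotted
// form so the indicators below also match lightly obfuscated creatives.
function normalize(source) {
  return source.replace(/\[\s*(['"])([A-Za-z_$][\w$]*)\1\s*\]/g, '.$2');
}

const INDICATORS = [
  { name: 'top-history-push',
    re: /\b(?:window\.)?top\.history\.(?:push|replace)State\s*\(/, weight: 2 },
  { name: 'top-popstate-hook',
    re: /\b(?:window\.)?top\.(?:onpopstate\s*=(?!=)|addEventListener\s*\(\s*['"]popstate['"])/, weight: 2 },
  { name: 'navigation-assignment',
    re: /\b(?:window\.|top\.)?location(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(/, weight: 1 },
  { name: 'back-parameter', re: /[?&]back=/, weight: 1 },
];

// Returns the matched indicator names, a weighted score, and a verdict that
// requires both the fake history entry and the popstate hook on window.top;
// History API use on a frame's own window is routine in single-page apps and
// is deliberately not flagged on its own.
function scanCreative(source) {
  const text = normalize(source);
  const matched = INDICATORS.filter((i) => i.re.test(text));
  const hits = matched.map((i) => i.name);
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  const suspicious = hits.includes('top-history-push') && hits.includes('top-popstate-hook');
  return { hits, score, suspicious };
}

// Constructed samples: a creative with the trap's hallmarks (bracket access
// included) and a benign one that uses the History API within its own frame.
const SAMPLE_TRAP = [
  "var u = location.href;",
  "window['top']['history'].pushState({}, '', u);",
  "window.top.onpopstate = function () { window.top.location.href = u + '&back=1'; };",
].join('\n');
const SAMPLE_BENIGN =
  "history.pushState({ page: 2 }, '', '?page=2'); window.onpopstate = function (e) { render(e.state); };";

console.log(scanCreative(SAMPLE_TRAP));   // suspicious: true, score 6
console.log(scanCreative(SAMPLE_BENIGN)); // suspicious: false, score 0
```

A pre-serve scanner would feed every creative's script through `scanCreative` and hold back anything with `suspicious` set, keeping the lower-weight indicators as supporting evidence for manual review.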
Mitigation and User Recommendations
The vulnerability exploited by D-Shortiez was disclosed to Apple on September 29, and a security update was issued on January 23, identified as HT213600. Users who have not yet applied this update remain vulnerable to the back-button hijack technique employed in this campaign.
To protect against such threats, users are advised to:
– Update Devices Promptly: Ensure that all iOS and Safari updates are applied as soon as they become available to mitigate known vulnerabilities.
– Exercise Caution with Advertisements: Be wary of clicking on advertisements, especially those that seem suspicious or too good to be true.
– Use Security Software: Employ reputable security software that can detect and block malicious redirects and other forms of malvertising.
– Stay Informed: Keep abreast of the latest cybersecurity threats and best practices to enhance personal and organizational security postures.
By understanding the tactics employed by threat actors like D-Shortiez and taking proactive measures, users can significantly reduce the risk of falling victim to such sophisticated malvertising campaigns.