“ScamClub” gang outed for exploiting iPhone browser bug to spew ads

Digital ad company Confiant, which claims to “improve the digital marketing experience” for online advertisers by knowing about and getting rid of malicious and unwanted ads, has just published an analysis of a malvertising group it calls ScamClub.

According to Confiant, this group is behind a massive number of those annoying and scammy popup campaigns you will almost certainly have seen, where you visit an apparently honest web page and then get pestered with online surveys.

We’ve warned our readers many times about the risks of online surveys – even ones that don’t obviously or explicitly lead to attempted malware infections.

At best, you will often end up giving away a surprising amount of personal data, typically in return for a minuscule chance of winning a free product (fancy phones, high-value gift cards and games consoles are typically used as lures).

Or you may end up on the wrong end of a “survey-and-offer ladder”, where you have to “take advantage” of ever-more expensive offers to qualify for a prize, which means making numerous purchases along the way – and therefore giving out your credit card data over and over again.

In one example we analysed, by sharing personal data right now, you would “win” the “advantage” of making at least 10 more purchases within 20 days, in categories called Silver, Gold and Platinum, to qualify for a prize worth as little as £100.

We couldn’t even see what those Gold or Platinum purchases might be up front, but with eight Platinums to buy, and a typical Silver purchase (needed to “get on the ladder” in the first place) running at about £2.50, we’re guessing that we’d have spent a lot more than the value of the prize that we might eventually have qualified for but still not actually won…

…and if we bailed out at any point, or were subsequently found to have provided information at any stage that was deemed “inaccurate”, we’d have been disqualified anyway.

Scamming by exploit

According to Confiant, the ScamClub crew took things to an even more aggressive level by actively targeting a bug in Apple’s WebKit browser engine, the compulsory software core that every browser on your iPhone, including Safari, is required to use.

(Browsers not based on WebKit aren’t permitted in the App Store, even if those browsers are based on other web rendering engines on other platforms.)

The bug, dubbed CVE-2021-1801, was patched by Apple in recent updates to iOS and iPadOS (version 14.4) and macOS (Big Sur version 11.2 and Security Update 2021-001 for Catalina and Mojave).

Confiant says that the vulnerability, although nowhere near serious enough to allow remote code execution or any kind of major privilege escalation such as exfiltrating data belonging to other apps, nevertheless gave these rogue advertisers a chance to evade security restrictions that the WebKit sandbox was supposed to enforce.

The sandbox restrictions were supposed to prevent Apple users from being pestered by this ad group’s web redirects, but the vulnerability, it seems, allowed the ScamClub to fetch and present dubious ad content from third-party servers that should have been blocked, and that you wouldn’t have approved if you’d explicitly been asked.

Deliberately exploiting a vulnerability to achieve a cybersecurity bypass that you jolly well knew wasn’t supposed to happen, even if you don’t use it to commit subsequent crimes such as implanting malware but simply for your own convenience, is against the law in many jurisdictions.

Google, for example, found that out nearly 10 years ago when it was hit with a multimillion dollar fine for using a security bypass trick against Apple users to set browser cookies that Safari would otherwise have blocked.

What to do?

• Get those Apple updates if you haven’t done so already. If you’re an iOS 13 user, please note that the latest security update for iOS 13 is iOS 14.4. There is no separate, supported channel for iOS 13 updates as there is with iOS 12. (Don’t shout at us. We’re just the messengers.)
• Watch out for online surveys, no matter how harmless they seem. You will often give away a pile of personal data only to find that you need to give away even more, including making online credit card purchases through websites you wouldn’t normally trust, to stay “on track” for your “prize”. Even if you bail out half way through, you can’t recall any of the data you have already handed over. Watch the video below for excellent advice.
• Know your privacy limits, and stick to them. If you have friends or family who are in the habit of filling in surveys because they think they’re mostly harmless, show them this article.
• Don’t use tricks or subterfuge in your own online marketing. It’s not just consumers and potential customers whom you may anger – the regulators in your part of the world may be losing their patience with overly aggressive marketing tricks, too.