More Malvertising Attacks Vs iOS Devices, Due to Limited Adblocking Options

Apple’s iOS platform has been touted as a better mobile OS than Android in the standpoint of security. However, contrary to the loyal followers of Apple, their hardware and their ecosystem, it is not impenetrable and not immune from security issues. ScamClub is a notorious group of hackers that are connected with adult content sites and malicious contents with the goal of hijacking user’s web sessions.

The group is in the news feeds again, as they were responsible for hijacking 300 million+ browser sessions in just 48 hours starting Nov 12, 2018, which enables them to feed the users with adult content and other scamming-related web redirects. These generated adverts harm the user while ScamClub earns money through its views.

Redirection websites are at best annoying as the users are forwarded to the sites they don’t intend to visit while showing adverts that generate income for the threat actors. A chain of redirects can be used, which almost always have an adult site or scam site as the final destination in the chain.

“On November 12 we’ve seen a huge spike in our telemetry. The difference is the volume. One of the reasons for the November 12 spike is that they were able to access a very large ad exchange. Previously they only had access to lower reputation ad networks which limited their visibility on premium websites,” explained Jerome Dangu, CTO of Confiant.

Confiant is a business consulting firm which was heavily affected on November 12, 2018, redirect attacks, as more than majority of their customers (57%) during the mysterious 48-hour window. They were redirected to spam or scam websites, with the iOS-device using customers being the most common users who reported the issue, all of them are US-based.

“We call them ScamClub due to the landing page domains they use (hipstarclub[.]com and luckstarclub[.]com). The landing page domains (hosting scams or adult content) have been very persistent. This group is really good at evading and they use multiple fast-changing redirection chains, but eventually always lead to one of those ‘starclub’ domains. It’s significant that such a high scale operation is able to persist with just 2 domains over such a long period of time,” said Dangu.

The ‘malvertising’, as they commonly referred to continue until November 13, most of the adverts have been taken down by some ad companies. This didn’t deter the ScamClub group, and they continued to target mostly their iOS-device using visitors.

“We’ve continued to see activity, to the scale of 300k hits per day, so the attacker is still active but back to its usual lower visibility ad networks. We expect they’ll continue to be active for the foreseeable future,” added Jerome Dangu.

The key to heavy focus against the iOS device was due to being a very vulnerable platform. A sizable number of Desktop OS users have been using ad blockers for decades, while Android browsers have ways to block adverts by using local-VPN hostname redirection app or ad blocking extensions for some browsers like Mobile Firefox. In iOS, with the way the architecture was developed by Apple, ad blocking is not a common action to take for a regular user.