Threat Watch

ScamClub Malvertising Leveraged Zero-Day Vulnerability in Browsers

Originally reported by BleepingComputer, the malvertising group ScamClub exploited a zero-day vulnerability in the WebKit browser engine to distribute payloads that redirected users to gift card scams through malicious iframes. WebKit is used by Chrome and Safari browsers, and a patch removing this vulnerability has been available since December 2, 2020. The vulnerability was assigned the identifier CVE-2021-1801. In a research report originally published by Confiant, researcher and security engineer Eliya Stein found that the ScamClub malvertising relied on bypassing WebKit's iframe sandboxing through a previously undiscovered vulnerability.

ANALYST NOTES

As originally discussed in the Confiant writeup, this vulnerability requires no user interaction to trigger the iframe redirection URL. Because of this, Binary Defense recommends educating users on common scams, such as gift card scams. Additionally, Binary Defense recommends the use of a 24/7 SOC monitoring solution, whether that is an internal team or a managed security service provider such as Binary Defense’s own Security Operations Task Force.

More information can be found at the BleepingComputer article: https://www.bleepingcomputer.com/news/security/malvertisers-exploited-browser-zero-day-to-redirect-users-to-scams/

Confiant blog: https://blog.confiant.com/malvertiser-scamclub-bypasses-iframe-sandboxing-with-postmessage-shenanigans-cve-2021-1801-1c998378bfba