iPhone users who visited certain publishing websites that were compromised by a malvertising campaign may have gotten an unwelcome visit from the holiday Krampus.
No, not the mythical monster that punishes naughty children around Christmastime. In this case, we're referring to Krampus-3PC, a new mobile malware that seeks out victims' device and session cookie information and in some cases redirects users to a malicious pop-up designed to phish sensitive data from them.
The Media Trust's Digital Security & Operations (DSO) team last October first detected Krampus-3PC redirecting iPhone users who visited certain online publishing websites. Since that time, more than 100 such sites – many of them U.K.-based newspapers and international weekly news magazines – have been compromised via malicious ads that were distributed via an unknowing accomplice: the adtech provider Adtechstack.
Site visitors who viewed these ads were silently attacked, without any user action necessary. Once the ad’s creative tag was loaded, the Krampus-3PC malware would gather device and user session data and perform a series of checks to determine if the victim fit the attackers' profile for malicious redirection, The Media Trust explained in a company blog post this week.
First, the malware checked if the ad was both hosted by Adtechstack and running on a targeted website. If so, then it injected a script that performed a second check to ensure the user device was an iPhone.
Devices that did not pass any of checks were not redirected. But if a device met all of the attackers' parameters, then Krampus-3PB would execute a payload URL and send gathered user data to a command-and-control server. Exfiltrated data would include phone numbers, which were used later to send phishing texts, and cookie IDs, which would allow the attackers to hijack the browser and even gain access to any online accounts that the victim had open on the device (for instance, accounts registered with retailers and banks).
Using the cookie ID information, the payload URL would hijack the victim's browser, redirecting users to a phishing pop-up in the form of fraudulent promotional offer. One such offer promised a £200 gift card if the user completed an online deal, while another was a free gift giveaway that required the user to answer three questions and fill out contact details. If the original redirection technique failed, the malware had a back-up plan in place: opening up the malicious URL into a new tab.
The Media Trust noted that Krampus-3PC's use of obfuscation techniques is markedly similar to another browser-hijacking malware called Ghostcat-3PC, which the had reported on earlier this year.