The Apple-developed WebKit browser engine powers the Safari browser and a host of other web browsers, including Google Chrome, BlackBerry Browser, and the Amazon Kindle browser.
According to Confiant, the first attack was recorded in June 2020 and leveraged a bug that allowed malicious third parties to bypass iframe sandboxing in the WebKit browser engine and run malicious code.
How Malvertisers Exploited a WebKit Zero-Day to Redirect Browser Users to Scam Sites
The bug, tracked as CVE-2021-1801, could allow malicious third parties to bypass the iframe sandboxing policy in the WebKit browser engine that powers Apple Safari and Google Chrome for iOS, and so run malicious code.
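The attack hinged on a bug in WebKit's enforcement of the iframe sandbox attribute; the engine fix is Apple's to ship, but a publisher can still verify that its own ad slots never grant top-level navigation in the first place. The audit script below is an added example, not code from the article or from Confiant; the ad-slot markup and hostnames in it are constructed, and the sandbox keywords are the standard HTML ones.

```javascript
// Sandbox tokens that let a framed creative navigate the top-level page.
const TOP_NAV_TOKENS = new Set([
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// Parse the sandbox attribute of one <iframe ...> tag.
// Returns a Set of tokens, or null when the attribute is absent (frame not sandboxed).
function parseSandbox(tag) {
  const m = tag.match(
    /\ssandbox(?=[\s=>\/])(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i
  );
  if (!m) return null;
  const value = m[1] || m[2] || m[3] || "";
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Classify one iframe tag. Each finding is a string an ad-ops reviewer can act on.
function auditIframe(tag) {
  const tokens = parseSandbox(tag);
  const findings = [];
  if (tokens === null) {
    findings.push("no sandbox attribute: creative can navigate the top page");
    return findings;
  }
  for (const t of tokens) {
    if (TOP_NAV_TOKENS.has(t)) findings.push(`grants ${t}`);
  }
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin lets the frame remove its own sandbox");
  }
  return findings;
}

// Scan a whole HTML document; returns [{tag, findings}] for every frame with findings.
function auditHtml(html) {
  const results = [];
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const findings = auditIframe(m[0]);
    if (findings.length) results.push({ tag: m[0], findings });
  }
  return results;
}

// Constructed sample publisher page with four ad slots (hostname is made up).
const SAMPLE_HTML = `
<iframe id="slot1" src="https://ads.example/c1" sandbox="allow-scripts"></iframe>
<iframe id="slot2" src="https://ads.example/c2" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe id="slot3" src="https://ads.example/c3"></iframe>
<iframe id="slot4" src="https://ads.example/c4" sandbox="allow-scripts allow-same-origin"></iframe>
`;

console.log(JSON.stringify(auditHtml(SAMPLE_HTML), null, 2));
```

Only slot1 passes: a sandbox restricted to `allow-scripts` is exactly the configuration the patched engine is supposed to honour, and the other three would let a creative redirect the reader regardless of any engine bug.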
Over the past 90 days, ScamClub has successfully delivered over 50MM malicious impressions, maintaining a low baseline of activity augmented by frequent manic bursts, with as many as 16MM impacted ads being served in a single day, according to Confiant.
ScamClub malvertisements are defined mainly by forced redirections to scam sites that offer prizes to “lucky” users, such as the all-too-ubiquitous “You’ve won a Walmart gift card!” or “You’ve won an iPhone!” pages.
Why Google SafeBrowsing and Other Browser-Based Security Isn't Enough
Google SafeBrowsing was late in flagging the landing pages as malicious, as the domain used in the scheme had been flying under the radar and was not being detected by Google SafeBrowsing.
However, Apple has since issued a patch for WebKit with improved iframe sandbox enforcement as part of the latest security updates released for iOS 14.4 and macOS Big Sur, thus addressing the issue.