# Malvertiser “ScamClub” Bypasses Iframe Sandboxing With postMessage() Shenanigans [CVE-2021–1801]

**blog.confiant.com/malvertiser-scamclub-bypasses-iframe-sandboxing-with-postmessage-shenanigans-cve-2021-1801-**
1c998378bfba

Eliya Stein February 16, 2021

[Eliya Stein](https://medium.com/@eliyastein?source=post_page-----1c998378bfba--------------------------------)
[Follow](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fsubscribe%2Fuser%2F2c3f3d52c6be&operation=register&redirect=https%3A%2F%2Fblog.confiant.com%2Fmalvertiser-scamclub-bypasses-iframe-sandboxing-with-postmessage-shenanigans-cve-2021-1801-1c998378bfba&user=Eliya+Stein&userId=2c3f3d52c6be&source=post_page-2c3f3d52c6be----1c998378bfba---------------------follow_byline-----------)
Feb 16, 2021


5 min read

Stock Photo Via Unsplash.com
This blog post is about the mechanics of a long tail iframe sandbox bypass found in a
payload belonging to the persistent malvertising attacker that we call ScamClub.

## A Word About ScamClub


-----

Active for at least several years now, ScamClub malvertisements are defined mainly by
forced redirections to scams that offer prizes to “lucky” users, like the all too ubiquitous
“You’ve won a Walmart giftcard!” or “You’ve won an iPhone!” landing pages.

For example:


-----

-----

-----

-----

ScamClub campaigns have been covered by us in depth over the years, but a great
reference if you need a refresher is this post from 2018:

## Malvertising Attack Hijacks 300 Million Sessions Over 48 Hours

### Nov 12th Malvertising Attack Serves Adult Content and Gift Card Scams

blog.confiant.com

On the tactics side, this attacker historically favors what we refer to as a “bombardment”
strategy. Instead of trying to fly under the radar, they flood the ad tech ecosystem with tons of
horrendous demand well aware that the majority of it will be blocked by some kind of
gatekeeping, but they do this at incredibly high volumes in the hopes that the small
percentage that slips through will do significant damage.

## The Payload


-----

A typical ScamClub payload has a few layers to it, starting with an ad tag that loads a
malicious CDN hosted dependency . This of course is usually obfuscated in absurd ways in
attempt to evade url blocklists.

Here’s a recent example:

As the payload unfurls to pull in additional layers, we are met with a mess of obfuscated
nonsense that usually expands to thousands of lines of code — mostly decoy of course. A
full walkthrough of a ScamClub payload is beyond the scope of this blog post, but rather we
will focus on four lines of code that piqued our curiosity.

Here they are recreated:
```
function receiveMessage(event) {             top.location.href =
"http://[malicious giftcard scam]";        
}window.addEventListener("message", receiveMessage);

```
The thing is, it’s very normal for malvertisers to spray a bunch of redirect attempts in a single
payload that try to do the redirect in different ways. It’s not uncommon to see a multilayered
try catch statement try multiple top level redirects, pop-ups, etc.

The reason some attackers chose to do this is because they have partial control at best
when it comes to what device or platform the payload is running on, and they want to
maximize their monetization opportunity as best they can.

For example, one browser version might block redirect attempts from cross-origin frames,
while the prior version lets them through, so they try all of the things including known
bypasses that might have since been patched.

However, none of this explains the event listener… or does it?

We investigate by eliminating the noise and stage a simple html file that implements a crossorigin sandboxed frame and a button that dispatches our event. (payload.html is our event
listener).
```
<iframe src="" id='targ' sandbox="allow-forms allow-pointer-lock allow-popups-toescape-sandbox allow-popups allow-same-origin allow-scripts allow-top-navigation-byuser-activation"></iframe>
<script> 
 function do_it(){    var wn = document.getElementsByTagName('iframe')
[0].contentWindow;         wn.postMessage('Hello!', '*');  }do_it();
</script><input id="clickMe" type="button" value="clickme" onclick="do_it();" />

```
The `allow-top-navigation-by-user-activation` sandbox attribute, which is often lauded as one
of the most vital tools in an anti-malvertising strategy should in theory prevent any redirection
unless a proper activation takes place. Activation in this context typically means a tap or a


-----

click inside the frame.

This means our proof of concept shouldn’t work under any circumstances. The clickMe
button is outside of the sandboxed frame after all. However, if it does redirect, that means we
have a browser security bug on our hands, which turned out to be the case when tested on
WebKit based browsers, namely Safari on desktop and iOS.

## The Long Tail

If you’re following along, this is probably where you might shrug your shoulders and say “But
so what? It’s not like these guys can place a clickable message dispatcher on the publisher
site outside of their ad frame!”

This is true, but that doesn’t mean the ScamClub event listener is a complete shot in the
dark. In modern web applications, messages are flying around all the time, usually with
wildcard destinations, often on user interaction.

Combined with ScamClub’s large volumes and broad targeting that hits dozens of different
websites, it’s all about the increased efficacy of spawning a successful redirect — even if
we’re talking about a single digit percentage increase, that can mean tens of thousands of
impacted impressions over the duration of a single campaign.

ScamClub was busy in January 2021

Over the last 90 days, ScamClub has delivered over 50MM malicious impressions,
maintaining a low baseline of activity augmented by frequent manic bursts — with as
many as 16MM impacted ads being served in a single day


-----

## Disclosure Timeline

June 22, 2020 — Confiant Security Team observes event listeners in ScamClub redirect
payload.

June 23, 2020 — Bug report submitted to Apple Security. Google Chrome team also notified
(Chrome on iOS uses WebKit).

[Dec 2, 2020 — Patched https://trac.webkit.org/changeset/270373/webkit](https://trac.webkit.org/changeset/270373/webkit)

Feb 1, 2021 — CVE assigned and published as part of Apple’s security update:
[https://support.apple.com/en-us/HT212147](https://support.apple.com/en-us/HT212147)

## IOCs

Recent IOCs are all available as STIX here:

[https://github.com/WeAreConfiant/security/blob/master/stix-feeds/scamclub.stix.json](https://github.com/WeAreConfiant/security/blob/master/stix-feeds/scamclub.stix.json)

S3 hosted JavaScript payloads:


-----

```
xmou.s3.us east 2.amazonaws.com/mou.jsimpve.s3.amazonaws.com/create.jsdgoi.s3.us
east-2.amazonaws.com/goi.jsyflx.s3.us-east-2.amazonaws.com/flx.jsmiil.s3.us-east2.amazonaws.com/iia.jsdjian.s3.amazonaws.com/jia.jsaimppv.s3.amazonaws.com/jiy.jsaylei
east2.amazonaws.com/pan.jsdkjieg.s3.amazonaws.com/jieg.jsadlya.s3.amazonaws.com/lya.jsyddo
east-2.amazonaws.com/xop.jsaqkol.s3.amazonaws.com/kol.jsimpvv.s3.us-east2.amazonaws.com/dsd.jsmqyuj.s3.amazonaws.com/yuj.jswpbgm.s3.amazonaws.com/bgm.jspzhufm
ap-southeast-1.amazonaws.com/lr.jskiyy.s3-ap-southeast1.amazonaws.com/ki.jsoummm.s3.amazonaws.com/ou.jsgsyyd.s3.amazonaws.com/gs.jsqqpm.s3.a
ap-southeast1.amazonaws.com/nx.jszpdk.s3.amazonaws.com/zp.jsmrptm.s3.amazonaws.com/mr.jsktzmy.s3ap-southeast-1.amazonaws.com/kt.jsnzdpy.s3-ap-southeast1.amazonaws.com/nz.jsvpydy.s3-ap-southeast-1.amazonaws.com/vp.j

```
Domains:
```
goodluckpig.spacegoodluckman.spacegoodluckguy.spacegoodluckdog.spaceluckytub.xyzluckyg

```

-----