A cybercriminal group known as D-Shortiez has been executing a persistent malvertising campaign by exploiting a WebKit browser behavior to trap iOS Safari users on fraudulent pages. This method leaves users with minimal options to exit these scam sites.
The Evolution of Forced Redirect Attacks
While forced redirect attacks have been part of online ad fraud for years, D-Shortiez’s approach distinguishes itself through a technical twist: a back-button hijack. This method strips users of their ability to return to previous pages after landing on malicious sites.
Historically, forced redirect campaigns have become less common as ad platforms and browser developers enhance their security measures. However, malvertisers continue to exploit minor technical loopholes to extend the lifespan and reach of their operations.
D-Shortiez’s Campaign Tactics
Analysts at Confiant have identified D-Shortiez as a group actively engaging in these forced redirect operations, which lead victims to familiar online scams. The campaign begins with routine fingerprinting and tracking processes, which do not initially raise alarms.
What caught researchers’ attention was the redirect mechanism, specifically a nested try/catch block in the script that manages forced redirection by triggering multiple redirect attempts at once. This tactic exploits differences in how browsers handle redirects to increase the chances of success.
Impact and Exploitation of the WebKit Popstate Event
Over the past six months, D-Shortiez has distributed over 300 million malicious ad impressions, primarily targeting audiences in the United States, with some reach into Canada and Europe. The campaign’s rhythm has been characterized by bursts of high-volume activity followed by short pauses, suggesting strategic management of their operations.
The most notable technical aspect is how D-Shortiez manipulates the browser’s popstate event to trap Safari users. By inserting a fake entry into the session history stack using window.top.history.pushState(), and catching back-button presses with an onpopstate event handler, the group effectively locks users into scam pages.
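The combination described above (a history.pushState() call, a popstate handler, and nested try/catch redirect attempts) is something an ad-ops or security team can screen creatives for before they are served. The following heuristic scanner is an added example written for this article, not Confiant's tooling or the campaign's code; the two fixtures are constructed, the pattern list is a string heuristic, and obfuscated creatives would need to be deobfuscated first.

```javascript
// Source-level indicators of a back-button hijack creative.
const PATTERNS = [
  { id: "history-pushState", re: /history\s*\.\s*pushState\s*\(/ },
  { id: "popstate-handler", re: /onpopstate\s*=|addEventListener\s*\(\s*["']popstate["']/ },
  { id: "location-redirect", re: /location(?:\.href)?\s*=[^=]|location\s*\.\s*(?:replace|assign)\s*\(/ },
];

// Deepest nesting of try statements. A try inside another try's catch block
// counts as nested, since the catch clause belongs to the same try statement.
function maxTryNesting(src) {
  let depth = 0, max = 0;
  const open = [];                    // brace depth of each enclosing try body
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (ch === "{") { depth++; continue; }
    if (ch === "}") {
      depth--;
      // keep the try statement open while a catch/finally clause follows
      if (!/^\s*(?:catch|finally)\b/.test(src.slice(i + 1))) {
        while (open.length && open[open.length - 1] > depth) open.pop();
      }
      continue;
    }
    if (ch === "t" && /^try\s*\{/.test(src.slice(i)) && !/\w/.test(src[i - 1] || "")) {
      open.push(depth + 1);
      max = Math.max(max, open.length);
    }
  }
  return max;
}

// Flags a creative only when the history trap AND a redirect path are both present,
// so a legitimate single-page-app router (pushState + popstate) is not flagged.
function scanCreative(src) {
  const findings = PATTERNS.filter((p) => p.re.test(src)).map((p) => p.id);
  const tryNesting = maxTryNesting(src);
  if (tryNesting >= 2) findings.push("nested-try-catch");
  const suspicious = findings.includes("history-pushState") &&
    findings.includes("popstate-handler") &&
    (findings.includes("location-redirect") || tryNesting >= 2);
  return { findings, tryNesting, suspicious };
}

// Constructed fixtures: a hijack-style creative and a benign client-side router.
const HIJACK_SAMPLE = `
  try { window.top.history.pushState({}, "", location.href); } catch (e) {}
  window.onpopstate = function () {
    try { window.top.location.href = u; } catch (e) {
      try { window.location.replace(u); } catch (e2) {}
    }
  };`;
const BENIGN_SAMPLE = `
  history.pushState({ page: 2 }, "", "/page/2");
  window.addEventListener("popstate", function (ev) { render(ev.state); });`;
```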
Security Measures and Recommendations
The vulnerability was reported to Apple on September 29, and a patch was released on January 23, identified as HT213600. Users who have not yet updated their Safari browsers remain vulnerable to this exploit.
iOS and Safari users are strongly advised to install the security update HT213600 immediately to protect against this back-button hijack. Additionally, security teams should audit and secure their ad supply chains and block known D-Shortiez domains at the DNS and network levels.