New iPhone Security Alert: ‘iPhone Only’ Krampus-3PC Malware Campaign Confirmed

This article originally appeared in Forbes on December 13, 2019.

iPhone users need to be alert to a new malware campaign that targets them, and only them

There is no doubt that when it comes to security, the iPhone is a pretty good choice of smartphone. That’s probably why so many infosecurity professionals, especially ethical hackers and security researchers, use one themselves. However, just because the iPhone runs a tight ship from the security perspective, that doesn’t mean its users are immune from attacks. Recent bugs that could allow an attacker to lock you out of your iPhone, vulnerabilities that could effectively brick the iPhone with a malicious iMessage, and even security exploits present on a brand new iPhone 11 all prove that. Sure, there’s no doubting that the iPhone is less prone to the kind of shocking Android malware attacks we are so used to reading about. This doesn’t mean that iPhone users can afford to get complacent, though. It has been thought for the longest time that threat actors were producing malware variants specifically coded for iOS. Now one totally iPhone-specific malware campaign has been spotted being actively exploited in the wild.

What is the Krampus-3PC malware campaign?

According to researchers from the Media Trust’s Digital Security and Operations team, the Krampus-3PC campaign targets iPhone users. And iPhone users alone. Suitably in time for the holiday season, hence the Krampus naming, the unique malware employed a whole raft of techniques to deliver the payload and avoid being picked up by conventional scanning and blocking technology. The Media Trust DSO report revealed that malvertising, also known as a badvert attack, was employed to distribute the Krampus-3PC malware. More than 100 popular publishing websites, including many online newspapers, are said to have inadvertently delivered up the malicious adverts from a legitimate advertising technology vendor.

What payload does Krampus-3PC drop onto iPhone users?

iPhone users browsing these sites and viewing these badverts would be attacked without any user interaction being required. As soon as the creative tag from the malicious advert was loaded, Krampus-3PC performed multiple checks to ensure the ad was being hosted and published according to its needs. It then injected a malicious script to trigger the second stage of checking, which confirmed whether the browsing device was an iPhone before executing the payload URL. Only iPhone users were served this payload, which redirected them to a malicious “reward” popup. If this failed, the persistence of Krampus-3PC took hold and triggered a secondary method of loading the payload URL into another browser tab. By hoovering up user session data, including the cookie ID, Krampus-3PC could hijack the browser.

“If the user had other sites like their bank or favorite online retailer open,” the Media Trust DSO report stated, then Krampus-3PC could “gain access to the user’s account.”

Mitigating the Krampus-3PC exploit risk

Although the Media Trust report chose not to name the advertising platform that served the Krampus-3PC badverts, nor the publications that unwittingly displayed them to their iPhone-owning readers, it is understood that the rogue advertiser has now been banned from that platform. However, that doesn’t mean that the Krampus-3PC threat will not be resurrected using a different platform to attack iPhone users. Indeed, given the levels of sophistication displayed here, I would be amazed if the criminal group behind it don’t look to leverage their investment again during the final stages of the holiday shopping season. It’s crucial, then, to stay on your guard, especially as far as clicking on popup offers is concerned. Follow industry best practice for avoiding phishing scams, and check out these 26 iPhone security tips from 12 experts.
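The two behaviours described above, a forced redirect or extra tab from an ad creative, and harvesting of the session cookie, are exactly what publisher-side controls are meant to contain. The following is an added example, not code from the Forbes article or from the Media Trust report, showing a small audit a publisher could run over its own ad-slot markup and its Set-Cookie headers: an ad iframe whose sandbox attribute omits the top-navigation and popup tokens cannot redirect the page or open a "reward" popup, and a session cookie marked HttpOnly, Secure and SameSite cannot be read by page script or sent on cross-site requests. The sandbox token names are the standard HTML ones; the sample markup and cookie strings are constructed for the demonstration, and the function names are my own.

```javascript
// Added example (not from the article or the Media Trust DSO report).
// Audits the two publisher-side controls that blunt Krampus-3PC-style
// behaviour: iframe sandboxing of ad creatives and session-cookie flags.

// Sandbox tokens that would let an ad frame navigate the top page or open a
// popup/tab, i.e. the capabilities a forced-redirect creative relies on.
// These are standard HTML sandbox token names.
const RISKY_SANDBOX_TOKENS = [
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
];

// Extract the sandbox attribute of the first <iframe> in a markup snippet.
// found=false: no iframe (the ad tag runs directly in the page);
// sandbox=null: iframe present but not sandboxed at all (fully trusted).
function parseIframeSandbox(markup) {
  const iframe = /<iframe\b([^>]*)>/i.exec(markup);
  if (!iframe) return { found: false, sandbox: null };
  const attr = /\bsandbox(?:\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+)))?/i.exec(iframe[1]);
  if (!attr) return { found: true, sandbox: null };
  const value = attr[2] ?? attr[3] ?? attr[4] ?? "";
  return { found: true, sandbox: value.trim().split(/\s+/).filter(Boolean) };
}

// Report which risky capabilities an ad slot grants to the creative.
// An unsandboxed iframe (or an inline script tag) grants all of them.
function auditAdSlot(markup) {
  const { found, sandbox } = parseIframeSandbox(markup);
  if (!found) return { ok: false, granted: RISKY_SANDBOX_TOKENS.slice(), reason: "no iframe" };
  if (sandbox === null) return { ok: false, granted: RISKY_SANDBOX_TOKENS.slice(), reason: "no sandbox" };
  const granted = sandbox.filter((t) => RISKY_SANDBOX_TOKENS.includes(t.toLowerCase()));
  return { ok: granted.length === 0, granted, reason: granted.length ? "permissive sandbox" : "sandboxed" };
}

// Check a Set-Cookie header value for the flags that limit session hijacking:
// HttpOnly (not readable by script), Secure (HTTPS only) and a SameSite value
// other than None (not sent on cross-site requests).
function auditSessionCookie(setCookie) {
  const parts = setCookie.split(";").map((s) => s.trim());
  const attrs = parts.slice(1).map((s) => s.toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  const sameSite = attrs.find((a) => a.startsWith("samesite="));
  if (!sameSite || sameSite === "samesite=none") missing.push("SameSite=Lax|Strict");
  return { name: parts[0].split("=")[0], ok: missing.length === 0, missing };
}

// Constructed sample ad slots, from worst to best.
const SAMPLE_SLOTS = {
  inline: '<script src="https://ads.example/tag.js"></script>',
  unsandboxed: '<iframe src="https://ads.example/creative.html" width="300" height="250"></iframe>',
  permissive: '<iframe src="https://ads.example/creative.html" sandbox="allow-scripts allow-same-origin allow-top-navigation allow-popups"></iframe>',
  hardened: '<iframe src="https://ads.example/creative.html" sandbox="allow-scripts"></iframe>',
};

// Constructed sample Set-Cookie headers for a session cookie.
const SAMPLE_COOKIES = {
  weak: "session=abc123; Path=/",
  hardened: "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
};

// Run the audit over every sample and return a summary keyed by sample name.
function runAudit() {
  const report = { slots: {}, cookies: {} };
  for (const [name, markup] of Object.entries(SAMPLE_SLOTS)) report.slots[name] = auditAdSlot(markup);
  for (const [name, header] of Object.entries(SAMPLE_COOKIES)) report.cookies[name] = auditSessionCookie(header);
  return report;
}

console.log(JSON.stringify(runAudit(), null, 2));
```

A sandbox of just `allow-scripts` still lets a creative render and animate, but it cannot call into the parent page, navigate it, or open a new tab, which removes both of the delivery paths the report describes; the cookie flags then limit what a script that does slip through can take with it.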