A sophisticated malvertising campaign orchestrated by a threat actor known as D-Shortiez is exploiting a specific behavior in Apple’s WebKit browser engine to trap iOS Safari users on malicious scam pages. This cunning tactic, dubbed the “back-button hijack,” prevents victims from easily navigating away, forcing them onto fraudulent websites through a series of controlled redirects. The campaign highlights a persistent evolution in online advertising fraud, where attackers leverage subtle technical advantages to circumvent existing security measures.
The D-Shortiez campaign has been actively delivering millions of malicious ad impressions over the past six months, primarily targeting users in the United States, Canada, and parts of Europe. Researchers at Confiant identified the group’s operational signature and meticulously analyzed their payload. While the initial stages of the attack involve standard fingerprinting and tracking techniques, the core of the malicious operation lies in its advanced redirection mechanism and the exploitation of a browser vulnerability.
The Back-Button Hijack: How D-Shortiez Traps Safari Users
The most innovative and alarming aspect of D-Shortiez’s operation is its exploitation of the `popstate` event in WebKit-based browsers, specifically on iOS. The malicious script utilizes `window.top.history.pushState()` to inject a fabricated entry into the browser’s session history. Subsequently, an `onpopstate` event handler is attached to `window.top`, which intercepts any attempt by the user to press the back button. Instead of returning the user to their previous legitimate page, the handler redirects them to the scam URL, appending a “back” parameter to the malicious link.
This meticulously crafted exploit was designed to be stealthy, producing no unusual behavior on most major browsers when tested. However, Safari on iOS proved to be the critical exception, allowing the script to effectively lock the back button. This leaves users trapped on fraudulent pages with no straightforward means of escape, mirroring older browser-trapping techniques but executed with greater technical sophistication and reliability.
Initial analysis by researchers revealed that the redirect mechanics involved a nested try/catch block that initiated multiple simultaneous redirect attempts. This multi-pronged approach is a known tactic within the ad fraud ecosystem, devised to maximize the chances of success across different browser implementations and their unique responses to redirect calls.
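For ad-operations and security teams auditing creatives for this pattern, the following is an added example (not code from the article, from Confiant, or from the D-Shortiez payload) of a static heuristic scanner. It scores a creative's JavaScript on the building blocks the article describes: a `pushState` call on `window.top.history`, a `popstate` handler attached to `window.top`, a `location` redirect, a `back` query parameter, and repeated `try` blocks. The two sample creatives, the indicator names and weights, and the `landing.example` hostname are all constructed for illustration.

```javascript
// Added example: static heuristic scan of ad-creative JavaScript for the
// back-button-hijack pattern. Indicator ids and weights are assumptions.
const INDICATORS = [
  { id: "top_pushstate", weight: 3,
    re: /(window\.)?top\.history\.pushState\s*\(/ },
  { id: "top_popstate_handler", weight: 3,
    re: /(window\.)?top\.(onpopstate\s*=|addEventListener\s*\(\s*["']popstate["'])/ },
  { id: "location_redirect", weight: 2,
    re: /location(\.href)?\s*=[^=]|location\.(replace|assign)\s*\(/ },
  { id: "back_param", weight: 1,
    re: /[?&]back=/ },
  { id: "multiple_try_blocks", weight: 1,
    re: /try\s*\{[\s\S]*try\s*\{/ },   // several redirect attempts wrapped in try
];

// Returns the matched indicator ids, a weighted score and a verdict.
// "back-button-hijack" requires both the top-frame pushState and the
// top-frame popstate handler; other combinations only reach "suspicious".
function scanCreative(source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  const indicators = hits.map((ind) => ind.id);
  let verdict = "clean";
  if (indicators.includes("top_pushstate") &&
      indicators.includes("top_popstate_handler")) {
    verdict = "back-button-hijack";
  } else if (score >= 3) {
    verdict = "suspicious";
  }
  return { verdict, score, indicators };
}

// Constructed sample creatives (not real D-Shortiez payloads).
const BENIGN_CREATIVE = `
  var img = document.createElement("img");
  img.src = "https://cdn.ads.example/banner.png";
  img.onclick = function () { window.open("https://advertiser.example/"); };
  document.body.appendChild(img);
`;

const HIJACK_CREATIVE = `
  try {
    window.top.history.pushState({}, "", location.href);
    window.top.onpopstate = function () {
      try { window.top.location = "https://landing.example/?back=1"; } catch (e) {}
    };
  } catch (e) {}
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("benign:", scanCreative(BENIGN_CREATIVE));
  console.log("hijack:", scanCreative(HIJACK_CREATIVE));
}
```

The scan is deliberately token-based so it can run over a creative archive or a proxy capture without executing anything; minified or obfuscated creatives that build these member names dynamically will slip past it, so treat a "clean" result as "nothing obvious" rather than as a guarantee.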
The scale of the D-Shortiez campaign is substantial, with over 300 million malicious ad impressions served in the last six months. The targeting has been heavily focused on US audiences, with reach extending into Canada and various European countries. The iOS platform has been identified as the primary target, suggesting a deliberate focus on this ecosystem. The activity has maintained a consistent pace since August, but trend data indicates periodic, aggressive bursts of high-volume delivery followed by short pauses. This cadence suggests active management of the campaign to avoid detection.
The vulnerability enabling this back-button hijack was officially disclosed to Apple on September 29. Apple responded by issuing a security update for Safari on January 23, identified as HT213600. Users who have not yet applied this crucial update remain vulnerable to this specific exploit, potentially exposing them to recurring scam redirect loops.
The threat actor D-Shortiez operates by continuously seeking out and exploiting subtle technical advantages within the complex ecosystem of online advertising. For these malvertisers, even minor quirks in browser behavior or gaps in ad platform filtering can translate into significant improvements in campaign reach and longevity before being detected and shut down.
To mitigate the risks associated with this malvertising campaign, all iOS and Safari users are strongly advised to install the Apple security update HT213600 without delay. Additionally, security and ad operations teams should conduct thorough audits of their ad supply chains, specifically searching for redirect-based payloads. Blocking known D-Shortiez Indicators of Compromise (IOCs) at the DNS and network levels is also recommended. These IOCs are distributed across a wide network of wildcard subdomains, including but not limited to `.shop`, `.site`, `.homes`, `.beauty`, `.skin`, `.boats`, and `.cyou`, among other top-level domains.
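Because the indicators are spread across wildcard subdomains, a block list of apex domains has to match every subdomain beneath each apex while not matching unrelated names that merely end in the same characters. The following added example (not from the article or from Confiant) shows that matching against a list of resolver query names; the `ioc-placeholder-*` apex domains and the sample queries are constructed placeholders, not real D-Shortiez indicators.

```javascript
// Added example: wildcard-subdomain matching of DNS query names against a
// list of IoC apex domains. The apex names below are placeholders.
const BLOCKED_APEX = [
  "ioc-placeholder-1.shop",
  "ioc-placeholder-2.site",
  "ioc-placeholder-3.cyou",
];

// Lower-case, drop a trailing dot (FQDN form) and any ":port" suffix.
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "").replace(/:\d+$/, "");
}

// True when host equals a blocked apex or is any subdomain of one.
// The leading "." in the suffix test enforces a label boundary, so
// "notioc-placeholder-1.shop" does not match "ioc-placeholder-1.shop".
function isBlocked(host, blocklist = BLOCKED_APEX) {
  const h = normalizeHost(host);
  return blocklist.some((apex) => h === apex || h.endsWith("." + apex));
}

// Reduce a list of query names (e.g. from resolver logs) to the blocked ones.
function findBlockedQueries(names, blocklist = BLOCKED_APEX) {
  return names.filter((n) => isBlocked(n, blocklist));
}

// Constructed sample query names.
const SAMPLE_QUERIES = [
  "a1b2.ioc-placeholder-1.shop",
  "deep.sub.ioc-placeholder-2.site.",
  "notioc-placeholder-1.shop",   // same trailing characters, must not match
  "ioc-placeholder-3.cyou",
  "cdn.ads.example",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(findBlockedQueries(SAMPLE_QUERIES));
}
```

The same label-boundary rule applies when the list is loaded into a resolver's response-policy zone or a proxy's deny list: block `apex` and `*.apex`, not a bare substring.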
Moving forward, the key next step for users is to ensure their devices are updated. For security professionals, ongoing vigilance in monitoring ad supply chains and blocking identified malicious domains will be critical. The continued evolution of malvertising tactics underscores the persistent need for robust security measures and rapid patching by platform providers to protect users from sophisticated online threats.