Malvertising Actor ‘D-Shortiez’ Exploits WebKit Back-Button Hijack in Forced-Redirect Campaign

GBHackers On Security | Mar 3, 2026

Why It Matters

The technique demonstrates how legacy browser APIs can be weaponized to sustain large‑scale ad‑fraud, pressuring ad networks and Apple to address a previously overlooked WebKit vulnerability.

Key Takeaways

  • D‑Shortiez used WebKit back‑button hijack.
  • Over 300 million malicious ad impressions in six months.
  • Attack targets Safari and iOS browsers exclusively.
  • Exploit manipulates history.pushState and onpopstate events.
  • Apple has not yet patched the WebKit flaw.

Pulse Analysis

Malvertising remains a lucrative vector for cybercriminals, and the D‑Shortiez campaign underscores the persistence of forced‑redirect scams. By embedding a lightweight JavaScript payload that manipulates the browser's history API, the group can trap users on scam pages without triggering typical security alerts. This approach sidesteps many modern defenses that focus on drive‑by downloads or exploit kits, instead relying on a subtle UI hijack that only activates in Safari’s implementation of the popstate event. The result is a seamless user experience that appears legitimate until the back button is pressed, at which point the malicious redirect fires repeatedly.

The technical elegance of the attack lies in its selective targeting. Safari and other iOS WebKit‑based browsers handle the onpopstate callback differently from Chrome or Firefox, allowing the malicious script to execute reliably while remaining inert elsewhere. Researchers observed that the payload also performs lightweight fingerprinting—collecting device type, geolocation, and browser version—to fine‑tune the final scam landing page, whether it displays fake antivirus warnings, gift‑card offers, or subscription traps. With more than 300 million ad impressions delivered in just half a year, the campaign demonstrates that even a single browser quirk can scale to massive ad‑fraud revenue streams.

Mitigation efforts must address both the browser flaw and the ad supply chain that propagates the malicious creatives. Apple has been notified and is expected to patch the popstate handling in an upcoming Safari update, but until then, security teams should advise users to close tabs rather than use the back button on suspicious sites. Publishers and ad networks need stricter JavaScript validation, real‑time domain reputation checks, and tighter controls over third‑party creatives to choke the infection vector. As attackers continue to repurpose legacy APIs, a proactive, layered defense—combining browser patches, network filtering, and vigilant ad‑tech hygiene—will be essential to curb the next wave of malvertising abuse.
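As an illustration of the "stricter JavaScript validation" step, here is a pre-flight heuristic an ad network could run over submitted creatives. It is an added example, not code from the article or from the researchers. The signal names, verdicts and sample creatives are constructed assumptions, and a static check like this only catches unobfuscated scripts.

```javascript
// Added example: static pre-flight check for ad creatives (heuristic only).
// It looks for the combination the article describes: a history write, a
// popstate handler, and a navigation sink, plus optional browser gating.
const SIGNALS = {
  historyWrite: /\bhistory\s*\.\s*(pushState|replaceState)\s*\(/,
  popstateHook: /\bonpopstate\s*=|addEventListener\s*\(\s*["']popstate["']/,
  navigation: /\blocation\s*\.\s*(href|replace|assign)\b|\blocation\s*=[^=]/,
  browserGate: /\bnavigator\s*\.\s*(userAgent|vendor|platform)\b/,
};

// Rewrite obj["prop"] as obj.prop so bracket notation does not hide a call.
function normalise(src) {
  return src.replace(/\[\s*["'](\w+)["']\s*\]/g, ".$1");
}

// Returns { verdict, hits }:
//   "block"  = history write + popstate hook + navigation all present
//   "review" = history write + popstate hook only (typical of SPA routers,
//              but unusual inside a third-party ad creative)
//   "allow"  = anything else
function scanCreative(src) {
  const code = normalise(src);
  const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(code));
  const has = (k) => hits.includes(k);
  let verdict = "allow";
  if (has("historyWrite") && has("popstateHook")) {
    verdict = has("navigation") ? "block" : "review";
  }
  return { verdict, hits };
}

// Constructed sample creatives (not taken from the campaign).
const SAMPLES = {
  banner:
    'document.getElementById("cta").onclick = function () { window.open(clickTag); };',
  spaRouter:
    'history.pushState({p: 2}, "", "?p=2"); window.addEventListener("popstate", render);',
  backTrap:
    'if (/iPhone|iPad/.test(navigator.userAgent)) {' +
    ' history["pushState"](null, "", location.href);' +
    ' window.onpopstate = function () { top.location.replace(LANDING_URL); }; }',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanCreative(src)));
}
```

A "review" verdict is a prompt for manual inspection or sandboxed rendering, since legitimate single-page code also uses these APIs.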
