Think twice before accepting notifications on Chrome: threats on the rise


Clicking the “Allow” button online is asking for trouble. Dubious websites exploit push notification functionality to serve ads, malware, or phish users' credentials. And the trend shows that these attacks are on the rise.

Many websites ask for permission upon arrival to show notifications. Accustomed to agreeing on generic prompts, many users unknowingly put themselves at risk.

Sometimes, a single permission is all it takes to white-list the delivery of malware, warns Oren Koren, Co-Founder of the cybersecurity firm Veriti.

ADVERTISEMENT

“It’s a super easy and common attack method that’s under the radar. How many times have you heard the question, ‘I get lots of strange popups on my laptop, I can't find the virus,“ he said.

What’s usually happening is that malicious notifications breed inside the user‘s browser profile. Even a brand-new laptop inherits all these popups once a user logs into his browser again.

A simple but effective attack vector

The attack works pretty simply, but its consequences are not limited to predatory ads.

Firstly, a user surfing the internet comes to a website where the browser will pop up an alert, asking to show notifications for the website. If the user approves, this site will start pushing notifications on any tab in the browser, even amongst system notifications, whether it is phone or computer. These notifications appear on the main computer or phone screen, similar to OS notifications.

Fake notification

“That can be a simple and efficient delivery method for malware. The unique part is that it is embedded to the user profile that is connected to the browser. That means that if the user logs in with his private user to the browser in his workstation, he will download this malicious notification directly into his working network without realizing it,” Koren warns.

Push notifications often employ social engineering tactics to strike fear into users by warning about virus infections or other problems, and vice versa, as they can try to exploit the trust of seemingly familiar websites.

ADVERTISEMENT

Example: Omnatour.com

After the user grants permission for notifications, as stated by Koren, cyber attackers can transform these notifications into malicious tools, employing them for various purposes, including serving ads and spreading malware infections.

“The user doesn't need to press anything for the attacker to run the code,” he explains. “The main risks are that notification will lure the user into giving his username and password (mimic a login page), javascript will run an exploit in the browser level to get privilege escalation, also password and browser profile grabbing, redirects to actual infecting websites or downloading a malicious file.”

He shared statistics that from a single website called Omnatour, the attacks affected thousands of users each day, and in the last few months, such attacks have occurred twice as often compared to the beginning of the year. The US was the most targeted market, followed by Australia.

omnatour

In total, the website had access to 65,000 end devices daily.

Omnatuor.com is a site that redirects the browser to ads for unwanted browser extensions, surveys, adult sites, online web games, fake software updates, and unwanted programs, according to malwaretips.com. These advertisements will be shown often enough to become intrusive and potentially harmful to the computer if the wrong program is downloaded.

While legitimate notifications are a valuable tool to alert users about updates, news, potential security risks, or required actions, thread actors use pop-ups for ads and inappropriate content as an attack vector to spread viruses, ransomware, etc.

“Because this is a generic prompt, the majority of web users agreed with it without knowing that they have given Omnatuor.com complete access to the push notification feature. The attackers will make use of this situation to display aggressive types of pop-up ads on the browser window. Sadly, the display of excessive ads could be the basis for malware infection,” Koren said.

Users may receive malicious notifications from legitimate websites that suffered hacker attacks, which may often convey political messages and offensive images.

ADVERTISEMENT

Check who’s allowed to send you notifications

Even for experts, it may be hard to tell fake and genuine notifications apart, as cyber criminals are cunning and careful to increase their chances of success. Watching for the usual suspects such as poor grammar, unprofessional language, low-quality logos, poorly scaled images, or suspicious URLs, is always a good idea.

Users should be selective about which websites they visit and the notifications they allow.

“Avoid clicking on suspicious links or pop-ups,” Koren shares a rule of thumb.

Oren Koren

If you accidentally allowed unwanted notifications, you can check them in the browser’s settings. You can also type a short URL into the browser address bar to get to settings directly and clean the list from any non-relevant notifications:

For Chrome: “chrome://settings/content/notifications” (without quotation marks)

For Microsoft Edge: “edge://settings/content/notifications”

For Firefox: “about:preferences#privacy”

For Safari: go to “Settings…”, choose the tab “Websites,” then select Notifications in the “General” section. There, you will find websites that are allowed to show alerts in the Notification Centre.

ADVERTISEMENT

Koren advises companies: “The most important part – use a secured browser or business version of your favorite browser.”

This will empower to determine whether a user can log in to their personal account or switch between profiles based on policy definitions."