A new kind of spam is being observed in the field that uses the browser notification feature to trick users into subscribing to sites that will in turn bombard them with notifications, usually tied to click or ad profit schemes.
Subscription notification request seen below:
Browser notification subscription requests are a legitimate feature that allows visitors of a site to be notified when there is new content available. It saves users the need to constantly refresh or keep open browser tabs. It also allows website operators to push new content notifications to their subscribers.
Typically, the excerpt of JavaScript code contained in the subscription request in the Google Chrome browser looks like this:
The end user is used to seeing it in action as follows (view in a Chrome browser):
This code is responsible for the notifications that pop up during a user’s session. Some operating systems, like Mac OS, show them in the OS notification area. Unfortunately, because these JavaScript prompts are often served over TLS/SSL sessions, many popular defense technologies do not detect them, creating a real risk to the user and the device.
Chrome notifications
Spam and other pests
According to BleepingComputer, malicious actors are using these browser subscription notifications to mislead victims into installing extensions, adware, adult sites and other click-fraud related vectors. Once the victim has agreed to subscribe to notifications, the sites spam the user with extensions, add-ons, fake software, search hijackers, etc., which may lead to system compromise and further infestation.
The following example shows the entire attack chain, from the push notification to the search hijack/redirection. This particular site was careful to follow legal content guidelines and mimicked the look and feel of trusted sites. It does, however, contain a redirect from Google search to its infected add-on.
The chain starts at sites advertising add-ons for ‘easy email access’, as seen below.
Notification request
Once redirected to their site, a push notification subscription request is shown, which then pops up the “Emali Assistant” add-on along with its privacy kit.
Add on install push
If installed, when the user goes to Google.com a message appears indicating that their searches will be redirected to a particular search page. (Notice the spam notifications at the lower right of the browser window.)
Search redirection
As most defense technologies have focused mainly on email spam, browsers are the application most exposed to the internet, and they are usually one of the main links in the exploitation chain. The industry's endpoint-level defenses do not protect against this type of attack vector, because users will likely bypass controls: these alerts and add-ons do not trigger any antivirus or endpoint alert. Additionally, users will often pursue further installs, as they are tricked into continuing to bypass security mechanisms, as seen in the chain above. This type of spam is just one example of how malicious actors shift their attack vectors in response to effective industry measures, still finding ways into a system.
What to do about browser spam?
Browser spam can be addressed by hardening the browser configuration at deployment time and keeping browsers up to date.
Security awareness training is essential; it helps users recognize tactics such as this and prompts them to question where their actions could lead. Users can also unsubscribe from notifications as a whole, closing every potential door into redirects. Lastly, there are a few tools that can protect against aggressive JavaScript content pushes, such as NoScript.
Internet browsers are becoming a focus of malicious actors as other technologies defend against existing attack vectors. As those defenses improve and become more browser-aware, the attack vectors shift as well, and in the end it is up to the user to decide what to install. This is where security awareness training comes in. If users are educated and understand the latest tactics, organizations will be more successful in limiting exposure.