How Push Notifications Are Exposing Readers to a New Breed of Cyber Attack
It should come as no surprise to anyone involved in the digital advertising ecosystem that fraudsters are always looking for new methods to target users with sophisticated digital attacks. As soon as innovative new ways of engaging with users are developed, cyber criminals aren’t far behind with a method for exploiting these innovations, particularly when there’s money to be made. Now, as push notification ads grow in popularity, a new threat to user security is growing within the format: push lockers.
Upon identifying these push notification specific lockers, between February and March AdSecure — an ad security verification tool and my employer — saw a 563% increase in the detection of browser locker attacks, and at the time of writing this article, we have protected our partners from more than 20 unique push lockers in under 24 hours.
While push notifications are a popular way for publishers to engage their readers, publishers must recognize the growing risk and take the necessary steps to ensure that their readers are protected. That includes working with ad partners who have the necessary technology to identify these cyber security threats and thwart them.
What Is a Push Notification Ad?
Push notification ads are simple clickable messages, accompanied by a small image, that are delivered to desktop browsers or mobile devices, but only once a user has consented to receiving them. This is a key point, as the users have agreed to see the ads, leaving the perception that they are less intrusive than traditional formats, and develop a higher level of engagement from the user.
Push notifications work by displaying an initial permission request — managed by the browser — when a user is visiting a site for the first time. Once the user agrees to receive these push notifications, they will receive them based on the frequency set out by the advertiser. Should a user opt not to see push notifications, the browser logs this choice as well, and they won’t be asked to subscribe to them again.
What Is a Push Locker?
The push notification format, while relatively new, is growing in popularity within the online marketplace for all the reasons mentioned previously: users have to opt-in to see them at all, and with that consent comes a higher rate of engagement. Brands using push notifications are seeing increased click through rates, and just as marketers are seeing the clear benefits the format provides, cyber criminals are becoming wise to the potential for driving malicious campaigns straight to users screens. What has developed out of these sinister intentions is a new form of browser locker specifically designed around the natural behavior of a push ad.
When you make the choice to opt-in, or out, of receiving push notifications on a particular site, the browser manages the request and saves the choice. However, it’s the way the browser saves this choice — either by domain, or subdomain — that can expose the user to trouble.
What happens if the user opts out, but the website redirects him automatically to another subdomain? Can you guess what’s coming? This allows the user to be prompted again to accept the push notification. So naturally, he declines this new request, and then he's sent to yet another subdomain and asked again, and again, and again. Suddenly he is trapped in an endless looping push notification nightmare, and he can only escape it by giving in and “consenting” to receive the push notification.
Incredibly annoying, right? But this is tame compared to what other push lockers are capable of.
What Types of Push Lockers Are Out There?
There are various types of push lockers, some more sophisticated than others. Here are two examples:
Crypto currency mining is a popular way for cyber criminals to hijack a user's browser so that the user is unaware that his computer power is being secretly used to mine crypto currency for the hijacker. A push locker will keep the user locked on the consent page until he accepts the push, all the while quietly mining crypto currencies in the background.
Users who opt in are then redirected to a new offer page which also launches the cryptocurrency miner, leaving the user with no safe option to take. When this type of push locker is implemented on a mobile browser, the entire device is rendered useless for the owner, again until he is forced to consent. In all cases, the looping push notification locks the user into an action that he absolutely does not want to take, and puts him at severe risk of exposure to exploit flaws or other security breaches.
If a user clicks somewhere on the page other than the buttons to allow or block a push notification this causes the browser to switch to full screen mode. That prevents the user from doing anything else until he accepts the push notification, which in turn leads the user to a scam offer, or the forced download of malware, or a similar security threat.
What's the Solution?
The relative speed at which push lockers have appeared on the scene has caught some ad verification providers off guard. They either weren’t aware of the problem quickly enough, or they aren’t using the modern technology needed to detect push lockers with any degree of consistency and precision.
Push lockers are sophisticated and pernicious, and in order to catch them early and often, the ad verification scanning technology being used needs to be based on the most modern browser technology available, particularly a crawler powered by Chrome, as Google's browser is the most commonly used.
As more publishers and ad platforms begin to work with the push notification ad format, push locker attacks will spread across the digital ads landscape. As a publisher, make sure that your partners are working with an ad verification provider that has the resources and the knowledge needed to track down push lockers and keep them from hurting your end users.