Phishing attacks delivered through browser notifications are gaining popularity, according to a Kaspersky study. Security researchers say the share of users hit by browser notification scams has continued to grow month-on-month this year. The monthly number of users affected has grown from 1,722,545 in January to 5,544,530 in September 2019. In the first three quarters of this year, the cybersecurity firm says it protected more than 14 million users from fraudulent, unwanted browser notifications.
Browser push notifications are supposed to keep a website's regular readers or visitors supplied with updates. But these days, browser notifications are often used to bombard website visitors with unwanted ads and pop-ups, or even to encourage users to download malicious software, security researchers warn. In August, a Google Calendar invitation scam affected Google Calendar users worldwide, who reported receiving spam event reminders about fake events in Google Calendar across devices.
Web browsers explicitly seek users' consent before a site can send notifications. But hackers have come up with tricks that effectively force people to enable browser notifications. Some of the lesser-known tricks that make people fall for notification scams are as follows. As researchers have warned, attackers pass subscription consent off as another action, such as a CAPTCHA. In some cases, attackers switch the ‘accept’ and ‘decline’ buttons on notification alerts mid-action.
Attackers also show notifications from phishing copies of popular websites and show fraudulent subscribe pop-ups on websites.
"We have seen a rise in push notifications being abused, as attackers continue to creatively adapt new technologies in order to trick users. Because this feature is so widespread and easy to take advantage of through social engineering schemes, we have seen a rapid growth in the number of affected users," said Artemy Ovchinnikov, security researcher at Kaspersky.
"As with anything on the internet, users have to remain attentive and cautious when interacting with pop-ups and only allow push notifications if they are completely sure the alerts are useful and come from trusted sources," Ovchinnikov added.
Meanwhile, Firefox is changing the way it handles notifications and annoying pop-ups with Firefox 72. In a nutshell, Firefox wants to prevent website notification spam automatically. Cracking down on the notification clutter in Firefox has been on Mozilla's to-do list since April. Firefox 72 will be released in January 2020.