You may have noticed that while browsing the web, a prompt appears on the top of your screen that asks your permission to allow or block notifications from the site.
These browser notifications or “push notifications” often appear on a mobile or desktop device when a user visits a website. If the user clicks “allow”, the site sends notifications of new content to a browser even when the user is not at that particular site.
Though this feature is a useful tool to receive updates, of late, abusive notification prompts were one of the top complaints Google received about Chrome. Cybercriminals have found a way to abuse browser notifications to phish for private information, install malware or adware, redirect people to malicious websites, and track activities.
Generally, in order to enable push notifications, permission is requested once. However sometimes, malicious notification approval requests are disguised as prompts. It asks to click “OK” to view videos or as “CAPTCHA” (Completely Automated Public Turing test to tell Computers and Humans Apart). If consent is provided, the choice is saved in the browser options. Sometimes, these notifications appear outside the browser – even when the desktop is locked. Unscrupulous firms pay site owners to install their notification scripts and then sell that communication pathway to scammers and online hucksters.
Examples of Malicious Notifications
- Fake anti-virus message
- Fake video error
- Fake “verify you are not a robot” scam
- Dispense unwanted advertisements
- Re-direct to malicious websites
Google instituted abusive notification protection with Chrome 84. Under this, a warning is sent by the browser if a user receives a notification from a website that has been previously reported of abusing permission requests/notifications. Additionally, some anti-virus vendors are also improving detection of such scams, but adequate defenses are currently lacking.
Best Practices to Mitigate Malicious Notifications
- Limit notifications.
- Be cautious when initially allowing notifications. Permission only needs to be granted once.
- Review and disable unnecessary existing notifications in operating systems and browsers. Visit PCrisk.com for a removal guide.
- Configure the default settings on desktops and browsers to reject notifications – they can be enabled or disabled globally or individually in a browser or operating system.
- Run the latest browser versions.
- Determine if your anti-virus software is aware of malicious notifications scams.
- Report notification scam websites to Google and Microsoft.