As governments and companies become aware of cyber threats and close the door on certain methods, cybercriminals keep evolving to find new ways to attack.
The latest example, according to a recent report by WatchGuard, is a new type of browser-based social engineering. It follows recent attempts by various web browsers to protect against pop-up abuse, which hackers have used in the past to redirect people to malicious websites. Now cybercriminals are using the browser notification feature to do the same thing.
Examples of notification-based phishing
The report highlights a few cases where domains have been set up specifically to enable this type of hack. One example is a fake streaming website targeting those looking to stream live sports. Once on the site, users are prompted to enable browser notifications, which lets the threat actors hijack web browsers and force through malicious pop-ups and redirects. Users might also be directed to other parts of the site to complete forms to register for an account or sign up for paid membership. This allows the cybercriminals to get these people’s credit card details.
Another example the report highlighted was an SEO-poisoned website (SEO poisoning is when a cybercriminal abuses links and redirects to simulate legitimate traffic to a website so that it ranks highly in search engine results). In this case, the website tried to trick genuine visitors into enabling browser notifications by disguising the prompt as a CAPTCHA request.
In addition to these examples, threat actors can display fake security risk notifications or other types of bait to trick victims into installing malicious software or paying inflated prices for ‘malware protection services’.
Be aware of browser notifications
As the report emphasises, this type of social engineering is becoming increasingly common, so it’s important to read any notification that pops up in your browser. Don’t just click on it. And be careful with the websites you visit, particularly if they are unknown to you and unsecured.
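
A way to check which sites have already been allowed to send notifications, as an added example that is not from the WatchGuard report: the script lists every origin with an "allow" notification grant that is not on a known-good list. It assumes the Chromium-style `Preferences` JSON layout; the sample data, host names and allowlist are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample mirroring the assumed Chromium "Preferences" layout.
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://mail.example.com:443,*":
            {"setting": 1, "last_modified": "13350000000000000"},
        "https://free-sports-stream.example:443,*":
            {"setting": 1, "last_modified": "13360000000000000"},
        "https://news.example.org:443,*": {"setting": 2},
    }}}}})

ALLOW = 1                          # 2 means the user blocked the prompt
TRUSTED = {"mail.example.com"}     # hypothetical allowlist of expected sites


def webkit_to_utc(ts):
    """Convert microseconds since 1601-01-01 (Chromium timestamps) to UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(ts))


def audit_notification_grants(prefs_text, trusted=TRUSTED):
    """Return (host, granted_at) for allowed origins outside the allowlist."""
    prefs = json.loads(prefs_text)
    rules = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, rule in rules.items():
        if rule.get("setting") != ALLOW:
            continue               # blocked or default: cannot push pop-ups
        origin = pattern.split(",")[0]          # "origin,embedder" pair
        host = urlsplit(origin).hostname or origin
        if host in trusted:
            continue
        stamp = rule.get("last_modified")
        findings.append((host, webkit_to_utc(stamp) if stamp else None))
    return sorted(findings, key=lambda item: item[0])


if __name__ == "__main__":
    for host, granted in audit_notification_grants(SAMPLE_PREFS):
        print(f"review notification grant: {host} (granted {granted})")
```

Any origin the script reports can be revoked in the browser's site settings for notifications.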