Malicious Browser Push Notifications
Browser Push Notifications: Push notifications are small permission-based notification messages that notify users of new messages or updated content and have the ability to reach large audiences anywhere at any time. Desktop notifications are visual notifications that appear on your screen alerting you to new messages from visitors in an app, desktop notifications are shown even if you are browsing a different website or tab in another app.
Push notifications act differently then website pop-ups this is because they are independent of sites. Push notifications are associated with web browsers and apps and can be used with both desktop and mobile versions of web browsers.
Mozilla – “Web Push allows websites to notify users of new messages or updated content. While Firefox is open, websites who have been granted permissions can send notifications to your browser and display them on the screen. Users can easily allow or disable notifications and control how these notifications appear.”
https://support.mozilla.org/en-US/kb/push-notifications-firefox
The web notification opt-in process
Web notifications are a permission-based marketing channel. Before receiving a web push, users have to opt in to receive them.
The opt-in prompt comes from the user’s web browser. This prompt is called a browser-level opt-in prompt, or browser-based prompt.
Brands can handle the opt-in process in different ways with both the opt-in process and the timing of the opt-in ask.
Push notifications can be really useful when there used correctly to increase conversation rate to a website or app however they can be abused using various social engineering methods. Today we will take a look at some of the methods hackers are using to abuse web push notifications.
Push Notifications can be used to promote spam and misleading content. Recycling blog posts is not a bad thing although, it can become quite annoying seeing the same push notifications promoting the content you have already read.
The Notifications API
Push notifications are handled externally using The Notifications API.
“The Notifications API lets a web page or app send notifications that are displayed outside the page at the system level; this lets web apps send information to a user even if the application is idle or in the background.
https://developer.mozilla.org/en-US/docs/Web/API/Notifications_API/Using_the_Notifications_API
Due to the nature of The Notification API, hackers will often target push notification software using various social engineering techniques such as phishing, password reuse, waterhole attacks with their main goal to hijack the account that handles push notifications. This would allow the hacker to potentially send malicious push notifications to all push subscribers externally regardless of whether the website or blog is functioning correctly or is online. If you are sending push notifications to your users make sure that you are using a strong password and 2FA login in your marketing software.
Social Engineering Browser Push Notifications
Hackers have started to target push notifications via social engineering methods. Social engineers have started to abuse push notifications to get more push subscribers by overlaying and embedding convincing permissions buttons inside video and music content tricking users into thinking they are clicking allow to play the video or music on the website or confirm their age.
Push-notification.tools pop-ups
The Push-notification.tools pop-ups are a social engineering attack that tries to trick users into subscribing to its push notifications so that they can send unwanted advertisements directly to your desktop.
https://malwaretips.com/blogs/remove-push-notification-tools/
Push notifications can also be abused to gain a better traffic analytics score by recycling content and promoting users back to the website an excessive amount of times. This makes it look as if there have been a lot more recurring users.
Even though a lot of the websites and blogs using push notifications are secured by SSL HTTPS security certificates. Hackers could still send push notifications externally promoting a less secure website that is hosting malicious content or containing malicious code or links to malicious websites that are not encrypted.
Browser Push Notifications and marketing
Often push notifications will not be self-hosted as they can be hard to manage and can cause a lot of performance issues on servers. There are many companies on the market who are offering push notifications for free. How do these companies offer such a lucrative service for free? marketing companies will sell marketable user data to the highest bidder.
There’s a lot of genuine companies that offer push notification services that are transparent when it comes to data they collect. But that is not the case for others always look into the terms and conditions before installing any push notification plugins for your website or blog.
How to disable Push Notifications in your browser
Google Chrome
Brave
Firefox
Opera