November 17, 2020

An increasing number of websites are asking visitors to approve “notifications,” browser modifications that periodically display messages on the user’s mobile or desktop device. In many cases these notifications are benign, but several dodgy firms are paying site owners to install their notification scripts and then selling that communications pathway to scammers and online hucksters.

Notification prompts in Firefox (left) and Google Chrome.

When a website you visit asks permission to send notifications and you approve the request, the resulting messages that pop up appear outside of the browser. For example, on Microsoft Windows systems they typically show up in the bottom right corner of the screen — just above the system clock. These so-called “push notifications” rely on an Internet standard designed to work similarly across different operating systems and web browsers.

But many users may not fully grasp what they are consenting to when they approve notifications, or how to tell the difference between a notification sent by a website and one made to appear like an alert from the operating system or another program that’s already installed on the device.

This is evident by the apparent scale of the infrastructure behind a relatively new company based in Montenegro called PushWelcome, which advertises the ability for site owners to monetize traffic from their visitors. The company’s site currently is ranked by Alexa.com as among the top 2,000 sites in terms of Internet traffic globally.

Website publishers who sign up with PushWelcome are asked to include a small script on their page which prompts visitors to approve notifications. In many cases, the notification approval requests themselves are deceptive — disguised as prompts to click “OK” to view video material, or as “CAPTCHA” requests designed to distinguish automated bot traffic from real visitors.

An ad from PushWelcome touting the money that websites can make for embedding their dodgy push notifications scripts.

Approving notifications from a site that uses PushWelcome allows any of the company’s advertising partners to display whatever messages they choose, whenever they wish to, and in real-time. And almost invariably, those messages include misleading notifications about security risks on the user’s system, prompts to install other software, ads for dating sites, erectile dysfunction medications, and dubious investment opportunities.

That’s according to a deep analysis of the PushWelcome network compiled by Indelible LLC, a cybersecurity firm based in Portland, Ore. Frank Angiolelli, vice president of security at Indelible, said rogue notifications can be abused for credential phishing, as well as foisting malware and other unwanted applications on users.

“This method is currently being used to deliver something akin to adware or click fraud type activity,” Angiolelli said. “The concerning aspect of this is that it is so very undetected by endpoint security programs, and there is a real risk this activity can be used for much more nefarious purposes.”

Sites affiliated with PushWelcome often use misleading messaging to trick people into approving notifications.

Angiolelli said the external Internet addresses, browser user agents and other telemetry tied to people who’ve accepted notifications are known to PushWelcome, which could give the company the ability to target individual organizations and users with any number of fake system prompts.

Indelible also found that browser modifications enabled by PushWelcome are poorly detected by antivirus and security products, although Angiolelli noted that Malwarebytes reliably flags as dangerous the publisher sites that are associated with the notifications.

Indeed, Malwarebytes’ Pieter Arntz warned about malicious browser push notifications in a January 2019 blog post. That post includes detailed instructions on how to tell which sites you’ve allowed to send notifications, and how to remove them.

KrebsOnSecurity installed PushWelcome’s notifications on a brand new Windows test machine, and found that very soon after the system was peppered with alerts about malware threats supposedly found on the system. One notification was an ad for Norton antivirus; the other was for McAfee. Clicking either ultimately led to “buy now” pages at either Norton.com or McAfee.com.

Clicking on the PushWelcome notification in the bottom right corner of the screen opened a Web site claiming my brand new test system was infected with 5 viruses.

It seems likely that PushWelcome and/or some of its advertisers are trying to generate commissions for referring customers to purchase antivirus products at these companies. McAfee has not yet responded to requests for comment. Norton issued the following statement:

“We do not believe this actor to be an affiliate of NortonLifeLock. We are continuing to investigate this matter. NortonLifeLock takes affiliate fraud and abuse seriously and monitors ongoing compliance. When an affiliate partner abuses its responsibilities and violates our agreements, we take necessary action to remove these affiliate partners from the program and swiftly terminate our relationships. Additionally, any potential commissions earned as a result of abuse are not paid. Furthermore, NortonLifeLock sends notification to all of our affiliate partner networks about the affiliate’s abuse to ensure the affiliate is not eligible to participate in any NortonLifeLock programs in the future.”

Requests for comment sent to PushWelcome via email were returned as undeliverable. Requests submitted through the contact form on the company’s website also failed to send.

While scammy notifications may not be the most urgent threat facing Internet users today, most people are probably unaware of how this communications pathway can be abused.

What’s more, dodgy notification networks could be used for less conspicuous and sneakier purposes, including spreading fake news and malware masquerading as update notices from the user’s operating system. I hope it’s clear that regardless of which browser, device or operating system you use, it’s a good idea to be judicious about which sites you allow to serve notifications.

If you’d like to prevent sites from ever presenting notification requests, check out this guide, which has instructions for disabling notification prompts in Chrome, Firefox and Safari. Doing this for any devices you manage on behalf of friends, colleagues or family members might end up saving everyone a lot of headache down the road.
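For administrators who want to check which sites a Chrome profile has already been told to allow, here is an added example (not from the original article or from Indelible) that lists the allowed notification origins in a profile's Preferences file and flags those outside an approved list. The JSON layout, the setting values and the timestamp format are assumptions about Chrome's profile format, and the sample data and host names are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumption: Chrome keeps per-site notification decisions in the profile's
# "Preferences" JSON under profile.content_settings.exceptions.notifications,
# with setting 1 = allow and 2 = block.
ALLOW = 1
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://mail.example.com:443,*":    {"last_modified": "13250000000000000", "setting": 1},
  "https://coupons.example.net:443,*": {"last_modified": "13250000500000000", "setting": 1},
  "https://news.example.org:443,*":    {"last_modified": "13249000000000000", "setting": 2}
}}}}}
""")

def webkit_to_datetime(value):
    """Convert microseconds since 1601-01-01 UTC; None if missing or invalid."""
    try:
        micros = int(value)
    except (TypeError, ValueError):
        return None
    if micros <= 0:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=micros)

def host_of(pattern):
    """Extract the host from the primary half of a 'primary,secondary' key."""
    primary = pattern.split(",", 1)[0]
    try:
        return (urlsplit(primary).hostname or primary).lower()
    except ValueError:  # unparsable pattern: report it verbatim
        return primary.lower()

def allowed_notification_origins(prefs):
    """Return every origin the profile allows to send notifications."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                       .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, entry in exceptions.items():
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue  # blocked or malformed entries are not a concern here
        findings.append({
            "origin": pattern.split(",", 1)[0],
            "host": host_of(pattern),
            "granted": webkit_to_datetime(entry.get("last_modified")),
        })
    return sorted(findings, key=lambda f: f["host"])

def unexpected_origins(prefs, approved_hosts):
    """Allowed origins whose host is not an approved host or a subdomain of one."""
    approved = {h.lower() for h in approved_hosts}
    return [f for f in allowed_notification_origins(prefs)
            if not any(f["host"] == a or f["host"].endswith("." + a)
                       for a in approved)]

if __name__ == "__main__":
    # In practice, load the profile's Preferences file with json.load() instead.
    for finding in unexpected_origins(SAMPLE_PREFS, ["example.com"]):
        print(finding["origin"], finding["granted"])
```
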


62 thoughts on “Be Very Sparing in Allowing Site Notifications”

  1. Tim Gatton

    Install this extension into Chrome and you won’t be bothered any longer. It’s free, and I have no affiliation with them at all … just a happy user.

    1. BrianKrebs Post author

      I’m not a fan of the “install an extension to fix a security problem” approach. Extensions are frequently abandoned or sold to the very same scammers and scam advertising networks.

      https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/

      I updated this story with a link to a Verge article that includes instructions for outright blocking all prompts to enable notifications. Those instructions work for Chrome, Firefox and Safari.

    2. JamminJ

      Extensions are even more dangerous. They generally have permissions to read the contents of every page you visit. This can quickly become malicious. You have to “trust” the extension developers to not be evil and trust Google or Mozilla to continuously validate the extensions.

  2. Jeff

    On Chrome, you can go to:
    chrome://settings/content/notifications?search=notific
    and remove sites you have allowed and/or turn off being asked

    1. JoeHx

      Thanks for that. For some reason I had push notifications allowed from eBay.

      99% of the time, I block push notifications. There’s two sites that I allow push notifications from, and they’re both messaging sites. Neither is Facebook.

  3. Roger Cowles

    I wish there was a really easy “Disable all external notifications and never ask me to allow notifications” in Firefox/Chrome/etc or always have the check box on the browser Allow/Block dialog to always say “Block all and never ask me ever again” as there are a number of people who I help with computer issues who unknowingly allow notifications and get bombarded with these pop up/slide in notifications, and yes usually a lovely mix of pron spam, ED pills and work from home scams, to the point they can’t use their computers without being interrupted or having their mouse focus stolen by the notification and they have no idea what they did to get them or what’s causing them.

    I’m usually able to explain how to go into browser Settings and block sites that they have accidentally allowed to send this cr*p but it’s such a pain in the as … bottom and it scares the living daylights out of people who just use their computers casually without a deep understanding of how it works and are terrified that they now have a virus or have been hacked.

    1. Keilaron

      Depends what you call easy. With Firefox, the notification request pop-up has an option to disable future requests, I believe.

      Also I’m assuming you must be aware of this, but in case anyone else wants to know:

      Firefox: Options -> search “notif” -> Notification Settings -> click “Block all new requests” and in your case you probably also want the “Remove all websites” button.

      Chrome: Main menu -> Settings -> search “notif” -> Site settings -> Notifications -> Untoggle “Sites can ask to send notifications” though I don’t see a quick “remove all” in Chrome.

      1. DelilahTheSober

        Thank you! This last line in your post helped me to permanently turn off the notification option with Google Chrome. This request started popping up only recently when I visited websites and while I always say no, it was just annoying the **** out of me that they were even asking. If I really want notifications, I’ll sign up for the company’s email alerts.

    2. Doby

      As Keilaron indicated, Firefox lets you control this issue. Also, look at the link to get “More Information” when you are at the Notifications to see what Firefox is doing. I am on a Mac, so you might have to look for some other title if you are on a PC.

  4. Gary

    Just say no! Who thought this notifications crap is a feature?

    1. Phil

      For every experienced IT pro, there’s a roomful of hipsters with ‘bright ideas’

      1. security vet

        …and a miscreant who then takes advantage of the hipster’s “good idea”…rinse and repeat…

    2. Peter

      I use notifications on a select few websites and they are super useful.

      I personally disable the permission prompt (including for every other permissions that you have control of) by default, enabling the feature only on a per-site basis, when I see fit.

    3. timeless

      It’s part of Progressive Web App support — enabling a web site to function like a native application.

      Is it a good thing? Maybe. Maybe not.

      As things in browsers are abused, browser security can be adjusted to respond. Chrome now has an option for “quieter messaging” for this feature.

      The browser form factor is still better than Flash Applications, Java Web Start, and Java Applets (especially the signed stuff) and various other things.

      Some things are eventually removed from the web platform. (JWS/Java Applets are deprecated, and Flash dies in just over a month.)

  5. G.Scott H.

    And likewise in Firefox go to:

    about:preferences#privacy

    Scroll down to the Permissions section and you will find a notifications category with a button labeled Settings…

    You can review, disable, or remove sites granted notification permissions.

    1. G.Scott H.

      P.S. To disable Firefox asking for notifications…

      Near the bottom of the same dialog where you review, disable, or remove; there is a checkbox to block notification permission requests.

  6. Allegra

    My intuition on any of these things is that if the application has to ask, and you weren’t seeking it out to begin with, the answer ought to be “no.”

  7. security vet

    …”you’ve already won – it’s free! click here to get notified”…

    …not…

  8. Kent England

    As if I needed an excuse at the end of the year to continue my financial support of Brian Krebs — here it is!

    I have sent your article to my family and friends to warn them of this new threat. Thanks for helping me keep them safe.

  9. Steve J

    Notifications are useful if you use web based email. Corporate hosted GMail needs them or else you will never get your meeting reminders.

    Other sites…forgetaboutit!

    1. Gary

      I catch a lot of negative feedback for this, but I believe that web based email should not be used. Use an email client (MUA) instead. Browsers have a far greater attack surface than an email client.

      I run my own email server and don’t use RoundCube or SquirrelMail because they themselves increase the attack surface from the server side. Look at the CVEs of those programs. When I used a hosting service, my email was hacked by a RoundCube exploit.

      Less is more.

      1. timeless

        Mail applications are as vulnerable as Web browsers, if not more so (since they generally incorporate a full web browser plus have to handle a whole bunch of email / attachment stuff). Unfortunately, users tend to be even less willing to restart them to upgrade.

        While I personally use a standalone mail client at work, I’m quite happy to let employees use the web version instead.

        If the web browser people use isn’t secure, we’re already in trouble. If they aren’t running a native email client, it’s one less thing I need to worry about.

  10. The Sunshine State

    The three or four major browsers should be blocking crap like this

    Firefox upgraded to version 83 today !

    1. Phil

      I was just getting used to version 82!

      Really got to wonder at the choice of version number vs updates. Do they really need to change the high level number for what seems to be a minor fix? The browser doesn’t even look different from version 81

      1. Peter

        There can be major changes (and there generally are in a major version) without UI changes.
        At least in Chrome, each milestone has its huge lot of changes.

  11. Steve C#

    99.9% of the time I decline approving these notifications.

    The ones I do approve are from major organizations I know well and use a lot. I have often thought that these notifications were a possible malware entry point. So I am very careful and judicious.

    I am sure “normal” users have not given this issue a thought.

  12. Phil

    I very much appreciate that guide, I’ve done all that on my Win7 machine, but I now have a Win10 machine & getting all the bad ideas off of it has been overwhelming. Adobe Flash is still to be removed

    Is there a way to download a Win10 OS with all the crap already removed? It would save me a load of time.

    I understand that other items like installing Firefox will bring on a new onslaught of security holes to patch, i.e. address bar sending all my mistakes to Google, HTML5 canvas data harvesting, search suggestions keeping a fingerprint of my web usage, etc.

    1. JamminJ

      Much of your customization will be for applications, not the operating system.

      Have a look at your Application data directory for your user profile. %APPDATA%.
      Chrome and Firefox have their settings there… if you want, you can just copy them to the new system.

      Upgrading the OS can also allow you to transfer profiles over, which should retain your security and privacy settings.

  13. Moike

    I found that I have declined several hundreds of these notifications and approved none. Finally found and set the new “Block all and for all time” settings in all browsers as outlined in the Verge article.

    I wonder how much time I could have saved if this had been the default notification setting from the beginning?

  14. Jakob

    Why isn’t this stuff handled (and prosecuted) as a criminal offense? Unjustified statements like “Your PC is infected” or “Your Norton Subscription Has Expired” with the intent to trick the user to buy an expensive subscription looks like a clear case of wire fraud to me. Website owners willingly supporting this fraud by including the corresponding scripts on their sites could possibly be charged as well (accessory to a crime).

    1. security vet

      …in many cases the actual perp is offshore in a place that we can’t extradite from, so we could charge them but not lock them up or fine them…

      …say what you will about Ukraine, but that’s one of the places…

    2. JamminJ

      It appears you are not a lawyer, as this has no resemblance to “wire fraud”. Legal hint: “wire” doesn’t mean anything/everything over the internet. It refers to “wire money transfers”. Which can be broadly interpreted as “financial transactions”.

      Advertisements CAN LEGALLY LIE TO YOU!
      This has always been true with few exceptions. Laws have cracked down on television and radio advertisement. But affiliation advertisement is a gray area where they can legally get away with a lot.
      That is why you see how Norton was able to deflect responsibility because they aren’t the ones directly advertising. They accurately describe that this practice is forbidden by affiliate agreements. And the only legal remedy is to “terminate the affiliation”.

      Since these scammers aren’t actually selling the product or service… they cannot be held criminally liable for the type of fraud you are thinking (taking money on false pretenses). They get paid just by showing ads…. whether or not a customer actually buys the product.

  15. Dennis

    How is it that Norton denies placing that dodgy ad where the screenshot clearly shows their logo with the wording “your computer is infected with 5 viruses!”

    I seriously can’t believe that people install Norton or McAfee these days. Or even pay for any anti virus at all. They are utterly useless. And a waste of money. If someone doesn’t understand how internet safety works then either get them an iPad or a Chromebook. Definitely DO NOT have them use a Windows system!

    1. timeless

      While I’m not a fan of either antivirus product (Windows Defender is good enough, thank you), it’s pretty easy for a fraudster to also perform trademark infringement / copyright infringement by making a picture of either company’s logo.

  16. security vet

    …perhaps you did not read the story carefully, or don’t understand how referrer works on the Internet – pushwelcome.com gets credit for referring the sale to norton or mcafee however they make the referral (pain, pestilence, etc.) – and then you are referred to the norton or mcafee site for the actual sale…

    …hence the comment “we take this abuse seriously”…

    …i do agree with you that the windows defender is adequate and free so one should never have to pay for a/v…

  17. paper

    When is the Brian Krebs paper version coming out?
    I’m sure it could be one of the best paper magazines or newspapers look like looking … it could be main reading material at lunch time in businesses like Google, Amazon, etc.

  18. Doby

    Brian,
    Do you ever run these types of tests on Macs or Unix based systems [yes I understand OSX is a Unix derivative]? Wondering if there are holes in OSX.

    1. BrianKrebs Post author

      Not often, but it’s important to note that these notifications will install in your browser if you consent whether you’re using Mac, Windows or Linux.

  19. Hans

    As Mr Krebs has warned his readership so often,
    if you did not install it nor axe for it, avoid at all
    cost.

    Reading KOS on a weekly basis helps to mitigate
    these troubling issues.

  20. George

    Fortunately, this problem will go away soon.

    Starting in Chrome 86, Google started introducing features that block misleading permission requests. They will also make it harder for websites to ask for push permission if the deny rate is very high.

  21. Peter C

    FYI –
    The certificate for your website expired today. Visitors are getting a cert warning.

  22. Brian Fiori (AKA The Dean)

    I always turn off notifications in the browser settings. Can’t see any reason to get them. Also turn them off, by default, for any computer I set up. I ask the client if they want to receive the requests. Not one has said yes. But even when I turn off notifications in Chrome, I still sometimes receive them. Why is this still an issue?

    Also, just an FYI, this site is now saying it is not secure. I get the warning in both Chrome and Firefox.

  23. JCitizen

    Hmm? Microsoft edge reports KOS as an unsafe site, despite the fact that I just updated the browser. I hesitate to ask Brian to comment just now. This even though the https is evident?!

    1. JCitizen

      Well… it went away, so it must have been a handshake error…I should have just shut up and closed and opened the tab; but I’ve never run into it before!

  24. jbmartin6

    I’ve often wondered why notifications were even added to browsers in the first place. I have yet to see a use case justifying it. Some folks mentioned corporate email interfaces or things where you want a meeting reminder. So go ahead and install an extension for that rather than adding more crap to the browsing experience for everyone else. If I am near a relative’s computer, I will look for a chance to just go into their browser and globally disable them. That’s one less support call I am going to get later.

  25. Sofia Shrestha

    Is the same going on for OneSignal, which people use mostly on WordPress? My visitors are complaining about an increase in irrelevant notifications. Any clue?

  26. Jamie

    I think it was such an annoying window. Great care should be taken when clicking these pop-ups.

  27. School Tech

    Well now, an article I have something to add to! Notifications are the new pop-ups.

    I’m a support tech at a school district. This article mimics close to 99% of my pop-up/spam/malware tickets I get from users.

    My users don’t check what notifications they are accepting! It’s always some spammy source I need to remove from their profile. We’re a Google district so I’ve gone ahead and disabled notifications for Google Chrome for students completely in GSUITE because it got so bad, and I’m hovering over the red button for staff.

    It really is spam, and more likely than not inappropriate for the audience. Nothing quite like a panicked call from a 2nd grade teacher because a notification popped an image of a half-naked woman on the large format display while kids are being instructed. Sure enough there’s some BS source in the allowed notifications list. She clicked on some coupon site once.

Comments are closed.