Using Keep Aware, our clients have detected an attack type that we have dubbed “Notification Hijacking.” The attack involves malicious redirects that manipulate users to enable browser notifications. These notifications can then be used to deliver malware payloads, phishing attacks, or other malicious content. This blog post provides an analysis of browser notification attacks that we observed in client environments.
Keep Aware detected an attacker taking advantage of a legitimate but vulnerable website that is built using a content management system (CMS). Sites such as online shops or blogs allow their owners to use a CMS to post dynamic content for articles or catalog items. A vulnerable CMS or stolen credentials allow an attacker to post malicious content on the victim site. Such posts are usually hidden in legitimate content already on the website.
In the observed attack, the malicious CMS content was disguised as a popular topic or frequently searched question so that the post ranked in search engine results. The post itself, however, contained redirects to a site hosted by the attacker.
Once the user was on the attacker’s website, the attacker controlled the next interaction. In the Notification Hijacking that we have seen, this step relies on common user habits: it is common for a website or page to require a captcha or some other verification before continuing. The Notification Hijacking attempts, seen below, replicate this behavior but add one extra step: enabling notifications.
Once notifications were enabled, the user was redirected to the legitimate page they were searching for. The malicious site now had unrestricted access to push notifications to the user’s web browser.
It is important to note that the sender was one of the domains where the user enabled notifications. In this case, the notifications spoofed McAfee antivirus logos. The capitalized call to action evoked a sense of urgency. This could cause a person to try and immediately engage with the notification, possibly resulting in a malicious download, a follow-up phishing attempt, or credential theft.
In the attacks that we observed, 15-20 minutes passed before the first malicious notifications appeared. It is possible that the threat actors designed the attack this way so that users are less likely to associate these notifications with the site they were initially redirected to.
Keep Aware Prevention
This Notification Hijacking attack highlights the importance of increased visibility of browser-based attacks and addressing The Browser Blind Spot. Keep Aware has developed a solution to detect Notification Hijacking through a combination of methods:
- Leading Behavior: We have seen a number of attempts that begin with benign searches and advertisements. Users click search results that lead to legitimate CMS-based sites, but they are quickly redirected to unfamiliar, newly created and simple web pages.
- Social Engineering: In most of these cases, the attacker mimics a familiar step, such as a captcha or a “click to continue” puzzle, so that the user, having already invested effort in reaching their destination, goes along with it. Keep Aware analyzes individual activities to determine the risk of social engineering.
- Notifications: Keep Aware detects that a site is requesting the user to enable notifications and establishes the risk and behavior of the associated website.
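As an added example (not Keep Aware’s code), the three signals above combined into one session-level check over a constructed stream of browser events: a search-engine landing, a fast cross-domain redirect, a notification permission request from the redirect target, a bounce back to the real destination, and a later notification from that same origin. The event field names, the search-engine list and the 10-second redirect window are assumptions made for this example.

```javascript
// Added example: scoring a browser session for the Notification Hijacking chain.
// Event shapes ({t, type, url, referrer, name, origin}) are constructed for this example.

const SEARCH_ENGINES = new Set(["www.google.com", "www.bing.com", "duckduckgo.com"]);
const REDIRECT_WINDOW_MS = 10000; // assumed: a redirect within 10 s of landing counts as "fast"

function host(url) { return new URL(url).hostname; }

// Walks the events in time order and records which stages of the chain were seen.
// Returns the stage flags, a score (stages observed) and the suspected hijack host.
function analyzeSession(events) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  const stages = { searchLanding: false, fastRedirect: false, notifRequest: false,
                   bounceBack: false, laterNotification: false };
  let landingHost = null, landingTime = null, hijackHost = null;

  for (const ev of sorted) {
    if (ev.type === "navigate") {
      const h = host(ev.url);
      if (!landingHost && ev.referrer && SEARCH_ENGINES.has(host(ev.referrer))) {
        landingHost = h; landingTime = ev.t; stages.searchLanding = true;      // came from a search result
      } else if (landingHost && !hijackHost && h !== landingHost &&
                 ev.t - landingTime <= REDIRECT_WINDOW_MS) {
        hijackHost = h; stages.fastRedirect = true;                            // quickly sent elsewhere
      } else if (hijackHost && stages.notifRequest && h !== hijackHost) {
        stages.bounceBack = true;                                              // forwarded on after granting
      }
    } else if (ev.type === "permission_request" && ev.name === "notifications" &&
               host(ev.url) === hijackHost) {
      stages.notifRequest = true;                                              // the "verification" step
    } else if (ev.type === "notification" && host(ev.origin) === hijackHost) {
      stages.laterNotification = true;                                         // delayed push from that origin
    }
  }
  const score = Object.values(stages).filter(Boolean).length;
  return { stages, score, hijackHost, verdict: score >= 3 ? "suspect" : "benign" };
}

// Constructed sample session modelled on the chain described in the post (hosts are placeholders).
const SAMPLE_SESSION = [
  { t: 0, type: "navigate", url: "https://shop.example/blog/how-to-fix-x", referrer: "https://www.google.com/" },
  { t: 1500, type: "navigate", url: "https://verify-step.example/", referrer: "https://shop.example/blog/how-to-fix-x" },
  { t: 4000, type: "permission_request", name: "notifications", url: "https://verify-step.example/", outcome: "granted" },
  { t: 4500, type: "navigate", url: "https://real-answer.example/article", referrer: "https://verify-step.example/" },
  { t: 18 * 60 * 1000, type: "notification", origin: "https://verify-step.example", title: "YOUR PC MAY BE INFECTED" },
];
```

Running `analyzeSession(SAMPLE_SESSION)` yields all five stages and a "suspect" verdict, while a session that simply stays on the site reached from the search result scores only the landing stage.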
Attackers are continuously innovating to stay one step ahead of security teams and users. Keep Aware is committed to addressing the vulnerabilities found in the browser and building security into every workday.
–Ryan Cote, Head of Sales @ Keep Aware