There’s no denying that push ads have taken over the digital advertising ecosystem. Unfortunately, as push ads grow in popularity, so does the threat to visitors of publishers’ websites. As so often happens when publishers develop new, innovative methods of engagement, cybercriminals trail closely behind with plans to exploit those innovations.
What are push notification ads?
Push notification ads are ads formatted to look like push notifications from an app or website. They get better engagement from users than traditional banner ads.
Push notifications are small pop-up messages that a mobile app, or a website the user has subscribed to, sends to a device, for example to give the user an update, or to notify them about new content, a login attempt, or a new message. They can appear even when the app or site isn’t open.
Push advertising delivers ads to users’ desktop or mobile devices in a format that resembles push notifications. They are effective at user engagement and have grown increasingly popular in the digital advertising world.
There are two kinds of push notification ads: mobile app push and web (browser) push. Because they resemble SMS notifications, push ads feel familiar and natural to users on a mobile device.
Legitimate publishers and advertisers send repeated push notifications with relevant offers or updates. Cybercriminals use the same format to deliver malicious bait and gain a foothold on a user’s device or account without needing any leaked credentials.
Like other types of malicious ads, a push ads attack uses social engineering tactics to trick users into downloading unwanted software, purchasing fake products and services, or giving up valuable personal information.
Social engineering is the manipulation of human emotion to serve the purpose of a malicious actor. The term describes the wide range of malicious activities that use psychological manipulation to trick users into making security mistakes. Social engineering attacks lead users to believe they are downloading or accessing a legitimate service or approving other legitimate authentication requests.
They are hard to prevent because they exploit user carelessness, curiosity, and desire, and rely on human error rather than a software vulnerability. Security tools that look for exploits or known-bad files therefore give a user little protection on their own.
What is a push notification attack?
A push notification attack tricks users into subscribing to push notifications and then bombards the users with ads for scam sites and malvertising.
In most push notification attacks, threat actors start by baiting users with ads about ‘news’, cash prizes, goods and services, and more. The goal is usually not to convince the user to buy anything, but to collect pay-per-view or pay-per-click advertising revenue from the forced traffic. If the attackers can also harvest some user data along the way, all the better.
On mobile and desktop, these attacks rely on browser hijacking and forced full-screen: a click anywhere on the page other than the Allow or Block buttons of the permission prompt switches the browser into full-screen mode and re-opens the prompt. The user lands in a loop of permission requests that prevents them from doing anything else on the device, and the page is built so that tapping Allow looks like the only way out.
This social engineering attack tricks users into unwittingly subscribing to push notifications. Once they have done so, the attacker can send unwanted advertisements directly to the user’s device for as long as the subscription lasts. These push notification campaigns flood users with malvertising, bouncing them to scam sites, forced malware downloads, or similar threats.
How hackers trigger and send push notifications
Threat actors use tactics like ad cloaking to get past security scanning and expose users to dangerous or disruptive content such as push notification spam.
Cloaking works by showing the scanner a different ad than the visitor. The bad actors submit an ad creative and landing page that look legitimate, and hide the real creative and landing-page URLs, either obfuscated in the creative’s code or served only to visitors the attacker fingerprints as real users (by user agent, IP range, device type, or geography). When the ad scanner inspects the ad tag, it sees only the legitimate content and therefore doesn’t block the ad.
When the same ad loads on the publisher’s page for a real visitor, the attacker swaps it for a clickbait creative. If the visitor clicks at that point, they fall into the push notification trap.
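To show what a scanner can do about cloaking, here is an added example in Python (not GeoEdge’s product and not code from the original article). It simulates a cloaking landing page that serves a clean page to anything that looks like a scanner and a push-notification bait page to a mobile visitor, then fetches the page under several visitor profiles, compares the visible text, and looks for push-trap indicators in the JavaScript. The page content, profiles, IP ranges and indicator patterns are all constructed for the demo.

```python
"""Ad-cloaking check: fetch a landing page under several visitor profiles and
compare what a scanner sees with what a real user would see. Added example;
all content, profiles and patterns below are constructed for the demo."""
import difflib
import re
from dataclasses import dataclass

# Constructed pages: what the cloaker shows a scanner vs. a real visitor.
CLEAN_PAGE = """<html><head><title>Daily Deals</title></head>
<body><h1>Weekly offers on kitchenware</h1>
<p>Browse our catalogue of pans and knives.</p></body></html>"""

BAIT_PAGE = """<html><head><title>Daily Deals</title></head>
<body><h1>Your device has (3) viruses! Click ALLOW to clean it.</h1>
<script>
// Any click outside the permission prompt forces full screen and re-asks.
document.addEventListener('click', function () {
  document.documentElement.requestFullscreen();
  Notification.requestPermission();
});
</script></body></html>"""


@dataclass(frozen=True)
class VisitorProfile:
    name: str
    user_agent: str
    ip: str


# The first profile is the scanner's own view; the rest impersonate real users.
PROFILES = [
    VisitorProfile("ad-scanner", "Mozilla/5.0 (compatible; AdScanBot/1.0)", "203.0.113.10"),
    VisitorProfile("headless", "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/118.0", "198.51.100.7"),
    VisitorProfile("mobile-user", "Mozilla/5.0 (Linux; Android 13; Pixel 7) Chrome/118.0 Mobile Safari/537.36", "192.0.2.44"),
]


def cloaked_server(profile):
    """Simulated cloaking decision (attacker side): scanner-like user agents and
    datacenter addresses get the clean page, everyone else gets the bait."""
    ua = profile.user_agent.lower()
    looks_like_scanner = any(tok in ua for tok in ("bot", "headless", "scan"))
    datacenter_range = profile.ip.startswith("203.0.113.")  # constructed "cloud" range
    return CLEAN_PAGE if looks_like_scanner or datacenter_range else BAIT_PAGE


# JavaScript calls and copy that indicate a push-notification trap.
PUSH_TRAP_PATTERNS = {
    "notification-permission": re.compile(r"Notification\.requestPermission"),
    "push-subscribe": re.compile(r"pushManager\.subscribe"),
    "forced-fullscreen": re.compile(r"requestFullscreen\s*\("),
    "allow-bait": re.compile(r"click\s+allow", re.I),
}


def visible_text(html):
    """Strip scripts and tags so the comparison is on what the visitor reads."""
    text = re.sub(r"<script.*?</script>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return " ".join(text.split())


def find_push_trap_indicators(html):
    return sorted(name for name, pat in PUSH_TRAP_PATTERNS.items() if pat.search(html))


def detect_cloaking(fetch, profiles, threshold=0.8):
    """fetch(profile) -> html. Flags the page as cloaked when any real-user
    profile sees text less than `threshold` similar to the scanner's own view."""
    views = {p.name: fetch(p) for p in profiles}
    scanner_view = visible_text(views[profiles[0].name])
    report = {"cloaked": False, "divergent_profiles": [], "indicators": {}}
    for profile in profiles[1:]:
        html = views[profile.name]
        ratio = difflib.SequenceMatcher(None, scanner_view, visible_text(html)).ratio()
        if ratio < threshold:
            report["divergent_profiles"].append((profile.name, round(ratio, 2)))
        indicators = find_push_trap_indicators(html)
        if indicators:
            report["indicators"][profile.name] = indicators
    report["cloaked"] = bool(report["divergent_profiles"])
    return report


if __name__ == "__main__":
    print(detect_cloaking(cloaked_server, PROFILES))
```

In practice `fetch` is a real HTTP client, and for pages that decide in JavaScript a headless browser driven from a residential or mobile exit, because the comparison is only as good as the diversity of the profiles: the “headless” profile above is recognised by the cloaker and sees the clean page, so it adds nothing, while the mobile profile exposes both the content swap and the permission/full-screen trap.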
What is an MFA fatigue attack or push bombing?
MFA fatigue attacks bombard a user with genuine MFA push prompts, triggered by an attacker who already holds the user’s password, until the exhausted user approves one.
Many organizations today use multi-factor authentication (MFA), a security method that requires a user to provide two or more verification factors at login in order to gain access to a website, device, or account. Implementing MFA with an app like Microsoft Authenticator is a good way to protect login data and corporate resources, because a stolen password alone is no longer enough for an attacker to get in.
MFA often uses push notifications to a user’s phone as the second factor. Whenever there is a login request with the user’s username and password, he or she gets a push notification on their phone. If the user did, in fact, make the login request, all they have to do is tap Approve and they are in, without typing a one-time code or going through any further verification of their identity.
This is a convenient way to approve a login attempt or authentication request, since most people have their phone with them at all times. It is not a strong defense by itself, though: a plain Approve/Deny prompt gives the user no way to tell their own login from an attacker’s, and it can be relayed by a phishing proxy just like a one-time code.
A favorite tactic for a threat actor who wants to get around push-based MFA is the multi-factor authentication fatigue attack (sometimes called push bombing). With a valid username and password in hand, the attacker starts login after login, and each attempt sends a genuine MFA push to the victim’s phone, until the exhausted or confused user taps Approve.
Threat actors like MFA fatigue because most victims don’t realize the prompts are attacker-triggered. Repeated push spam is annoying, and the messages look exactly like the legitimate MFA prompts the user receives every day, so victims tend to treat them as a glitch rather than a threat. The moment one prompt is approved, the attacker’s session is authenticated, and the attacker can use it to reach the victim’s accounts and web applications and to pivot past other security controls.
MFA fatigue attack example
Uber was hit with an MFA fatigue attack in September 2022, one of a long list of large and small companies that have been affected.
Companies large and small can be targeted by an MFA fatigue attack. In September 2022 the ride-share giant Uber was breached using a contractor’s password that the attacker had obtained. Because Uber accounts are protected with multi-factor authentication, the password alone was not enough to get into Uber’s systems. The attacker didn’t stop there: they repeatedly triggered MFA push requests and, posing as Uber IT support, told the contractor to approve one.
When the victim, bombarded by push requests, finally approved one, the threat actor gained access to Uber’s internal network and scanned the company’s intranet for sensitive information, including admin credentials.
Uber is not an anomaly. Twitter, Mailchimp, Robinhood, and many other large companies have been breached through social engineering of employees that got past their MFA.
MFA fatigue attack mitigation and prevention
Stopping the attack before the login stage is the best protection: blocking the ads that lure visitors into push notification traps, and hardening the MFA prompt itself so that a tired user cannot approve an attacker’s login.
Companies that have deployed an MFA app like Microsoft Authenticator often have a false sense of security, thinking that having MFA will stop any login attempt by an attacker. They don’t realize that a push prompt that asks only for Approve or Deny, whether from Microsoft Authenticator or another MFA platform, is itself the weak point the attacker exploits.
For the ad-driven push notification attacks described above, the best way to prevent them is to get one step ahead of the attacker and stop the ad, rather than waiting for the login or access-request stage. To do that, publishers need ad verification technology based on blocklists, real-time image and text analysis, and landing page analysis. These advanced ad verification solutions identify ads promoting push notification scams and replace them with clean ads in real time, before the user is exposed to security and quality risks. For MFA fatigue, the controls live in the identity provider: turn on number matching (the user must type a number shown on the login screen into the authenticator, so a blind tap cannot approve a login), show the requesting device’s location and application in the prompt, limit how many pushes a user can receive in a short window and alert on the flood, and move high-risk accounts to phishing-resistant MFA such as FIDO2 security keys.
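To make the difference between those MFA controls concrete, here is an added example in Python (not GeoEdge’s code, and not any vendor’s authenticator implementation): a minimal push-MFA back end with optional number matching and a prompt rate limit, and a simulation of push bombing against it. The user name, password, thresholds and the “gives in after five prompts” victim behaviour are constructed for the demo.

```python
"""Push-MFA back end with number matching and prompt throttling, plus a
push-bombing simulation. Added example; users, passwords and thresholds are
constructed for the demo."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Prompt:
    id: str
    user: str
    number: int        # shown on the *login screen*; must be typed into the authenticator
    created: float
    decided: bool = False
    approved: bool = False


@dataclass
class PushMfaService:
    passwords: dict                     # constructed credential store for the demo
    number_matching: bool = True
    max_prompts: int = 3                # unapproved pushes allowed per user per window
    window_seconds: float = 300.0
    prompts: dict = field(default_factory=dict)
    recent: dict = field(default_factory=dict)   # user -> timestamps of pushes sent
    alerts: list = field(default_factory=list)

    def begin_login(self, user, password, now=None):
        """Step 1: whoever holds the password (user or attacker) starts a login.
        Returns (status, prompt_id, number)."""
        now = time.time() if now is None else now
        if self.passwords.get(user) != password:
            return ("bad-password", None, None)
        window = [t for t in self.recent.get(user, []) if now - t < self.window_seconds]
        if len(window) >= self.max_prompts:
            # Many pushes, none approved: stop sending and raise an alert instead.
            self.alerts.append((user, "push-bombing-suspected", now))
            return ("throttled", None, None)
        self.recent[user] = window + [now]
        prompt = Prompt(secrets.token_hex(8), user, secrets.randbelow(100), now)
        self.prompts[prompt.id] = prompt
        return ("push-sent", prompt.id, prompt.number)

    def respond(self, prompt_id, approve, entered_number=None):
        """Step 2: the phone answers the push."""
        prompt = self.prompts.get(prompt_id)
        if prompt is None or prompt.decided:
            return "invalid-prompt"
        prompt.decided = True
        if not approve:
            return "denied"
        if self.number_matching and entered_number != prompt.number:
            # A tap on Approve without the number is exactly what a fatigued victim does.
            self.alerts.append((prompt.user, "approval-without-matching-number", prompt.created))
            return "number-mismatch"
        prompt.approved = True
        self.recent[prompt.user] = []   # a real approval clears the counter
        return "granted"


def simulate_push_bombing(number_matching, max_prompts, attempts=10, gives_in_after=5, coached=False):
    """Attacker holds the password and starts `attempts` logins one second apart.
    The victim denies until prompt `gives_in_after`, then taps Approve. With
    coached=True the attacker (posing as IT support) has told the victim which
    number to type, the Uber-style scenario."""
    svc = PushMfaService(passwords={"alice": "correct horse battery"},
                         number_matching=number_matching, max_prompts=max_prompts)
    t0 = 1_700_000_000.0
    outcomes = []
    for i in range(attempts):
        status, prompt_id, number = svc.begin_login("alice", "correct horse battery", now=t0 + i)
        if status != "push-sent":
            outcomes.append(status)
            continue
        fatigued = i + 1 >= gives_in_after
        # The victim sees only the phone prompt, not the attacker's login screen,
        # so they know the number only if the attacker relayed it to them.
        entered = number if (fatigued and coached) else None
        outcomes.append(svc.respond(prompt_id, approve=fatigued, entered_number=entered))
    return {"granted": "granted" in outcomes,
            "outcomes": outcomes,
            "alerts": sorted({kind for _, kind, _ in svc.alerts})}


if __name__ == "__main__":
    scenarios = [("plain push", dict(number_matching=False, max_prompts=100)),
                 ("number matching", dict(number_matching=True, max_prompts=100)),
                 ("throttled", dict(number_matching=False, max_prompts=3)),
                 ("number matching, victim coached", dict(number_matching=True, max_prompts=100, coached=True))]
    for label, kwargs in scenarios:
        print(f"{label:32s} -> {simulate_push_bombing(**kwargs)}")
```

Running the four scenarios shows the trade-offs: a plain Approve/Deny push grants the attacker a session on the fifth prompt; number matching turns that blind tap into a mismatch and an alert; throttling at three prompts stops the flood before the victim tires, and produces the push-bombing alert a SOC should page on; and the coached scenario is why number matching alone does not defeat the Uber-style “IT support” call, which is what phishing-resistant MFA is for.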
While push ads are a popular way for publishers to engage their readers, publishers must recognize the growing risk and take the necessary steps to ensure that visitors to their website are protected. That includes implementing verification technology to ensure only quality ads are served.
GeoEdge specializes in automating security and quality assurance. The real-time ad verification solution specializes in blocking a range of bad ads, including latent, non-compliant, or otherwise performance-damaging ad creatives.