Keep Aware announces funding to challenge people-targeted threats | Read the post >>
Get Assessment
Browser Notifications Hijacking Blog

Browser Notifications Hijacking via DDoS-Protection Mimicry 

Key Findings:

  • DDoS challenge pages are mimicked to take advantage of a user’s general familiarity with captchas
  • Attackers are serving deceptive notifications designed to spur the user to click
  • All impersonating domains were young domains and, at one point, ranked in Cisco Umbrella’s top 1 million domains list
  • Legitimate captcha pages should not prompt you to allow notifications
  • Genuine DDoS challenge pages are hosted on the DDoS firm’s ASN

Overview

Keep Aware’s Threat Research team has identified a browser notifications hijacking campaign that impersonates a Russian-based distributed denial of service (DDoS) protection company’s challenge page. This campaign tricks the user into allowing browser notifications and subsequently bombards them with dubious notifications, masquerading as McAfee or Windows Defender alerts, falsely claiming that the user’s device is infected with viruses.

DDoS protection firms, such as CloudFlare, commonly employ a challenge page to protect their customer websites from bot traffic. Challenge pages require the user to confirm they are not a robot before granting them access to the site. DDoS-Guard, the Russian-based DDoS protection company being impersonated, appears to have a sketchy history of operations. However, this article focuses on the campaign spoofing this firm’s DDoS challenge page to socially engineer victims into subscribing to fake notifications. We will explore the attack sequence, discuss the potential risks, and provide key differences in fraudulent and legitimate DDoS-Guard challenge pages.

Attack Sequence: From Young Domains to Notifications Hijacking

This attack exploits victims’ general familiarity with captcha pages and similar prompts to ultimately trick the user into subscribing to fraudulent browser notifications. The figure below outlines the main steps in this campaign as seen by the victim.

Figure illustrating the attack sequence of this fake notification campaign.

For most of our customers who stumbled upon this campaign, the victim first navigated to a young domain (registered less than one year prior to the incident) and either clicked on a link or an ad that took them to a site impersonating DDoS-Guard’s challenge page. It’s noteworthy that each of these domains were young and, at least at one point in recent months, ranked on Cisco Umbrella’s Top 1M (i.e., the top 1 million) domain ranking list

On these impersonation pages, the user is presented with a fake captcha, as shown by the below screenshot. 

Screenshot of a fake DDoS-Guard page with a fake captcha.

Although this page appears to have a captcha, once the user clicks anywhere on the page, the user’s browser is subscribed to web notifications and the user is prompted to allow notifications.

HTML. Part of an impersonation page’s source code, which shows that clicking on the HTML body will call the “subscribeForNotifications” function.
Javascript. The subscribeForNotifications javascript function found on the impersonating pages. This javascript is executed once a user clicks anywhere on the page.

Screenshot of a spoofed challenge page – after the user clicked somewhere – prompting the victim to allow notifications

Within minutes of allowing notifications, the victim is spammed with notifications falsely claiming to be products like McAfee or Windows Defender. Notifications our research team has encountered include the following:

Screenshots of three unique notifications, delivered via the Chrome browser, falsely claiming to be either Windows Defender or McAfee and showing fake virus alerts.

 

For many computer users, seeing this type of alert pop up outside of a webpage will likely strike a sense of urgency and spur them to click on one of these notifications. If a victim clicks on any of them, the browser opens a new tab that, during our research, went to “olakoudos[.]xyz” and swiftly redirected to “goatmod[.]xyz”, which then also prompts the victim to subscribe to notifications from this site. 

Screenshot of goatmod[.]xyz prompting the victim to allow notifications and falsely claiming this action is needed to prove they are not a robot.

While the ultimate goal of this campaign remains unclear, we suspect it is generating ad revenue derived from victims clicking on the notifications. Additionally, it should be noted that these web notifications are produced via web subscriptions that have the capacity to gather personal and device-related data. Furthermore, engaging with deceptive or unexpected notifications exposes the user to the potential risks of downloading malware, falling for phishing attempts, or becoming a target for other subsequent cyberattacks.

Comparative Analysis: Impersonations vs Legitimate Pages

Even though the domains and URLs in this campaign vary, every DDoS-Guard impersonation page we’ve encountered share common characteristics:

  • they all use the same HTML code (with some small differences particularly in the subscribeForNotifications function’s variables),
  • they’re hosted on the same ASN (198068, PAGM-AS), and
  • they’re registered under the same registrar (NameCheap, Inc.).

Aside from cosmetic differences (such as differences in capitalizations), legitimate DDoS-Guard challenge pages include the following characteristics:

  • they have vastly different HTML code,
  • they use legitimate captcha web technologies, such as hCaptcha, 
  • they are hosted on a “DDOS-GUARD” ASN, such as 57724, and
  • they do not prompt the user to allow notifications from the site.

Conclusion

This impersonation and notifications hijacking campaign leverages users’ general familiarity with captchas to trick them into enabling notifications. Victims are then spammed with fraudulent notifications, likely for the purpose of generating ad revenue, but have the capability to lead to subsequent cyberattacks. The primary differences between the legitimate DDoS-Guard challenges pages and the impersonated sites, such as different hosting, the implementation of non-legitimate captcha technologies, and the forced prompt for allowing notifications, are key identifiers of this particular campaign.

Keep Aware, Preventing Notification Hijacking Attempts

Keep Aware’s browser security extension includes numerous detections, also known as “patterns”, aimed at safeguarding our customers from various forms of cyberattacks. These patterns, used in conjunction with our extension’s prevention capabilities, are designed to identify and block suspicious browsing activities, such as visits to pages that serve deceptive notifications or fraudulent captchas akin to those found in this campaign. To learn more about how Keep Aware mitigates notification hijacking attempts, refer to our recent article on the subject.

IOCs

IOCs, or indicators of compromise, related to this campaign are listed below.

Domains and URLs Spoofing DDoS-Guard Challenge Page

DomainURL
abdoser[.]co[.]inabdoser[.]co[.]in/ddos/dz.html
adsos[.]xyzadsos[.]xyz/ddos/dz.html
alebarda[.]co[.]inalebarda[.]co[.]in/4/
antipuls[.]comantipuls[.]com/00/
biserka[.]xyzbiserka[.]xyz/ddos/1fc.html
errossanksix[.]xyzerrossanksix[.]xyz/ddos/1zp.html
fulikgoat[.]co[.]infulikgoat[.]co[.]in/ddos/dz.html
guartian[.]co[.]inguartian[.]co[.]in/ddos/dz.html
macaroons[.]co[.]inmacaroons[.]co[.]in/bd/m/
paszxc[.]xyzpaszxc[.]xyz/adf[.]html
ruffcensaop[.]xyzruffcensaop[.]xyz/ddos/1at.html
teaserusdt[.]xyzteaserusdt[.]xyz/bm/
webav[.]co[.]inwebav[.]co[.]in/tt/
windesk[.]co[.]inwindesk[.]co[.]in/fs/

Other Relevant Domains

Domain
goatmod[.]xyz
pushtorm[.]net
olakoudos[.]xyz

Lead Threat Researcher

Erin Kuffel