A dark adtech empire fed by fake CAPTCHAs

  • > According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling "push notifications," a cross-platform browser standard that allows websites to show pop-up messages which appear outside of the browser.

    An elderly relative of mine was hit by this a couple years back: his computer's desktop was constantly being spammed with messages on startup, and there was no simple way to turn them all off. It turned out that they were all notifications from web workers that he'd inadvertently allowed at some point prior. (I set his browser to auto-deny notifications so it wouldn't happen again.)

  • I think the “prove you’re human by hitting the button” attack is pretty clever.

    With the range of different ways captchas are presented today I can see it getting a good % of folks.

  • > Doppelganger campaigns use specialized links that bounce the visitor’s browser through a long series of domains before the fake news content is served

    What’s the purpose of being bounced across several different domains before arriving at the destination? I’ve noticed this behavior when accidentally clicking on sketchy ads, but never stopped to think about it.

  • > This is the new pop-up ad.

    Browser gave it a front row seat without asking. Feels less like security and more like a prank someone forgot to turn off.

  • > While TDSs are commonly used by legitimate advertising networks to manage traffic from disparate sources and to track who or what is behind each click, VexTrio’s TDS largely manages web traffic from victims of phishing, malware, and social engineering scams.

    Legal sysops is still sysops. Certainly every actor out there putting in place individual-level mass surveillance and influence considers themselves very legitimate.

  • This is, at least for browser notifications, just yet another result of generally atrocious browser UI decisions.

    There are tons of permissions a site may or may not request, all of them configured and requested in different ways. Sometimes it is a full page overlay, like when you get a certificate error. Sometimes it is a separate popup window, like when you allow using a client certificate. Sometimes it is a whole-width bar below the address bar, like when a page requests becoming your mailto:-scheme-handler. Sometimes it is a smaller popover dangling from the address bar or some icon there, like for camera or location. Sometimes I can allow/deny, sometimes I can allow or just close that tab. Sometimes I can remember the setting, sometimes it is auto-remembered.

    As soon as the initial setting has been configured, removing or reconfiguring it happens in totally different and unobvious places again.

    And then, if I allowed something and there is e.g. a notification from a website, the browser hides the fact that this is a browser-based notification; there are no embedded "STFU, never show again" buttons or anything.

    There also is no simple place to just look at all the permissions some website might have. There also isn't a place for many permissions, where you can get a list of websites that have e.g. camera permissions.

    It is all just very opaque, non-obvious, historically grown inconsistent spaghetti.

    What needs to happen is a consistent permission request and change flow for everything a website wants to do. Not only with "allow forever/deny forever", but also with "allow/deny once", "allow/deny for session", "allow/deny for timeframe". And with an "allow to ask again after timeframe/never/..." selection. Not with popups or bars, but with a whole-page overlay like HTTPS does. Why whole-page? Because then clickjacking won't work, there is more space to put an explanation and options, and pages need to interrupt flow so this will hopefully be used sparingly.

  • It never ceases to amaze me how creativity gets ramped up to 11 when it comes to graft, theft and scam.

  • > TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling “push notifications,”

    Why is it even possible for hostile code (i.e. JavaScript) to send OS-level notifications? If clicking a link runs untrusted code with layers of legal insulation, that code should run in a very limited sandbox. It's crazy that we're turning the "Open Web" into an ever-expanding attack surface.

  • The article is a bit vague on some points, for example: the links bounce the visitor through a series of domain names... why exactly? What do the scammers gain by redirecting the visitor multiple times instead of just once? It is not explained.
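  The multi-hop bounce that this comment and the earlier one quoting the Doppelganger link description both ask about can at least be made visible. The following is an added example, not code from the Krebs article or from anyone in this thread: it follows a redirect chain one hop at a time and records every distinct hostname the visitor passes through, with a hop limit and loop detection so a hostile chain cannot keep it spinning. Live use would pass in a function that issues a request without auto-following redirects and returns the Location header; here a constructed in-memory table with made-up hostnames stands in for the network so it runs offline.

```javascript
// Added example (not from the Krebs article or this thread): trace an HTTP
// redirect chain hop by hop and list the hostnames a click is bounced through.
// Assumptions: the caller supplies getLocation(url), which performs ONE request
// without following redirects and returns the Location header string, or null
// when the response is a final page. The sample table below is constructed.

const MAX_HOPS = 20; // a TDS chain longer than this is suspicious by itself

// Constructed sample chain: URL -> Location header it answers with.
// Hostnames under .example are made up for illustration.
const sampleResponses = {
  "https://ad-entry.example/click?id=1": "https://tds-one.example/r/abc",
  "https://tds-one.example/r/abc":       "https://tds-two.example/go?x=1",
  "https://tds-two.example/go?x=1":      "/go?x=2",               // relative Location
  "https://tds-two.example/go?x=2":      "https://landing.example/news",
  "https://landing.example/news":        null,                    // final page
};

// Stand-in for a real single-request fetch that does not follow redirects.
function fakeGetLocation(url) {
  if (!(url in sampleResponses)) throw new Error(`no constructed response for ${url}`);
  return sampleResponses[url];
}

// Follow the chain from startUrl. Returns the ordered hops, the distinct
// hostnames, and why tracing stopped: "final", "loop", or "max-hops".
function traceRedirects(startUrl, getLocation, maxHops = MAX_HOPS) {
  const hops = [startUrl];
  const seen = new Set([startUrl]);
  let current = startUrl;

  for (let i = 0; i < maxHops; i++) {
    const location = getLocation(current);
    if (location === null || location === undefined) {
      return { hops, hosts: distinctHosts(hops), status: "final" };
    }
    // Resolve relative Location headers against the current URL, as a browser would.
    const next = new URL(location, current).href;
    if (seen.has(next)) {
      return { hops, hosts: distinctHosts(hops), status: "loop" };
    }
    seen.add(next);
    hops.push(next);
    current = next;
  }
  return { hops, hosts: distinctHosts(hops), status: "max-hops" };
}

// Distinct hostnames in visit order; the length of this list is the number of
// separate domains the visitor was bounced through.
function distinctHosts(hops) {
  return [...new Set(hops.map((u) => new URL(u).hostname))];
}

// Stand-alone usage with the constructed sample.
const result = traceRedirects("https://ad-entry.example/click?id=1", fakeGetLocation);
console.log(result.status, `${result.hops.length} hops across ${result.hosts.length} hosts`);
result.hops.forEach((h, i) => console.log(`${i}: ${h}`));
```

  Swapping fakeGetLocation for a real request function (one that returns the Location header without following it) turns this into a quick triage tool for a sketchy ad link: the hop list is what you compare against the "long series of domains" the article describes, and a "loop" or "max-hops" result is itself a signal that you are inside a traffic distribution system rather than a normal link.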

  • I've followed Krebs for years and appreciate this specific warning. I changed my dad's default Windows colors so when he was presented with fake system dialogues floating on web pages he'd spot them as different right away. But the "click allow to prove you're a human" might have caught him. Captcha-annoyed people are slightly easier to fool sometimes. Push wasn't a big thing then or I would have disabled it.

    Dad was one of those late computer adopters who had to be instructed carefully about things pretending to be other things and nested windows. I remember when pages spawning new windows (then grabbing focus to hide them) was a thing. Then older folks about to go to bed closing their browsers and greeting the hidden windows like a continuation of their browsing experience.

    Russia has evolved along with us on the Internet and I'd remind Mr. Krebs paraphrasing Freud, sometimes a Russian oligarch is just a Russian oligarch. It's possible that the Kremlin has hired these companies like everyone else, and a lot of shady people want to penetrate EU DNS defenses.

    Fake camping sites with AI content, whether it's disinformation or deception or hallucination with no human proofreading, are a looming problem. Keep an eye on the prize: preventing old people from getting scammed.

    People need more education in general to spot nefarious content, no matter who the state actor is. We don't want a repeat of the Alfa-Bank scam 'October Surprise' either. It relied on the gullibility of the Internet surfing public but DNS administrators should have seen through it and asked more questions.

  • Once again grateful that at least one mobile platform doesn’t allow browser push notifications.

  • Lost me at "Kremlin disinformation".

    Krebs needs to ditch the TDS.

    His "Red Herring DNS flaw" garbage was when I realized that 90% of what he spits out is Gell-Mann amnesia.

  • Great article, but the fix is Adblock! Enable adblock everywhere for your family and friends at risk. Even if an ad sometimes slips through, since it's out of the ordinary they are way less likely to click.

    https://firstpartyornoparty.org/

  • A clever social engineering approach, but Krebs's trite alarmism overshadows the novelty.

  • Kinda wish the web had an ability to defend itself.

    Put CAPTCHAs on your site: zero traffic.

    EU adds those cookie banners to everything: EU should have been disconnected from the internet.