Clickjacking Campaign Exploits European Cookie Law

cyber security

Malwarebytes warns of advertising scam tricking users via the European cookie popup notification

Security researchers have warned of a new ‘clickjacking’ campaign exploiting the European popup requirement.

The warning came in a blog posting from security firm Malwarebytes from the company noting that the exploit makes use of the controversial European law that requires web users to be notified when a website wants to install cookies on their machine.


Hacker, programmer, cyber crime, keyboard, computer © scyther5, Shutterstock 2014Clickjacking essentially tricks a user into performing undesired actions by clicking on a concealed link.

On a clickjacked page, the attackers typically conceal a transparent page within an authentic web page (or in this case, a cookie popup notification). The user thinks he is clicking the visible buttons (i.e. the cookie notification), but essentially the user is tricked into performing actions which they never intended to do.

“We’ve spotted an advertising campaign that tricks users into clicking on what looks like a notification alert that actually hides a legitimate advert, therefore abusing both the advertiser and the ad network hosting the ad (Google Ads Services),” explained Malwarebytes.

“A legitimate ad banner is loaded via an iframe and placed right on top of the warning message,” said Malwarebytes. “However, that ad is invisible to the naked eye because of a parameter within that iframe which sets its opacity to zero.”

“To that effect, when a user clicks anywhere on the pop up message it acts as though they clicked on the ad banner itself, which loads the advertiser’s website,” it said. “This is costing advertisers and ad networks a lot of money while online crooks are profiting from bogus Pay Per Click traffic. We have notified Google about this fraudulent scheme.”

Last year, the technology body techUK, in association with the Home Office’s Cyber Crime Reduction Partnership, warned that clickjacking was still one of the top cyber threats being faced by British firms.


Cookie MonsterThe European Cookie directive came into effect back in 2012, and will be familiar to many web surfers.

Essentially, when a user visits a web site, they are often presented with a popup that looks to gain a visitors consent about the use of cookies on that particular website.

The law’s introduction was controversial at the time, and in 2013 half of UK organisations said they were ignoring it.

Indeed, some companies went as far as to openly taunt ICO, the body tasked with enforcing this “ridiculous” law.

“The idea of this law is a noble one, it’s just a shame it was drafted by a team of technically illiterate octogenarians who couldn’t find a button on a mouse,” web firm Silktide said at the time.

Are you a security pro? Try our quiz!