Security researchers have warned of a new ‘clickjacking’ campaign exploiting the European popup requirement.
The warning came in a blog posting from security firm Malwarebytes from the company noting that the exploit makes use of the controversial European law that requires web users to be notified when a website wants to install cookies on their machine.
On a clickjacked page, the attackers typically conceal a transparent page within an authentic web page (or in this case, a cookie popup notification). The user thinks he is clicking the visible buttons (i.e. the cookie notification), but essentially the user is tricked into performing actions which they never intended to do.
“We’ve spotted an advertising campaign that tricks users into clicking on what looks like a notification alert that actually hides a legitimate advert, therefore abusing both the advertiser and the ad network hosting the ad (Google Ads Services),” explained Malwarebytes.
“A legitimate ad banner is loaded via an iframe and placed right on top of the warning message,” said Malwarebytes. “However, that ad is invisible to the naked eye because of a parameter within that iframe which sets its opacity to zero.”
“To that effect, when a user clicks anywhere on the pop up message it acts as though they clicked on the ad banner itself, which loads the advertiser’s website,” it said. “This is costing advertisers and ad networks a lot of money while online crooks are profiting from bogus Pay Per Click traffic. We have notified Google about this fraudulent scheme.”
Last year, the technology body techUK, in association with the Home Office’s Cyber Crime Reduction Partnership, warned that clickjacking was still one of the top cyber threats being faced by British firms.
Essentially, when a user visits a web site, they are often presented with a popup that looks to gain a visitors consent about the use of cookies on that particular website.
The law’s introduction was controversial at the time, and in 2013 half of UK organisations said they were ignoring it.
Indeed, some companies went as far as to openly taunt ICO, the body tasked with enforcing this “ridiculous” law.
“The idea of this law is a noble one, it’s just a shame it was drafted by a team of technically illiterate octogenarians who couldn’t find a button on a mouse,” web firm Silktide said at the time.
Are you a security pro? Try our quiz!
Thoma Bravo agrees to acquire Darktrace for $5.32 billion in cash, delivering some welcome news…
Customer adoption of AI services embedded in cloud services continues to deliver results for Microsoft,…
TikTok's 'secret source' algorithm is so core to ByteDance, it would rather shut down US…
After relocating from California to Texas in 2020, Oracle's Larry Ellison now reveals plan to…
Share price hit after Meta admits heavy AI spending plans, after posting strong first quarter…
For third time Google delays phase-out of third-party Chrome cookies after pushback from industry and…