{"id":15570,"date":"2019-06-13T11:10:12","date_gmt":"2019-06-13T19:10:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/06\/13\/news-9319\/"},"modified":"2019-06-13T11:10:12","modified_gmt":"2019-06-13T19:10:12","slug":"news-9319","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/06\/13\/news-9319\/","title":{"rendered":"Adware and PUPs families add push notifications as an attack vector"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Thu, 13 Jun 2019 18:36:14 +0000<\/strong><\/p>\n

Some existing families of potentially unwanted programs and adware have added browser push notifications to their weapons arsenal. Offering themselves up as browser extensions on Chrome and Firefox, these threats pose as useful plugins then haggle users with notifications.<\/p>\n

A family of search hijackers<\/h3>\n

The first I would like to discuss is a large family of Chrome extensions that were already active as search hijackers, but have now added a notifications service from a provider hailing from a domain blocked for fraud by Malwarebytes. What that means is you can now expect browser notifications inviting you to come gamble at an online casino or advertisements selling you get-rich schemes that use pictures of celebrities to gain your trust.<\/p>\n

This family is detected under the PUP.Optional<\/a> umbrella, meaning that Malwarebytes flags them for misconduct but recognizes they offer some kind of functionality and are upfront about the fact that they will change your search settings. The third part of Malwarebytes\u2019 detection name usually refers to the name of the extension. So this one is called PUP.Optional.StreamAll<\/a>.<\/p>\n

\n
\"permissions<\/figure>\n<\/div>\n

The extensions in this family are search hijackers\u2014they redirect users to Yahoo! search results when searching from the address bar. The websites behind all the extensions in this family are presented in three different styles that are completely interchangeable:<\/p>\n

\"version<\/figure>\n

Version 1 is a basic design kindly guiding you through the steps of installing the Chrome extension.<\/p>\n

\"version<\/figure>\n

Version 2 shows a circle that fills with color until it reaches 100 percent and then tells you it is ready to install the extension.<\/p>\n

\"version<\/figure>\n

Version 3 is a bit more \u201cin your face\u201d and lets you know you really shouldn\u2019t miss out on this extension. It does come in a few slightly different color schemes.<\/p>\n

The three websites posted above all lead to StreamAll, the same Chrome extension that I have used as an example for this family. In fact, they all redirect to this extension in Chrome’s web store at some point:<\/p>\n

\"streamall
A stunning lot of users, which never ceases to amaze me.<\/em> <\/figcaption><\/figure>\n

Another thing the members of this family have in common is a “thank you” screen after installing one of their extensions, already busy pushing promotional deals. This one has a blue background but can also be fully white.<\/p>\n

\"Thank<\/figure>\n

Their offer to receive notifications is made as soon as you reach one of their sites:<\/p>\n

\"\"<\/figure>\n

These prompts have also been added to member sites of this family that didn’t promote push notifications earlier on.<\/p>\n

If you accept this offer you can find the resulting permission in the Settings<\/strong> menu > click on Advanced<\/strong> > under Privacy and Security<\/strong> > select Site settings<\/strong> > select Notifications<\/strong>.<\/p>\n

The number of extensions in this family is rather large, but here is a list of removal guides I created for the most active ones at the moment of writing:<\/p>\n