We’ve spotted an advertising campaign that tricks users into clicking on what looks like a notification alert that actually hides a legitimate advert, therefore abusing both the advertiser and the ad network hosting the ad (Google Ads Services).
The rogue actors behind this fraudulent activity are cleverly leveraging a European law on the use of cookies to seemingly prompt visitors to answer a question.
“The Cookie Law is a piece of privacy legislation that requires websites to get consent from visitors to store or retrieve any information on a computer, smartphone or tablet. All websites owned in the EU or targeted towards EU citizens, are now expected to comply with the law.”
Source: https://www.cookielaw.org/the-cookie-law/
We took apart one such page to describe exactly how it works.
A legitimate ad banner is loaded via an iframe and placed right on top of the warning message. However, that ad is invisible to the naked eye because of a parameter within that iframe which sets its opacity to zero.
To that effect, when a user clicks anywhere on the pop up message it acts as though they clicked on the ad banner itself, which loads the advertiser’s website.
While simple, this technique, also known as clickjacking, is pretty effective at generating clicks that look perfectly legitimate and performed by real human beings as opposed to bots.
This is costing advertisers and ad networks a lot of money while online crooks are profiting from bogus Pay Per Click traffic. We have notified Google about this fraudulent scheme.
IOCs:
Ad network involved:
- popcash.net
Domains involved:
- featurewebhosting.com
- elitewebhostings.com
- bestcartoday.info
- hotcartop.online
- ivirtualcloudhost.com
Network traffic example:
COMMENTS
Pingback: European Cookie Law, Meet Clickjacking - Customer Servant Consultancy()
Pingback: Clickjacking in cookie law popup windows. Duh. | WebDevLaw blog()
Pingback: 4 – Websites use EU cookie law to trick users into clicking invisible ads()
Pingback: Clics frauduleux sur Adsense via la loi européenne sur les Cookies | Portail d'information générales()
Pingback: Cyber crooks abuse legitimate EU Cookie Law notices in clever clickjacking campaign | OSINFO()
Pingback: EU Cookie Law Notification Abused to Hijack Clicks for Invisible Ads | Axxera Security Blog()
Pingback: Clickjacking Campaign Plays on European Cookie Law | Malwarebytes | CYBERSEECURE |()
Pingback: Clickjacking Campaign exploits the European Cookie LawSecurity Affairs()
Pingback: Clickjacking Campaign exploits the European Cookie Law - Systerity()
Pingback: Clickjacking Campaign exploits the European Cookie Law | OSINFO()
Pingback: Weekendowa Lektura 2016-01-09 – bierzcie i czytajcie | Zaufana Trzecia Strona()
Pingback: Podvodníci začali zneužívat evropský “sušenkový zákon“ » Kyber bezpečnost()
Pingback: Klickbetrug-Kampagne hinter Cookie-Warnung versteckt | Allofus: News, Tipps, Tricks und Fotos()
Pingback: ‘Clickjacking’ campaign abuses European browser cookie law – istrategist()
Pingback: Fraudulent advertisers hide banners behind cookie warnings, reports Malwarebytes.org | Personalised Communication()
Pingback: Rozmáhající se clickjacking maskovaný za koláčkovou lištu – 404M.COM()
Pingback: Clickjacking Campaign Plays on European Cookie Law | La Cybercriminalité sous toutes ses formes avec Jean-Paul Pinte()
Pingback: Steptoe Cyberlaw Podcast – Interview with Senator Tom Cotton | Steptoe Cyberblog()
Pingback: Arriva il banner ingannevole che sfrutta la normativa sui cookie ~ Sicurezza Informatica()
Pingback: Veille Cyber N60 – 18 janvier 2016 |()
Pingback: Veille sur la cybercriminalité de Jean-Paul PINTE, cybercriminologue, Maître de conférences, Enseignant chercheur à l’Université Catholique de Lille, auteur du blog http://Cybercriminalite.wordpress.com – 15/01/2016()
Pingback: “点击劫持”伪造Cookie提示弹窗诱使用户点击 | 小橙子科技()
Pingback: “点击劫持”:伪造Cookie提示弹窗诱使用户点击 | 邪恶十六进制()
Pingback: San Bernardino y las puertas traseras » Politikon()
Pingback: .dencuentro | El punto de encuentro para el estudio de lo político()
Pingback: Could European cookie law be a threat to cybersecurity? – TechnoLlama()