> According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling "push notifications," a cross-platform browser standard that allows websites to show pop-up messages which appear outside of the browser.
An elderly relative of mine was hit by this a couple years back: his computer's desktop was constantly being spammed with messages on startup, and there was no simple way to turn them all off. It turned out that they were all notifications from web workers that he'd inadvertently allowed at some point prior. (I set his browser to auto-deny notifications so it wouldn't happen again.)
The entire idea of push notifications on browsers was obviously toxic from the start, especially the privileged status "Do you want to enable notifications?" popups had.
I think the idea comes from the 2010's hype about Phone-Ifying The Desktop. Someone clearly thought they were recreating the Google Reader / RSS ecosystem (Mozilla had RSS in the browser in a flop)... but everyone else was just enthusiastic about dark patterns that were viable in mobile apps that didn't exist in a desktop browser.
I use this feature all the time and I love it. Not having to install dozens of apps just to see the occasional notification is a dream come true.
The way it's trivial for browsers to fake OS notifications on some platforms is a clear design flaw, though. I get the need for it (PWAs and such) but unless the website sending a notification is a PWA, there's no need for a notification to be that ambiguous.
The current system, where Chrome (the only browser that matters) collects information about websites and only shows the permission popup on some websites has mostly killed useful notification support for a lot of websites.
It's a progressive webapp feature and would be a necessary tool to escape Apple and Google stores and hardware lock-in. Like all tech, hindsight is 20/20 with malicious actors.
One of the first settings I change in any new browser is to forbid notification requests from all pages, and disable dom.beforeUnload (stops websites being able to prompt to confirm if I want to close the tab). Those functionalities are probably the most abused browser functionalities and definitely shouldn't be enabled by default (or if so only for a whitelist of sites).
I have run into this. My notes:
Google Chrome (Desktop & Android)
chrome://settings/content/notifications
Or Settings > Privacy and security > Site settings > Notifications
Under "Default behavior," select: Don’t allow sites to send notifications.
------------------
Mozilla Firefox (Desktop)
Settings > Privacy & Security
Scroll to the "Permissions" section, find "Notifications," and click "Settings…"
At the bottom, check: Block new requests asking to allow notifications.
------------------
Microsoft Edge
Settings > Cookies and site permissions > Notifications
Set the default to block all notification requests.
------------------
Safari (macOS)
Safari > Settings (or Preferences) > Websites tab > Notifications
Untick: Allow websites to ask for permission to send notifications
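The notes above are per-profile clicks. When you look after several family machines, the same "block by default, allow a short list" stance can be pushed as managed browser policy instead, so the setting survives reinstalls and cannot be flipped back by a "click Allow to prove you're human" page. The script below is an added example, not something posted in this thread: it generates a Chrome managed-policy file (Edge accepts the same policy names), a Firefox enterprise policies.json, and the about:config equivalents for a single Firefox profile's user.js, including the `dom.disable_beforeunload` pref that the earlier comment refers to as dom.beforeUnload. The policy and pref names are the real Chrome/Firefox ones as far as I know them; the output file names and the allow-list origins are my own constructed choices, and where each file has to be installed is platform-dependent (consult the vendor's policy documentation).

```python
import json
from pathlib import Path
from urllib.parse import urlsplit


def _check_origins(allow):
    """Refuse anything that is not a plain https origin, so a typo cannot
    silently turn into a wildcard that re-enables prompts for everything."""
    checked = []
    for origin in allow:
        parts = urlsplit(origin)
        if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
            raise ValueError(f"allow-list entries must be https origins, got {origin!r}")
        checked.append(origin)
    return checked


def chrome_policy(allow=()):
    """Chrome managed policy: DefaultNotificationsSetting 2 = block all prompts.
    NotificationsAllowedForUrls punches explicit holes for named origins only."""
    policy = {"DefaultNotificationsSetting": 2}
    if allow:
        policy["NotificationsAllowedForUrls"] = _check_origins(allow)
    return policy


def firefox_policies(allow=()):
    """Firefox enterprise policy: block new notification requests and lock the
    setting so the preferences UI cannot undo it."""
    notif = {"BlockNewRequests": True, "Locked": True}
    if allow:
        notif["Allow"] = _check_origins(allow)
    return {"policies": {"Permissions": {"Notifications": notif}}}


def firefox_user_prefs():
    """Single-profile equivalent for a user.js file:
    desktop-notification default 2 = block; beforeunload prompts disabled."""
    return [
        'user_pref("permissions.default.desktop-notification", 2);',
        'user_pref("dom.disable_beforeunload", true);',
    ]


def write_policies(out_dir, allow=()):
    """Write all three artefacts into out_dir (file names are my own choice)
    and return the names written, so the caller can verify what landed."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    (out / "chrome_notifications.json").write_text(json.dumps(chrome_policy(allow), indent=2))
    (out / "policies.json").write_text(json.dumps(firefox_policies(allow), indent=2))
    (out / "user.js").write_text("\n".join(firefox_user_prefs()) + "\n")
    return sorted(p.name for p in out.iterdir())


if __name__ == "__main__":
    # Constructed allow-list: one webmail origin that genuinely needs alerts.
    print(json.dumps(chrome_policy(["https://mail.example.org"]), indent=2))
    print(json.dumps(firefox_policies(["https://mail.example.org"]), indent=2))
    print("\n".join(firefox_user_prefs()))
```

The allow-list check is the part worth keeping even if you hand-write the files: an `http://` origin or a bare hostname in these lists is either rejected by the browser or matches more than you meant, and with a locked policy the person at the keyboard has no way to notice.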
I honestly think desktop notifications in their current form are one of the worst features of the modern web. Sure it's nice to get an email alert but in my experience there's probably a thousand confused old people getting spammed for each person that intentionally enabled it.
What's worse is they look like native OS alerts (on Windows) so when one says "SECURYIRT ALERT!! CALL NOW" it's that much more effective at getting people on the phone with scammers.
So many sites ask for permission to send notifications that have zero reason to do so. Why would I want push notifications from a shopping or news site?
I feel like the web would be a better place if "allow notifications" popups were only allowed for PWAs the user already installed. I.e. they have to manually interact with the page and then click the prompt acknowledging they want to install the site as an application on their computer before the site can start popping up windows from the browser asking for notification permissions.
It's not that there are 0 use cases where it could possibly be convenient to get notifications from a plain site but, like you said with the email example, 95% of the legitimate use cases are probably better modeled as an app anyways.
Advocacy for "progressive web apps" always fell flat to me. There are a few reasons, such as web workers being a Rube Goldberg machine when people just wanted the kind of facility to control caches and fetching that Netscape Netcaster had in 1997. It was predictable to me that the usage breakdown of push notification was going to be
50% spam
49% scams
1% other
and now people are just catching up to the obvious.
It's our own fault for making the internet such a confusing Kafkaesque maze. Click this button, click that button, sign in to confirm you're not a bot, select the traffic signs, select the items that a rat would not eat, solve this maze to prove you're a human, type out the numbers hidden in these demonic noises, provide your phone number to prove you're real, compute proof-of-work, download this browser if you're having issues... The line between fraudster and modern tech company is honestly not clear anymore, and especially not for people who don't care much about tech and just want to access something.
Evolution is messy and guided by random occurrences.
Early in the internet days I had run an open SMTP server for a few years before it was used as a spam relay. The web browser didn't have a security model. Online shopping was going up to a site, writing what you wanted on paper, then mailing off a money order.
Then both fraud and useful things like actual online shopping started happening while the size of the web exploded. Masses of people with no technical capability were getting online. And that's before we got to the age of social media and massive data collection.
Simply put we didn't make the 'web' part of the internet, some people tossed it out as a child and it's been a tooth and nail fight for survival ever since, patching itself up one vuln at a time.
It's not just the captchas either, the "this GPS app needs access to your location" or "this photo taking app wants access to your camera" style pop-ups don't help either.
If you learn once that clicking "deny" in a notification pop-up means your phone doesn't ring when your grandson calls you on WhatsApp, you won't be clicking "Deny" in those pop-ups any more.
I genuinely don't know how to solve that problem, and I definitely see non-technical family members struggle with it.
> Doppelganger campaigns use specialized links that bounce the visitor’s browser through a long series of domains before the fake news content is served
What’s the purpose of being bounced across several different domains before arriving at the destination? I’ve noticed this behavior when accidentally clicking on sketchy ads, but never stopped to think about it.
It bypasses a lot of the checks they do on the initial site when submitting to ad networks. It also allows custom redirections based on user agent, potential ip location, etc. Common in phishing.
I literally just implemented an Okta integration with an internal tool yesterday, so let me offer a little insight on why this happens. I have an existing tool. The guy in charge of it doesn't want me breaking anything, but we want to add an SSO flow to avoid having to login.
So I need an "SSO login page", which fetches some configuration data, stores it, generates some shared tokens, hands them to the browser, and then redirects the user to an Okta endpoint. Okta, for some reason, doesn't directly serve the login screen at that endpoint, so it captures the tokens I gave the browser, then redirects to its login page. The user logs in on the Okta page, which then redirects the user back to a page that I specified, which (since I don't want to touch the fragile 10,000-line PHP document that is the application's home page) is a separate page, which gets some information from the browser, makes a request to another Okta endpoint, at which point the user can be authenticated, logged in, and then sent to the home page of the app.
Basically, the most standalone way of handling the problem involves 4 redirects.
I despise how my university's login system just redirects several times (sometimes getting stuck, reloading and redirecting multiple times, and then occasionally shitting me out on the logged-out screen, wondering WTF happened).
I cannot fathom how their IT staff allows things to be that way. One redirect ideally. Two max. Three, and I'm assuming you don't know what you're doing, at all.
>While TDSs are commonly used by legitimate advertising networks to manage traffic from disparate sources and to track who or what is behind each click, VexTrio’s TDS largely manages web traffic from victims of phishing, malware, and social engineering scams.
Legal sysops is still sysops. Certainly every actor out there putting in place individual-level mass surveillance and influence considers themselves very legitimate.
This is, at least for browser notifications, just yet another result of generally atrocious browser UI decisions.
There are tons of permissions a site may or may not request, all of them configured and requested in different ways. Sometimes it is a full page overlay, like when you get a certificate error. Sometimes it is a separate popup window, like when you allow using a client certificate. Sometimes it is a whole-width bar below the address bar, like when a page requests becoming your mailto:-scheme-handler. Sometimes it is a smaller popover dangling from the address bar or some icon there, like for camera or location. Sometimes I can allow/deny, sometimes I can allow or just close that tab. Sometimes I can remember the setting, sometimes it is auto-remembered.
As soon as the initial setting has been configured, removing or reconfiguring it happens in totally different and unobvious places again.
And then, if I allowed something and there is e.g. a notification from a website, the browser hides the fact that this is a browser-based notification; there are no embedded "STFU, never show again" buttons or anything.
There also is no simple place to just look at all the permissions some website might have. There also isn't a place for many permissions, where you can get a list of websites that have e.g. camera permissions.
It is all just very opaque, non-obvious, historically grown inconsistent spaghetti.
What needs to happen is a consistent permission request and change flow for everything a website wants to do. Not only with "allow forever/deny forever", but also with "allow/deny once", "allow/deny for session", "allow/deny for timeframe". And with an "allow to ask again after timeframe/never/..." selection. Not with popups or bars, but with a whole-page overlay like HTTPS does. Why whole-page? Because then clickjacking won't work, there is more space to put an explanation and options, and pages need to interrupt flow so this will hopefully be used sparingly.
The article is a bit vague on some points, for example: the links bounce the visitor through a series of domain names... why exactly? What do the scammers gain by redirecting the visitor multiple times instead of just once? It is not explained.
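The two questions above (why bounce a visitor through several domains, and what is gained beyond a single redirect) are answered in the thread from the operator's side: each hop can inspect the visitor and branch, and checks done on the first URL never see the later ones. From the defender's side the practical point is that you should record the whole chain rather than the first URL. The tracer below is an added example of mine, not from the article or any commenter: it follows HTTP-level redirects without executing any script, records every hop, and summarises how many distinct hosts were involved and whether the chain looped or ran away. The sample responses are a constructed map standing in for real HTTP replies so the block runs offline; the "three or more distinct hosts" threshold is my own illustrative heuristic, not a published rule.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample responses: URL -> (status, Location header).
# Models an ad click that bounces across two interstitial hosts before landing,
# plus a second chain that loops forever.
SAMPLE_RESPONSES = {
    "https://ad-click.example/go?id=1": (302, "https://hop-one.example/r"),
    "https://hop-one.example/r": (302, "/next"),            # relative Location
    "https://hop-one.example/next": (302, "https://hop-two.example/x"),
    "https://hop-two.example/x": (302, "https://final-landing.example/page"),
    "https://final-landing.example/page": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),
    "https://loop.example/b": (302, "https://loop.example/a"),
}


def fake_fetch(url):
    """Stand-in for an HTTP client; returns (status, location) for a known URL.
    A real fetch would send a fixed User-Agent and never follow redirects
    itself, because the point is to see every hop."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def trace_redirects(start_url, fetch, max_hops=10):
    """Follow redirects manually. Returns (hops, outcome) where hops is every
    URL visited in order and outcome is 'landed', 'loop' or 'too_many_hops'."""
    hops = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return hops, "landed"
        url = urljoin(url, location)   # resolve relative Location headers
        hops.append(url)
        if url in seen:
            return hops, "loop"
        seen.add(url)
    return hops, "too_many_hops"


def summarize_chain(hops, outcome, host_threshold=3):
    """Reduce a chain to the fields worth logging: hop count, ordered distinct
    hosts, final URL, and a flag using the (constructed) host threshold."""
    distinct_hosts = []
    for url in hops:
        host = urlsplit(url).hostname
        if host not in distinct_hosts:
            distinct_hosts.append(host)
    return {
        "hops": len(hops) - 1,
        "distinct_hosts": distinct_hosts,
        "final_url": hops[-1],
        "outcome": outcome,
        "flag": outcome != "landed" or len(distinct_hosts) >= host_threshold,
    }


if __name__ == "__main__":
    for start in ("https://ad-click.example/go?id=1", "https://loop.example/a"):
        hops, outcome = trace_redirects(start, fake_fetch)
        print(summarize_chain(hops, outcome))
```

Two caveats a practitioner should keep in mind: a tracer like this only sees HTTP `Location` redirects, so a hop implemented as a meta refresh or a `window.location` assignment in script is invisible to it, and because a TDS can key on User-Agent and source address, the chain you record from an analysis box may not be the chain a victim saw. Log the User-Agent and egress you used alongside the chain so the two can be compared.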
KrebsOnSecurity is a really weird website. I feel like I should be the perfect audience for it, as a software engineer who is very interested in security and reverse engineering, but every time I try to read their articles it just comes across as paragraphs and paragraphs of overwrought fluff with zero actual content. I guess their audience is someone with less technical knowledge who is impressed by empty phrases like "startling discovery" and "online hucksters and website hackers" and "resilient and incestuous". And that's all just in the first paragraph here. Get to the point, man.
Huh that’s weird I feel the exact same way and should also be the natural audience.
Every time I read an article though I feel like my eyes go cross eyed. It’s like you said, the words are there they should make sense, but I find my attention wandering.
It’s like they are written by a very very early LLM.
I've followed Krebs for years and appreciate this specific warning. I changed my dad's default Windows colors so when he was presented with fake system dialogues floating on web pages he'd spot them as different right away. But the "click allow to prove you're a human" might have caught him. Captcha-annoyed people are slightly easier to fool sometimes. Push wasn't a big thing then or I would have disabled it.
Dad was one of those late computer adopters who had to be instructed carefully about things pretending to be other things and nested windows. I remember when pages spawning new windows (then grabbing focus to hide them) was a thing. Then older folks about to go to bed closing their browsers and greeting the hidden windows like a continuation of their browsing experience.
Russia has evolved along with us on the Internet and I'd remind Mr. Krebs paraphrasing Freud, sometimes a Russian oligarch is just a Russian oligarch. It's possible that the Kremlin has hired these companies like everyone else, and a lot of shady people want to penetrate EU DNS defenses.
Fake camping sites with AI content, whether it's disinformation or deception or hallucination with no human proofreading, are a looming problem. Keep an eye on the prize, preventing old people from getting scammed.
People need more education in general to spot nefarious content, no matter who the state actor is. We don't want a repeat of the Alfa-Bank scam 'October Surprise' either. It relied on the gullibility of the Internet surfing public but DNS administrators should have seen through it and asked more questions.
> TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling “push notifications,”
Why is it even possible for hostile code (i.e. JavaScript) to send OS-level notifications? If clicking a link runs untrusted code with layers of legal insulation, that code should run in a very limited sandbox. It's crazy that we're turning the "Open Web" into an ever-expanding attack surface.
Because people turned browsers into an app platform and users wanted their webmail and chat services to have the same first-class features native clients had.
Who wanted their web browser to let hostile programs send notifications and access battery levels, unused fonts, etc.? Ad companies run the web standards bodies, so "people" (i.e. you and me) have to deal with this.
You don't call any OS level API from a website. The browser makes and shapes the notification for you. If the notification cannot be traced back to your browser, blame your browser vendor for their bad design.
That said, no amount of good browser design can protect a computer from people who don't know what they're doing. I recall a recent malware campaign where a similar mechanism was used, but instead of "click this button, go to site settings, click notifications, click allow", it'd show "copy this, hit windows+r, hit ctrl+v, then press enter to confirm you're human".
As computers continue to be dumbed down, I don't expect computer literacy to rise to a safe level any time soon. It's a matter of time before executing downloads from the internet becomes impossible.
Great article but the fix is Adblock! Enable adblock everywhere for your family and friends at risk. Even if an ad sometimes slips through, since it's out of the ordinary they are way less likely to click.
The problem with this is that many older people are reluctant to use web browsers that actually support true ad blocking. They are used to Chrome and don't want to use anything that is even remotely different. I have this argument with my mom on almost a daily basis. She is always messing up her phone or computer by clicking on something she shouldn't. I have installed firefox for her, but she refuses to use it.
iPads don't support notifications unless your family figures out how to use PWAs (they won't, Apple made sure of that). Also, there are various content blockers for iOS.
Unfortunately, because real alternative browsers are only supported in the EU (and even then with big asterisks), you won't see a normal browser engine with powerful content blocking any time soon. The content filters you can download from the app store help, but they're not as powerful as uBO and friends.
EU required website operators to disclose certain uses of cookies and many of them chose the most obnoxious way possible. Perhaps more agreeable: every website that uses those banners should be disconnected from the internet.
They coulda said "Respect DNT or go to jail" but instead they broke the ultimate window.
For years I advocated, mostly successfully, to keep pop-ups, pop-unders, pop-ins and other abuse like that out of sites I worked on. Then the EU pulls this magic trick that transforms them into something required, and then "wholesome" so after that the dam breaks and it is common for a blog today to pop up three banners that want your email address, for pop-up ads to cover other pop-up ads, etc.
When your government is unresponsive like that the only choice is exit, no wonder the EU is overrun by populists that want out. If they don't want Frexit and Sprexit and Grexit they'd better think twice when they make another thoughtless law with terrible consequences.
I think notifications came about as part of Progressive Web Apps (PWA).
IMO random websites prompting to access your location data is far more problematic
How do you do this? I'm looking to do it for the clipboard API. Browsers should be able to block copy and paste.
------------------
Samsung Internet (Android)
Settings > Notifications > Allow or block sites
Instead of desktop notifications web apps should use pinned tabs and show a badge in the tab header.
Elderly neighbor for me. Quite insipid; it took me a few minutes to realize that they were browser-based when I first got to the computer.
I think the “prove you’re human by hitting the button” attack is pretty clever.
With the range of different ways captchas are presented today I can see it getting a good % of folks.
…but don’t click this button.
reminds me of how okta and similar handle logging in. feels like 10thousand redirects later.. training users that behavior is okay
Still better than the MS Teams website, which can get into a weird state and redirect in circles.
In addition to what the other comments said it also would allow for first-party cookies to be set for those domains
Not sure if that's the purpose but it could potentially be used for tracking, monetization, etc
Multiple impressions per interstitial domain, I imagine.
A lot of microsoft services do this, too. Though, that's probably incompetence.
> This is the new pop-up ad.
browser gave it a front row seat without asking. feels less like security and more of a prank someone forgot to turn off
It never ceases to amaze me how creativity gets ramped up to 11 when it comes to graft, theft and scam.
I stopped reading his website after he started spreading disinformation about Ubiquiti.
I've followed Krebs for years and appreciate this specific warning. I changed my dad's default Windows colors so when he was presented with fake system dialogues floating on web pages he'd spot them as different right away. But the "click allow to prove you're a human" might have caught him. Captcha-annoyed people are slightly easier to fool sometimes. Push wasn't a big thing then or I would have disabled it.
Dad was one of those late computer adopters who had to be instructed carefully about things pretending to be other things and nested windows. I remember when pages spawning new windows (then grabbing focus to hide them) was a thing. Then older folks about to go to bed closing their browsers and greeting the hidden windows like a continuation of their browsing experience.
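The blanket "disable push" the comment above wishes it had applied can be done centrally rather than per-profile. The following is an added example, not something any commenter posted: a Firefox enterprise policies.json that blocks all new notification permission prompts and locks the setting so the user cannot be talked into re-enabling it by a "click Allow to prove you're human" page. The Allow and Block site entries are placeholders for whatever a household or org actually wants; the policy keys themselves are the ones Firefox documents.

```json
{
  "policies": {
    "Permissions": {
      "Notifications": {
        "Allow": ["https://webmail.example.org"],
        "Block": ["https://notifications.example.net"],
        "BlockNewRequests": true,
        "Locked": true
      }
    }
  }
}
```

Firefox reads this from `distribution/policies.json` under its install directory (on Linux packages also from `/etc/firefox/policies/policies.json`). With `BlockNewRequests` set, sites never get the permission prompt, so the dark-pattern page has nothing to trick the user into clicking; `Locked` greys the corresponding Settings UI. Chrome's managed equivalent is the `DefaultNotificationsSetting` policy with value 2 (block), which likewise removes the prompt rather than just defaulting it to "ask".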
Russia has evolved along with us on the Internet and I'd remind Mr. Krebs, paraphrasing Freud, that sometimes a Russian oligarch is just a Russian oligarch. It's possible that the Kremlin has hired these companies like everyone else, and a lot of shady people want to penetrate EU DNS defenses.
Fake camping sites with AI content, whether it's disinformation or deception or hallucination with no human proofreading, are a looming problem. Keep an eye on the prize, preventing old people from getting scammed.
People need more education in general to spot nefarious content, no matter who the state actor is. We don't want a repeat of the Alfa-Bank scam 'October Surprise' either. It relied on the gullibility of the Internet surfing public but DNS administrators should have seen through it and asked more questions.
Once again grateful that at least one mobile platform doesn’t allow browser push notifications.
> TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling “push notifications,”
Why is it even possible for hostile code (i.e. JavaScript) to send OS-level notifications? If clicking a link runs untrusted code with layers of legal insulation, that code should run in a very limited sandbox. It's crazy that we're turning the "Open Web" into an ever-expanding attack surface.
Because people turned browsers into an app platform and users wanted their webmail and chat services to have the same first-class features native clients had.
Who wanted their web browser to let hostile programs send notifications and access battery levels, unused fonts, etc.? Ad companies run the web standards bodies, so "people" (i.e. you and me) have to deal with this.
Because it's very useful.
You don't call any OS level API from a website. The browser makes and shapes the notification for you. If the notification cannot be traced back to your browser, blame your browser vendor for their bad design.
That said, no amount of good browser design can protect a computer from people who don't know what they're doing. I recall a recent malware campaign where a similar mechanism was used, but instead of "click this button, go to site settings, click notifications, click allow", it'd show "copy this, hit windows+r, hit ctrl+v, then press enter to confirm you're human".
As computers continue to be dumbed down, I don't expect computer literacy to rise to a safe level any time soon. It's a matter of time before executing downloads from the internet becomes impossible.
Lost me at "Kremlin disinformation".
Krebs needs to ditch the TDS.
His "Red Herring DNS flaw" garbage was when I realized that 90% of what he spits out is Gell-Mann amnesia.
Great article but the fix is Adblock! Enable adblock everywhere for your family and friends at risk. Even if an ad sometimes slips through, since it's out of the ordinary they are way less likely to click.
https://firstpartyornoparty.org/
The problem with this is that many older people are reluctant to use web browsers that actually support true ad blocking. They are used to Chrome and don't want to use anything that is even remotely different. I have this argument with my mom on almost a daily basis. She is always messing up her phone or computer by clicking on something she shouldn't. I have installed firefox for her, but she refuses to use it.
Okay, my family has iPads. What should they use? Brave? lol
Adguard for Safari is excellent, it can be combined with Vinegar and Baking Soda:
Baking Soda: https://apps.apple.com/ca/app/baking-soda-tube-cleaner/id160...
Vinegar: https://apps.apple.com/us/app/vinegar-tube-cleaner/id1591303...
Adguard pro: https://adguard.com/en/adguard-ios-pro/overview.html
Orion has ad blocking built in and supports Firefox extensions.
I think the extension support is explicitly disallowed by Apple so shhh don’t tell anyone teehee!
iPads don't support notifications unless your family figures out how to use PWAs (they won't, Apple made sure of that). Also, there are various content blockers for iOS.
Unfortunately, because real alternative browsers are only supported in the EU (and even then with big asterisks), you won't see a normal browser engine with powerful content blocking any time soon. The content filters you can download from the app store help, but they're not as powerful as uBO and friends.
UBOL is in testing now for iOS, but Apple has some bugs on their content blocking side. Reminder that adblockers are recommended by the FBI
Tablets not from Apple. That's your fault if you use that shit and can't block ads or install whatever you want.
Nextdns/similar.
VPN with ad blocking built in
There are various ad blockers for Safari on the App Store.
Yes
A clever social engineering approach, but Krebs's trite alarmism overshadows the novelty.
Kinda wish the web had an ability to defend itself.
Put CAPTCHAs on your site: zero traffic.
EU adds those cookie banners to everything: EU should have been disconnected from the internet.
> EU adds those cookie banners to everything
EU required website operators to disclose certain uses of cookies and many of them chose the most obnoxious way possible. Perhaps more agreeable: every website that uses those banners should be disconnected from the internet.
They coulda said "Respect DNT or go to jail" but instead they broke the ultimate window.
For years I advocated, mostly successfully, to keep pop-ups, pop-unders, pop-ins and other abuse like that out of sites I worked on. Then the EU pulls this magic trick that transforms them into something required, and then "wholesome", so after that the dam breaks and it is common for a blog today to pop up three banners that want your email address, for pop-up ads to cover other pop-up ads, etc.
When your government is unresponsive like that the only choice is exit, no wonder the EU is overrun by populists that want out. If they don't want Frexit and Sprexit and Grexit they'd better think twice when they make another thoughtless law with terrible consequences.