What Happens When Push Notifications Go Malicious?
A Storm of Scams Awaits!
Push notifications are a common feature that many websites use to keep users engaged. However, what happens when these notifications turn malicious? Renée Burton, Vice President of Threat Intel at Infoblox, recently shared her firsthand experience with this alarming trend. Here’s a look at how scammers exploit push notifications to deliver scams, including fake gift cards and sweepstakes.
**The Push Notification Trap**
Renée found that when users visit a website that requests permission to send notifications, they may unknowingly grant scammers a powerful tool. Cybercriminals take advantage of this by tricking users into accepting notifications, often without fully understanding the consequences. Once accepted, users are bombarded with misleading messages that redirect them to fraudulent content.
These misleading messages often pose as legitimate alerts from trusted brands like Google or Walmart. They may falsely claim that a user’s account has been hacked or that they have won a gift card. Engaging with these notifications can lead to downloading harmful apps or surrendering personal information.
**The Gift Card Scam**
As part of her investigation, Renée visited sites that employ push notification scams and observed how scammers entice users with promises of substantial winnings. A notification may claim the recipient has won a $10,000 Walmart gift card, prompting them to click on it. Instead of receiving a prize, users are redirected through multiple domains before landing on a fraudulent site.
To claim the gift card, users are asked to provide personal details, including their email and home address. In many cases, they must complete a survey before they can “win.” However, the survey never ends, keeping users trapped in a cycle of ads and data collection schemes.
Screenshot of a series of non-stop email spam pushing gift card scams (Credit: Renée Burton – Infoblox)
**The Survey Scam**
Renée discovered that survey scams are a prevalent tactic used by scammers. Upon clicking a notification that promises a prize, users are led to websites like reward-locker[.]com. These sites request personal details such as name, email, address, and phone number under the guise of confirming eligibility.
Once users provide this information, they are required to complete a series of surveys. Each survey leads to additional advertisements, and scammers keep them engaged with the illusion of an imminent reward. However, the prize never materializes, and users remain stuck in an endless loop of data harvesting.
**The Sweepstakes Scam**
Similar to survey scams, sweepstakes scams exploit users’ trust. Renée investigated fraudulent sites like zippywinner[.]com, which advertise lucrative sweepstakes that appear genuine. These sites lure users into believing they have won big prizes, but in reality, the odds of winning are practically nonexistent. Instead, users are funnelled into more surveys and deceptive schemes designed to extract personal information and generate ad revenue for scammers.
**The Bigger Picture**
Through her research, Renée uncovered that scammers use advanced techniques to evade detection. They employ domain cloaking and traffic distribution systems (TDSs) to deliver varied content, making it difficult for security teams to identify and mitigate these threats.
Infoblox has observed this malicious adtech (advertising technology) operating across various websites, including scientific research platforms, car dealership pages, and activist blogs. The problem is extensive, with millions of websites compromised by push notification scams each year.
**The Impact**
While some may dismiss these scams as minor nuisances, Renée’s findings highlight their severe consequences. Scammers harvest personal and financial information, keeping users locked in cycles of misleading ads and phishing attempts. The only beneficiaries of this system are the scammers themselves.
In conclusion, Renée’s research underscores the dangers of push notifications when misused by cybercriminals. While push notifications can be valuable engagement tools, they can also serve as a gateway for scams. Users should remain alert, avoid clicking suspicious notifications, and never share personal information in response to unsolicited alerts.
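The notification permission this article describes users granting is stored per site in the browser profile, so it can be audited after the fact. The following is an added example, not part of Renée Burton's research or Infoblox tooling: it lists every origin allowed to send notifications, newest grant first. It assumes the Chromium-family `Preferences` JSON layout noted in the comments, and the sample data and the function name `granted_notification_origins` are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: Chromium-family profile layout, where the "Preferences" JSON keeps
# per-site notification decisions at this path (setting 1 = allow, 2 = block).
# Confirm against the browser build in use before relying on it.
NOTIF_PATH = ("profile", "content_settings", "exceptions", "notifications")
ALLOW = 1
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # last_modified is in µs since 1601

# Constructed sample standing in for a real Preferences file.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://mail.example.com:443,*": {"last_modified": "13350000000000000", "setting": 1},
  "https://prize-alerts.example:443,*": {"last_modified": "13360000000000000", "setting": 1},
  "https://news.example.org:443,*": {"last_modified": "13340000000000000", "setting": 2}
}}}}}
""")


def granted_notification_origins(prefs):
    """Return [(origin, granted_at)] for sites allowed to push, newest grant first."""
    node = prefs
    for key in NOTIF_PATH:
        node = node.get(key) if isinstance(node, dict) else None
    if not isinstance(node, dict):
        return []  # no notification decisions recorded in this profile
    granted = []
    for pattern, entry in node.items():
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue  # blocked, or an entry shape we do not recognise
        origin = pattern.split(",", 1)[0]  # drop the ",*" secondary pattern
        try:
            when = CHROME_EPOCH + timedelta(microseconds=int(entry["last_modified"]))
        except (KeyError, TypeError, ValueError, OverflowError):
            when = None  # timestamp missing or unparseable
        granted.append((origin, when))
    return sorted(granted, key=lambda g: g[1] or CHROME_EPOCH, reverse=True)


if __name__ == "__main__":
    # For a real audit: prefs = json.load(open(path_to_profile_Preferences))
    for origin, when in granted_notification_origins(SAMPLE_PREFS):
        print(origin, when.date() if when else "unknown")
```

Any origin in the output that the user does not recognise can be revoked in the browser's site settings.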