Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attackers Abuse Legitimate EU Cookie Law Notices In Clickjacking Campaign (malwarebytes.org)

Posted by Soulskill on from the everyone-start-using-screen-readers dept.

An anonymous reader writes: Hackers have set up a clever new clickjacking campaign taking advantage of pop-up alerts that European users are (by now) accustomed to see: the "EU Cookie Law" notifications. The criminals are placing a legitimate ad banner on top of the warning message via an iframe. The trick is to make the ad invisible by setting its opacity to zero. So, each time a user clicks anywhere on the legitimate message, he or she clicks also on the hidden ad.

3 of 84 comments (clear)

  1. Ffs by liqu1d · · Score: 4, Interesting

    The people running these spammy practises don't help themselves. All they're achieving is pushing more people to ad blocking software hurting the rest of us who don't run spammy ads and keep them as unobtrusive as possible. Bravo fuckwits.

  2. Hmmm ... by gstoddart · · Score: 3, Interesting

    So shit I don't allow (popups and scripts) being used to tell me that something else I don't allow (cookies) is being used to fool people into clicking ads they don't even see, from companies we shouldn't trust, so we can see ads for stuff we don't want, so some asshole can get revenue for ad clicks?

    And people wonder why we keep saying allowing arbitrary sites to execute scripts and Flash isn't a completely moronic practice??

    I'm sorry, but EVERYTHING about internet ads and how most sites work is in direct opposition to sensible security practice.

    Sorry, but this is precisely why I will continue to block the hell out of any form of ads, because I have no choice but to assume any 3rd party actor called in from a site I am visiting isn't a hostile actor ... and with sufficiently advanced incompetence, "hostile" takes on a very broad meaning.

    The internet got so thoroughly broken when ads came along it isn't funny. Because they seem to want to force us to use terribly insecure technologies on the chance that some small subset of the shit on the interwebs is what we want and can be trusted.

    --
    Lost at C:>. Found at C.
  3. Re:WTF is the "Cookie Law" by Midnight+Thunder · · Score: 3, Interesting

    Actually, why can't this be done by the browser? Browsers could easily have an option, whereby any time you access a new site or domain, that tries to set a cookie or use the local browser storage, you get warned.

    A better law could simply require sites to have an info page listing what is being tracked? Maybe a standard http://..../privacy/ or http://..../cookies/ section? Could make the advertisers uncomfortable :)

    --
    Jumpstart the tartan drive.