Attackers Abuse Legitimate EU Cookie Law Notices In Clickjacking Campaign

An anonymous reader writes: Hackers have set up a clever new clickjacking campaign taking advantage of pop-up alerts that European users are (by now) accustomed to see: the "EU Cookie Law" notifications. The criminals are placing a legitimate ad banner on top of the warning message via an iframe. The trick is to make the ad invisible by setting its opacity to zero. So, each time a user clicks anywhere on the legitimate message, he or she clicks also on the hidden ad.

Block 'em all.

Blockity blockity blockity. When the advertisers clean their own house, then I'll stop blocking them.

I'm not holding my breath here.

AC

Ffs

[liqu1d]

The people running these spammy practises don't help themselves. All they're achieving is pushing more people to ad blocking software hurting the rest of us who don't run spammy ads and keep them as unobtrusive as possible. Bravo fuckwits.

Re:Ffs

[cfalcon]

All ads are bad. These ads are worse. But all ads are bad.

Re:Ffs

[Threni]

They are helping themselves; they're making money from advertisers. Advertiser don't like it, but the spammers don't care. And I don't care, as run adblocking software on every device I own. What's hurting advertisers is adverts, which nobody ever wants to see. Yes, you can argue it's how sites make money. I don't care about that either. I'd rather pay a (micro)subscription than have random companies getting in my face trying to sell me shit I don't want or need.

Re:Ffs

[rtb61]

Some advertisements are OK, as long as they are truthful, informative, not overly intrusive and in more non jarring fashion aligned to the content that delivers them. Those ads are fine, drop outside of that and those web sites, advertising agencies and advertisers deserve script blocking. Some advertisers end up suffering pretty badly for going with the wrong agencies and producing the worst sort of intrusive ads. Remember people, it is the internet and not the store and people will remember exactly why about you ad that drove them to hate a product.

Re:Ffs

[AmiMoJo]

Tragedy of the commons. It's easier to slaughter the weak ones than to grow a sustainable hurd.

ABP?

[FatdogHaiku]

So, would Ad Blocker Plus stop an invisible ad? I would hope so as long as the code calls an ad... visible or not...

Re:ABP?

[Z00L00K]

If the ad detection filter can catch it then the invisible ad will be stopped.

Re:ABP?

[Blue+Stone]

Well, speaking personally, I use ABP's "Select element to hide" function on all those EU cookie banner pop-ups - if I can't just ignore them (and rather than close them via clicking 'OK') - so that would probably select the malvertisement.

Bloody EU legislators legislating mandatory spam pop-ups. What the actual F?

Re:ABP?

[amorsen]

Bloody EU legislators legislating mandatory spam pop-ups. What the actual F?

The sites could just stop tracking non-logged-in users, then they would not have to put up cookie warnings.

Self destructing cookies combined with I don't care about cookies solve most of the problem though.

NoScript or hosts: take your pick

[tepples]

Services such as ClarityRay defeat your blocking.

But there are two ways around ClarityRay: either block access to the servers that serve these scripts or block the browser from executing any scripts. Sites are unlikely to hide text from no-script users because that also hides text from search engines.

Re:NoScript or hosts: take your pick

[gstoddart]

What's Clarity Ray?

Honestly, I have no idea why people accept sites should by default be allowed to run scripts, or the 15 sites they cross link to should run scripts just because you loaded the page.

And, FYI, I've seen an increasing number of sites which render their content with javscript, and you only see a blank page without it. Of course, if you know how to view the page source and don't much care about the formatting the text is usually right there.

Me, I'd just as soon punch the average web site administrator in the nose as assume I have any reason to allow them to run scripts. My default position on scripts is "piss off", and I'll enable them if I think I care or trust you. But your third parties? They can always piss off.

Re:NoScript or hosts: take your pick

[Opportunist]

How does it do that? By disallowing my access to a site?

Ok. Accepted.

NEXT!

Re:NoScript or hosts: take your pick

[Jahta]

What's Clarity Ray?

Honestly, I have no idea why people accept sites should by default be allowed to run scripts, or the 15 sites they cross link to should run scripts just because you loaded the page.

And, FYI, I've seen an increasing number of sites which render their content with javscript, and you only see a blank page without it. Of course, if you know how to view the page source and don't much care about the formatting the text is usually right there.

Me, I'd just as soon punch the average web site administrator in the nose as assume I have any reason to allow them to run scripts. My default position on scripts is "piss off", and I'll enable them if I think I care or trust you. But your third parties? They can always piss off.

ClarityRay is an Israeli "ad security" company, acquired by Yahoo last year - ClarityRay Battles Ad Blockers With $500K In Funding. Fun quote from TFA - “We believe ad-blocking today is a lot like how pirate MP3s were before iTunes: they point to a valid consumer need, but do so in an unsustainable manner business wise,” says co-founder and CEO Ido Yablonka. Though if you are also running NoScript it's hard to see how they can do anything meaningful.

And you are spot on about the whole transitive trust aspect. Just because I may trust "site x" that doesn't mean that I trust the dozen other sites "site x" have partnered with who are trying to send me ads and scripts.

Re:NoScript or hosts: take your pick

[sexconker]

Pretty much.

The only way to defeat ad blockers is to wait for verification that the ad was served before you deliver content.
Then you have to hope that users are willing to add an exception for your site to allow ad and a plethora of shitty scripts and tracking crap in order to see your content.

There have been exactly two cases where I've allowed ads to allow content:
1 - Watching South Park episodes on the official site.
2 - Watching the first 4 episodes of The Expanse on syfy.com before the TV premier.

In both cases I just used IE instead of FF and muted and browsed elsewhere whenever the ads came on.

Re:NoScript or hosts: take your pick

[nospam007]

"There have been exactly two cases where I've allowed ads to allow content:
1 - Watching South Park episodes on the official site.
2 - Watching the first 4 episodes of The Expanse on syfy.com before the TV premier."

I bet you regret the Siffi case.

Re:NoScript or hosts: take your pick

[Darinbob]

Not true. I have no script and many very common sites are completely blank until I turn on some scripts.

Re:NoScript or hosts: take your pick

[sexconker]

No, I'm mostly liking The Expanse so far. It's not quite what I was hoping for, but it's more than I was expecting.
I also mostly like Dark Matter, I liked Childhood's End, and am on the fence about 12 Monkeys.

These aren't like Continuum, Magicians, Alphas, Eureka, or whatever else they shit out.

Re:NoScript or hosts: take your pick

[tepples]

Which sites? And do they remain blank if you also turn off CSS?

Re:NoScript or hosts: take your pick

[tepples]

NEXT!

Say you search for something using a generic web search engine such as DuckDuckGo or Google. Then you discover that the top three relevant results also disallow your access because they detect an ad blocker. Now you have wasted your time on three different sites, and you just want the web to work. Now what do you do?

Re:NoScript or hosts: take your pick

[Darinbob]

Not sure. Pages aren't completely blank but generally only have a header from whatever site it is but the article is blank. I'd have to start browsing random sites again to find one. And I have no idea how to enable/disable css. Just reporting that when I browse normally with noscript I see pages without the main body of the text until I start enabling scripts one by one.

Re:NoScript or hosts: take your pick

[Opportunist]

Find a better adblocker that gets around it.

Re:NoScript or hosts: take your pick

[AmiMoJo]

Sites that use JavaScript to load content can easily be fixed by changing your user agent to the one used by the Google spider. They play nice when it's Google.

somebody remind me why we all run adblockers?

Please.

Need a good HOSTS file

[110010001000]

I was thinking of this the other day: we need someone who can maintain a good HOSTS file that we can all subscribe to. Anyone know of anyone like that? As a bonus, the maintainer should be grumpy.

Re:Need a good HOSTS file

[radarskiy]

"How the hell is the ad supposed to retrieve data from we_know_everything_about_you.com when your hosts file points we_know_everything_about_you.com to 0.0.0.0?"

By retrieving the data from 98.62.81.5

Re:Need a good HOSTS file

[GrumpySteen]

As a bonus, the maintainer should be grumpy.

But I don't want to maintain anything.

Re:Need a good HOSTS file

[e5150]

See also: http://someonewhocares.org/hos... http://pgl.yoyo.org/adservers/... (not hosts formatted: https://spam404bl.com/spam404s... and http://mirror2.malwaredomains.... ) I'm using a shell script to aggregate those into a blacklist used by dnsmasq for my LAN (altough it is somewhat discouraging to see how often my android devices tries to phone home when on my wifi).

Re:Need a good HOSTS file

[antdude]

Neither did uBlock Origin. /. has its own ads. :(

Re:Need a WYSIWYG browser

[SQLGuru]

The problem is that @ opacity 0%, it's still being rendered and the software believes it to be visible.....it's just that it's as visible as good quality glass covering a picture....it's there, but you eyes look through it.

Hmmm ...

[gstoddart]

So shit I don't allow (popups and scripts) being used to tell me that something else I don't allow (cookies) is being used to fool people into clicking ads they don't even see, from companies we shouldn't trust, so we can see ads for stuff we don't want, so some asshole can get revenue for ad clicks?

And people wonder why we keep saying allowing arbitrary sites to execute scripts and Flash isn't a completely moronic practice??

I'm sorry, but EVERYTHING about internet ads and how most sites work is in direct opposition to sensible security practice.

Sorry, but this is precisely why I will continue to block the hell out of any form of ads, because I have no choice but to assume any 3rd party actor called in from a site I am visiting isn't a hostile actor ... and with sufficiently advanced incompetence, "hostile" takes on a very broad meaning.

The internet got so thoroughly broken when ads came along it isn't funny. Because they seem to want to force us to use terribly insecure technologies on the chance that some small subset of the shit on the interwebs is what we want and can be trusted.

Re:WTF is the "Cookie Law"

[Midnight+Thunder]

Actually, why can't this be done by the browser? Browsers could easily have an option, whereby any time you access a new site or domain, that tries to set a cookie or use the local browser storage, you get warned.

A better law could simply require sites to have an info page listing what is being tracked? Maybe a standard http://..../privacy/ or http://..../cookies/ section? Could make the advertisers uncomfortable :)

Re:WTF is the "Cookie Law"

And why put the burden on every single web site owner, instead of putting the burden on the very few user against commonly used?

I would love to give an answer here, but I can't really get my head around what you mean with that last part.

The idea behind the law is that the users should be informed if a page tracks them, and ensure that it is an opt in system rather than opt out.
It would probably have been better if the browser behaved a bit like noscript but with cookies instead of scripts, but politicians seldom finds a good solution.
Anyway, the burden is put on the single web site owner because he is the one who wants to track the users.
It makes sense to put the burden on the one who benefits from it, otherwise you repeat the whole DMCA crap that is open for abuse without any reason for the one who benefits to hold back.

Re:WTF is the "Cookie Law"

[wonkey_monkey]

on the very few user against commonly used?

Huh?

Did you mean "user agents"? If so, how is a browser supposed to determine which cookies are, or are not, strictly necessary for a particular action requested by the user?

Re:WTF is the "Cookie Law"

[Coisiche]

Apologies for the source but here's a bit of a humorous summary of the Cookie law as implemented in the UK.

Re:WTF is the "Cookie Law"

[LQ]

Here in UK, we're having a referendum this year or next on leaving the EU. It's this sort of bureaucratic nonsense that pushes people to vote to leave.

Re:WTF is the "Cookie Law"

[gstoddart]

You can do these things, but you have to take ownership of it, and you have to be fairly diligent about it.

My mom? Probably not so much.

So, someone came up with a strategy whereby if they just said "we set teh cookies", then they're covered. That it might be cookies from 10 external partners which add nothing at all to your overall experience, well, that's a little detail to gloss over.

I block the heck out of this crap, use extensions to block stuff, and keep blacklisting stuff or adding rules to Chrome. But I wouldn't expect your average user to be willing to do that.

The problem is the default position of the web is everybody wants you to run the browser in the most insecure, wide open method possible to allow their precious pile of shit to work as envisioned.

Me, I see a page which tells me I need to enable javascript, or turn on cookies ... and the back button is all they'll see. Because I have no intention of trusting most web sites, and not at all their third part ad/analytics companies.

Re: Need a WYSIWYG browser

[bondsbw]

And even if transparent overlays were treated as a special case, all they would have to do is set the ad to 1% opacity.

Re:Need a WYSIWYG browser

[Mikkeles]

My initial thought as well. The difficult part is: what opacity is invisible? For example: a frame with a single background colour and no border may just be interpreted as part of the legitimate widget for clicking.

Re:WTF is the "Cookie Law"

[Z00L00K]

Firefox has that option, then it's possible to configure if it shall be denied, accepted or just valid for the session. I usually select the last because it looks to the site as if the cookie was successfully set but next visit after a browser restart it's not there anymore. And I also try to avoid third-party cookies as much as possible.

Re:WTF is the "Cookie Law"

The only shocking thing about it is how easy manipulation of public opinion through mass media still is.

Re:WTF is the "Cookie Law"

[turbidostato]

"The "Cookie Law" is not really about cookies and is widely misinterpreted. It merely affirms that these two principles apply to websites - if you are collecting personally identifying data about your visitors you need to let them know first."

The problem is, of course, that the "Cookie Law" neither affirms those rights nor was intended to do so, just pretend. Like going through the movements but still not dancing.

I Was Immediately Suspicious

[sudon't]

When I first began seeing these "Cookies Exist" banners, (I see a lot of them, using a European server through my VPN), I was immediately suspicious. I mean, who needs to be told web sites use cookies? Why do you have to click something? I was surprised to find out this was an actual EU law. Glad my initial paranoia's been vindicated, though.

Why?

[U2xhc2hkb3QgU3Vja3M]

Why are we at this point? Why let ads be HTML+CSS+Javascript in the first place?

Forcing ads to go back to being simple PNG or JPEG images with an HREF link would solve a lot of problems. Non-annoying, static images would probably lower the number of people installing ad blockers too.

Re: Need a WYSIWYG browser

[U2xhc2hkb3QgU3Vja3M]

But the fix would be equally easy, just block things set a both 0% and 1% opacity!

Oh wait...

Re:WTF is the "Cookie Law"

[JaredOfEuropa]

This law is the worst, dumbest idea in the history of bad ideas. Actually the intention itself isn't bad, but the law is. Because "collecting personal data" is also interpreted to mean cookies of pretty much any kind, meaning it applies to almost all website. Thus on almost every bloody site you visit, you first have to click through this stupid and pointless warning. The net effect has been pretty much zero; and as the article suggests it may actually be dangerous: people are now so used to clicking away these warnings that the do so without really looking at them. Thankfully an increasing number of companies and organisations are starting to ignore this law.

In case you missed it....

[VoiceOfDoom]

...some amusing background on the cookie law https://silktide.com/the-stupi...

Aside from degrading the web experience for millions of users, costing companies money better spent on accessibiity or security improvements and trashing analytics, it was only a matter of time before someone caught on to the nefarious possibilities of a popup that the user has been conditioned to see (and accept without scrutiny).

This law was one of the bloody stupidest moves in the history of technology and serves only to reinforce the unfortunate attitude that clicking a box can equate to "informed consent". A classic case of confusing the success of a mechanism with the desired outcome.

Re: In case you missed it....

[Frankzy]

You mean money better spent on the boards paychecks

Re:WTF is the "Cookie Law"

[amorsen]

Because it is the bloody server owner who inflicts the tracking cookies on its users. Therefore it's their responsibility to make sure that the users are informed about being fucked over.

Re:WTF is the "Cookie Law"

[amorsen]

Do you ever restart your browser? I mean other than for kernel or browser updates?

Self destructing cookies gets this right. That add-on should be built-in functionality with an opt-out for the few who don't want it.

Re:WTF is the "Cookie Law"

[amorsen]

Because "collecting personal data" is also interpreted to mean cookies of pretty much any kind, meaning it applies to almost all website.

That is because almost all websites collect personal data. They could just stop doing that; they have no legitimate reason to do so. Then the cookie warnings would go away.

Re:WTF is the "Cookie Law"

[tlhIngan]

This law is the worst, dumbest idea in the history of bad ideas. Actually the intention itself isn't bad, but the law is. Because "collecting personal data" is also interpreted to mean cookies of pretty much any kind, meaning it applies to almost all website. Thus on almost every bloody site you visit, you first have to click through this stupid and pointless warning. The net effect has been pretty much zero; and as the article suggests it may actually be dangerous: people are now so used to clicking away these warnings that the do so without really looking at them. Thankfully an increasing number of companies and organisations are starting to ignore this law.

Well, the intention is that the consumer is to start questioning why. I mean, if I go a browse a few pages, not logging in or anything, WHY is it setting cookies? Why does it need to track me? Fine, sure, if I log in, you need a cookie to track that. But if I'm a guest, why are you doing it? Why do you need session cookies when I'm just pulling information?

I mean, we asked why people stored cookies just to view static web sites. And most web content is static - if I'm finding information out about a car, I don't need a cookie to track me as I view the options and features and specifications.

Etc. etc. etc.

Privacy & Data Protection

[Martin+S.]

The entire EU is covered a common Data Protection law to ensure peoples' privacy is respected by companies collecting private data. Some idiotic jobsworths have interpreted this have chosen to interpret this that everybody must opt-in to visit a website.

There is no such requirement in the directive, here is the UK Information Commissioner guidance on what is required.

https://ico.org.uk/for-organis...

Accepting clicks on invisible things

[wvmarle]

How about: browsers do not accept clicks on items with less than 100% opacity? Or at least something like 50% opacity? I can't think of a legitimate reason to make user click on something invisible, so there's no reason to make anything invisible clickable.

Re:WTF is the "Cookie Law"

[hucker75]

There are thousands of such petty issues, and some not so petty. But it's the principal of the thing, we will not be ruled by someone in another country. Oh and it's not petty getting a banner on every single website I visit, it's as annoying as ads. Anyone got an adblocker that blocks cookie notices?

I don't care about cookies

[Patabugen]

There's a browser extension for people who wish to hide the nonsense cookie notices:
http://www.kiboke-studio.hr/i-...