Attackers Abuse Legitimate EU Cookie Law Notices In Clickjacking Campaign

An anonymous reader writes: Hackers have set up a clever new clickjacking campaign taking advantage of pop-up alerts that European users are (by now) accustomed to see: the "EU Cookie Law" notifications. The criminals are placing a legitimate ad banner on top of the warning message via an iframe. The trick is to make the ad invisible by setting its opacity to zero. So, each time a user clicks anywhere on the legitimate message, he or she clicks also on the hidden ad.

Ffs

[liqu1d]

The people running these spammy practises don't help themselves. All they're achieving is pushing more people to ad blocking software hurting the rest of us who don't run spammy ads and keep them as unobtrusive as possible. Bravo fuckwits.

NoScript or hosts: take your pick

[tepples]

Services such as ClarityRay defeat your blocking.

But there are two ways around ClarityRay: either block access to the servers that serve these scripts or block the browser from executing any scripts. Sites are unlikely to hide text from no-script users because that also hides text from search engines.

Re:NoScript or hosts: take your pick

[gstoddart]

What's Clarity Ray?

Honestly, I have no idea why people accept sites should by default be allowed to run scripts, or the 15 sites they cross link to should run scripts just because you loaded the page.

And, FYI, I've seen an increasing number of sites which render their content with javscript, and you only see a blank page without it. Of course, if you know how to view the page source and don't much care about the formatting the text is usually right there.

Me, I'd just as soon punch the average web site administrator in the nose as assume I have any reason to allow them to run scripts. My default position on scripts is "piss off", and I'll enable them if I think I care or trust you. But your third parties? They can always piss off.

Re:NoScript or hosts: take your pick

[Jahta]

What's Clarity Ray?

Honestly, I have no idea why people accept sites should by default be allowed to run scripts, or the 15 sites they cross link to should run scripts just because you loaded the page.

And, FYI, I've seen an increasing number of sites which render their content with javscript, and you only see a blank page without it. Of course, if you know how to view the page source and don't much care about the formatting the text is usually right there.

Me, I'd just as soon punch the average web site administrator in the nose as assume I have any reason to allow them to run scripts. My default position on scripts is "piss off", and I'll enable them if I think I care or trust you. But your third parties? They can always piss off.

ClarityRay is an Israeli "ad security" company, acquired by Yahoo last year - ClarityRay Battles Ad Blockers With $500K In Funding. Fun quote from TFA - “We believe ad-blocking today is a lot like how pirate MP3s were before iTunes: they point to a valid consumer need, but do so in an unsustainable manner business wise,” says co-founder and CEO Ido Yablonka. Though if you are also running NoScript it's hard to see how they can do anything meaningful.

And you are spot on about the whole transitive trust aspect. Just because I may trust "site x" that doesn't mean that I trust the dozen other sites "site x" have partnered with who are trying to send me ads and scripts.

Re:ABP?

[Z00L00K]

If the ad detection filter can catch it then the invisible ad will be stopped.

Need a good HOSTS file

[110010001000]

I was thinking of this the other day: we need someone who can maintain a good HOSTS file that we can all subscribe to. Anyone know of anyone like that? As a bonus, the maintainer should be grumpy.

Hmmm ...

[gstoddart]

So shit I don't allow (popups and scripts) being used to tell me that something else I don't allow (cookies) is being used to fool people into clicking ads they don't even see, from companies we shouldn't trust, so we can see ads for stuff we don't want, so some asshole can get revenue for ad clicks?

And people wonder why we keep saying allowing arbitrary sites to execute scripts and Flash isn't a completely moronic practice??

I'm sorry, but EVERYTHING about internet ads and how most sites work is in direct opposition to sensible security practice.

Sorry, but this is precisely why I will continue to block the hell out of any form of ads, because I have no choice but to assume any 3rd party actor called in from a site I am visiting isn't a hostile actor ... and with sufficiently advanced incompetence, "hostile" takes on a very broad meaning.

The internet got so thoroughly broken when ads came along it isn't funny. Because they seem to want to force us to use terribly insecure technologies on the chance that some small subset of the shit on the interwebs is what we want and can be trusted.

Re:WTF is the "Cookie Law"

[Midnight+Thunder]

Actually, why can't this be done by the browser? Browsers could easily have an option, whereby any time you access a new site or domain, that tries to set a cookie or use the local browser storage, you get warned.

A better law could simply require sites to have an info page listing what is being tracked? Maybe a standard http://..../privacy/ or http://..../cookies/ section? Could make the advertisers uncomfortable :)

Re:WTF is the "Cookie Law"

[LQ]

Here in UK, we're having a referendum this year or next on leaving the EU. It's this sort of bureaucratic nonsense that pushes people to vote to leave.