Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com)

Posted by msmash on from the browsers-trend dept.

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.

40 of 80 comments (clear)

  1. They've been using Content Shell from Google... by Anonymous Coward · · Score: 2, Informative

    for years. This is nothing new. Plus, PhantomJS is popular for attacking web sites.

  2. Re:Malicious to who? by Anonymous Coward · · Score: 1

    If it's using up my clock cycles, memory, and bandwidth without my consent then it's malicious, no matter how minor the impact may be.

  3. Headless mode? by Eyezen · · Score: 1

    I think we have that already - it's called a service or daemon

    1. Re:Headless mode? by nullchar · · Score: 1

      I try to avoid my problems, so I prefer all my daemons to be headless so we can't have any conversations.

  4. OK, we know the downside... by QuietLagoon · · Score: 1

    There has to be an upside. So I'll ask, why are features such as this being added? What value to they bring to the computer user?

    1. Re:OK, we know the downside... by Anonymous Coward · · Score: 1

      Day-to-day computer user - i do not know. For developers, it allows for automated front-end testing.

    2. Re:OK, we know the downside... by MrL0G1C · · Score: 1, Insightful

      I don't think Mozilla are too interested in users, they're in some fantasy land where users don't matter. Several of their recent past actions support this fact and it's led to users not being too interested in Firefox IMO.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    3. Re:OK, we know the downside... by rudy_wayne · · Score: 2

      What value to they bring to the computer user?

      Mozilla quite caring about users long ago. Google never cared about users in the first place.

      Now, it's just a big circle jerk. Adding more and more useless, pointless features because . . . . . because fuck you, that's why.

    4. Re:OK, we know the downside... by gman003 · · Score: 2

      I have found it extremely useful for the automated generation of PDFs on a server. Design it in HTML, with a print-specific stylesheet, then run a Chrome instance to "print" it to a PDF file.

      Granted, this is only a problem because the libraries PHP has for PDF generation are utter garbage, completely unusable for any large-scale project.

    5. Re:OK, we know the downside... by dinfinity · · Score: 3, Informative

      More reliable automated testing of web applications.
      https://en.wikipedia.org/wiki/...

      Typically used in combination with Selenium.

    6. Re: OK, we know the downside... by corychristison · · Score: 1

      I'm of the mind that these browser vendors should ship two editions of the browsers:
      - one for developers with all of the bells and whistles.
      - a trimmed down 'end user' edition with all of the developer tools removed.

      I know firefox has a version specific to developers, but the regular builds still include most of the developer tools.

      Or better yet, ship the developer tools as an addon/plugin for those who want it.

    7. Re:OK, we know the downside... by Thud457 · · Score: 1

      Chrome's not done until EMACS will run.
      Wait. That's not how it goes...

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    8. Re:OK, we know the downside... by gman003 · · Score: 1

      I'll keep that in mind. We've had good enough results with Chrome so far that I don't think immediately jumping ship is necessary, but I suspect we might hit performance issues as we scale up. Chrome is not exactly a lightweight even in headless mode.

    9. Re: OK, we know the downside... by corychristison · · Score: 1

      I use wkhtmltopdf.

      It comes with two versions. One for pdf generation, and one for image generation. I use both quite extensively in a few projects.

      The official packages from wkhtmltopdf to not require an X server. If you build from source, you'll need to apply a patch (provided in the sources).

  5. What for? by PopeRatzo · · Score: 2

    While this feature sounds very useful for developers

    I'm not a web developer. Can someone explain to me how this "headless" feature is useful for developers?

    --
    You are welcome on my lawn.
    1. Re:What for? by dtandersen · · Score: 4, Informative

      Imagine you're a developer and you want to see if your website works. You open your website in Chrome and run a few tests. As the website grows this starts to take a long time. So you automate the process by having software control the web browser. Headless mode is useful so you can run this automated process on a remote server with no monitor. Every time you check in code this automated test process runs and tests your website.

    2. Re:What for? by H3lldr0p · · Score: 4, Interesting

      Fine. Why not just have a developer's only release for those who want to run that? Something that's more than a bit that can be flipped manually.

      These people are already have to manage different codebases for the various branches and such. Why not play it safe and keep this headless thing separated from the mainstream user?

  6. Re:Unclick the checkbox. by Fly+Swatter · · Score: 5, Informative

    What checkbox? I don't see anything on the v59.0.3071.104 settings page that relates to headless. It is not "enable running background apps when google chrome is closed", as that has been available for a long time and is probably unrelated. Headless mode is started via command line option: "--headless". Care to explain where the setting to disable this is ?

  7. That will give other browsers some much needed... by MindPrison · · Score: 1

    ...attention.

    Because honestly, if not even the adblockers will be able to do something about that, then it's bye bye Firefox on my part - I've been a loyal "customer" for the longest time, but hey - this gives the other lesser known browsers on the market some much needed attention, are you listening "insert-unknown-up-and-coming-popular-browser-team"?

    --
    What this world is coming to - is for you and me to decide.
  8. Is this my problem? by nine-times · · Score: 3, Interesting

    The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud.

    My first reaction to this is, I don't see why I should be concerned. Malware authors had the option of including a headless browser of their own to enable this, and now they can use the already-installed browser instead. So... if I do get this kind of malware, it'll install less crap on my system? Seems like a win to me.

    1. Re:Is this my problem? by Yaztromo · · Score: 1

      So... if I do get this kind of malware, it'll install less crap on my system? Seems like a win to me.

      Hey, why don't we just pre-install the malware in that case? That way it won't have to install any crap on your system -- it will already be there!

      Yaz

    2. Re:Is this my problem? by viperidaenz · · Score: 1

      and they'll be able to click more ads before you hit your mobile data cap, because the initial download was smaller.

    3. Re:Is this my problem? by nine-times · · Score: 1

      Well... because then you'd have malware. A big part of my point was that malware authors have already been able to include a headless browser if they wanted to, so it doesn't seem like this really changes their ability to have their malware perform click-fraud. It just means that, if you're unfortunate enough to get click-fraud malware, it won't also download their headless browser.

      But I don't even know if it'll have that effect. If you're writing malware and you want it to be effective, you probably don't want to rely on specific 3rd-party software already being installed. They'll probably keep bundling their own headless browser anyway.

      But maybe I'm missing something...?

    4. Re:Is this my problem? by Yaztromo · · Score: 1

      Well... because then you'd have malware. A big part of my point was that malware authors have already been able to include a headless browser if they wanted to, so it doesn't seem like this really changes their ability to have their malware perform click-fraud. It just means that, if you're unfortunate enough to get click-fraud malware, it won't also download their headless browser.

      Detection may be more difficult. If Chrome is your browser of choice, then having Chrome processes running on your computer won't be all that unusual. An automated process scanner and/or manually looking at a process list may not show anything out of the ordinary. So while seeing "phantomjs.exe" in your process list may set off some alarm bells, "chrome.exe" won't have the same effect.

      As well, something like PhantomJS is rarely up-to-date with the latest web technologies. Even though it's based off WebKit, it's based off an older rendering/JS engine. Malware authors can't aways rely on automated software updates to keep the things up-to-date at the best of times, but Chrome is pretty aggressive at keeping itself updated, and is quite aggressive at staying on top of the latest web standards. Having that available saves the malware authors a lot of time and effort -- effectively the user will keep the core part of their malware up-to-date for them, and they can rely on having the latest and greatest rendering and Javascript engines at their fingertips.

      Will that matter much in the real world? It's currently hard to tell. Obviously people who willingly install trojan horse style malware aren't the most savvy of users, so perhaps it doesn't make a lot of difference in terms of number of malware instances deployed. But it might make that malware harder for the average user to easily detect, and it might make malware more effective in terms of being able to keep up with the latest web standards and Javascript features and optimizations. I agree that the article makes this sound more series than it probably will be. Time will tell I suppose.

      Yaz

  9. Re:Unclick the checkbox. by Cajun+Hell · · Score: 1

    You could simply unclick the checkbox in settings that enables this feature

    The people who use the convenience of a fully-scripted browser to trick adservers into thinking humans clicked the ads, are probably not going to opt to forego that convenience.

    To use an absurdly extreme example, you're saying, "bank robber, you could simply deposit money into the bank and then make normal withdrawals instead of robbing." You should expect most bank robbers to decline your suggestion, and I think the people who commit click-fraud will be similarly uninterested in your "don't do that" advice.

    --
    "Believe me!" -- Donald Trump
  10. I have an idea by viperidaenz · · Score: 1

    Unless the app is an actual web browser, restrict it to communication with a single domain via TLS.
    So great, Chrome is a browser. but when running as an embedded browser or headless, it should only be able to communicate with a single domain associated with the app it is running in.

    If someone really wants to make a browser app, they can bundle it with a browser engine instead of embedded WebView, or at least make it a permission request to communicate with other domains.

  11. Re:Malicious to who? by Anonymous Coward · · Score: 1

    This attitude is why apps become more bloated over time. Why optimize when your users can be forced to upgrade?

    That's off-topic, though. I don't care if it doesn't have much impact, if software is doing something without my consent, and for it's own benefit at my expense it's malware, no matter how small that expense. Sadly, though, by that definition most software is malware.

  12. And I just installed Firefox Focus by Trax3001BBS · · Score: 1

    " When Focus is running in the background, we'll remind you through a notification and you can easily tap to erase your ..." https://blog.mozilla.org/blog/...

    Fell for the hyper babble I guess, thread did get me noscripts(.net).

  13. god bless OCD by Thud457 · · Score: 1

    Some guy named Clifford Stoll would like to talk to you about a $0.75 accounting discrepancy in the computer usage accounts.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  14. Re:Unclick the checkbox. by Gavagai80 · · Score: 1

    The problem is it's a way to keep the people with the compromised machines from becoming aware that they have compromised machines.

    --
    This space intentionally left blank
  15. Thick Clients by Mybrid · · Score: 1

    This is inevitable with the current trend of having the web browser be a thick client.

    The trend is to put as much code as possible, i.e. thick client, in Javascript. Now, suppose one wants to leverage that code as middleware? Taa daa! Headless mode. We've been down this road before with client/server, thick/thin clients.

    What makes Javascript particularly impossible to reproduce is the fast moving, every changing set of libraries. This will put pressure on the business logic sitting in all the Javascript to become middleware so as to capitalize on ones investment. As they say, what's old is new again.

    I predict within the next 2 years headless browsers as middleware will be common place.

  16. Even stupider by JustAnotherOldGuy · · Score: 1

    Even stupider is Firefox "policy" which now *refuses* to load Google's page because it claims the "domain certificate is misconfigured". You can't add an exception, period. In other words, there is NO WAY to browse Google with Firefox now.

    Now I may be wrong, but I think those dudes at Google know a thing or two about web stuff, so I guess using Firefox for my day-to-day stuff is now a no-go. Brilliant, Firefox, just fucking brilliant.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Even stupider by pop+ebp · · Score: 1

      Google works fine for me on Firefox.
      You really should check if you are being MITM'ed.

  17. That's not adware by SLi · · Score: 1

    Adware is something that shows ads to you, by adding them or by replacing other ads by them. This has something to do with ads, but that is not sufficient to make this adware. If we define malware as something you would not agree to have on your computer, this is plain old malware, and I'd argue not one of the worst sorts.

    Part of me is actually happy that the ad industry is facing problems with fraudulent clicks, even if I would not want this on my own computers. (Having said that, I might want something that clicks ads randomly.)

  18. Headless browsers have been around for 20 years! by Tony+Isaac · · Score: 1

    Microsoft had a COM interface (IHtmlWebBrowser) nearly 20 years ago. When .NET came around, they offered the same headless functionality in the form of the WebBrowser object. The concept isn't new, the only thing that's new is that Chrome and Firefox are finally copying an old IE feature!

  19. Useless bacgkround processes... by Anonymous Coward · · Score: 1

    This is exactly what we need to have a more secure OS. Make a lot of useless crap running on the background while we are playing minesweeper. Did we just forget about SMBv1 running in the background by default even on standalone workstations?

  20. Sounds scary but required malware could do worse! by Picodon · · Score: 1

    Correct me if I’m wrong but if I have malware on my machine that’s capable of starting up my web browser in headless mode (a.k.a. arbitrary executable), well I probably have much more serious issues to address ASAP!

  21. Re:Sounds scary but required malware could do wors by Anonymous Coward · · Score: 1

    Correct me if I'm wrong

    OK

    You're wrong.

    You're corrected.

    All it takes is a 3rd-party banner-ad or something similar and usually innocuous on a normally-trustworthy website that's been hijacked to run a short piece of script to open a headless instance and have it happily continue to run and remain 'open' and 'clicking' ads long after you've closed the visible instance you were using.

    Or maybe doing something else. Depends on what the attacker wants. Maybe subscribing you to a bunch of MLP/furry/yiff-porn E/snail-mail lists and 'hookup' services.

    So many possibilities...

  22. Re:Unclick the checkbox. by Waccoon · · Score: 1

    I don't trust checkboxes, anyway. I hardly trust anything anymore -- open source or not.

    Firefox has a checkbox for offline storage that reads, "Tell me when a website asks to store data for offline use". The problem is, the browser will only inform you if the data being saved is larger than a specific amount, and the browser allows data to be written in small chunks. As a result, if you enable this feature, the browser will happily save lots of offline data without ever informing you, let alone asking your permission. I had this checkbox turned on (it's off by default) and I would still regularly find dozens of megs of offline data saved. To "properly" enable the checkbox, you have to go to about:config and change multiple settings, including the exact cutoff limits. The GUI checkbox doesn't do squat.

    All browsers, even Firefox, are resorting to these silly tactics to keep you from actually controlling what the browser can do. Don't get me started about how Opera used to regularly break the feature to disable updates (and constantly changed the command-line options), in an attempt to force updates even if you didn't want them.

  23. Why not? by allo · · Score: 1

    Advertisers want clicks, I do not want to see their shit. So my headless firefox is allowed to click (with a separate profile because of tracking cookies and so on) and I can support the websites which cry because of my adblocker.
    If anyone objects, he should stop crying. Either they want me to load their ad or they do not want me to.