Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com)

Posted by msmash on from the browsers-trend dept.

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.

9 of 80 comments (clear)

  1. They've been using Content Shell from Google... by Anonymous Coward · · Score: 2, Informative

    for years. This is nothing new. Plus, PhantomJS is popular for attacking web sites.

  2. What for? by PopeRatzo · · Score: 2

    While this feature sounds very useful for developers

    I'm not a web developer. Can someone explain to me how this "headless" feature is useful for developers?

    --
    You are welcome on my lawn.
    1. Re:What for? by dtandersen · · Score: 4, Informative

      Imagine you're a developer and you want to see if your website works. You open your website in Chrome and run a few tests. As the website grows this starts to take a long time. So you automate the process by having software control the web browser. Headless mode is useful so you can run this automated process on a remote server with no monitor. Every time you check in code this automated test process runs and tests your website.

    2. Re:What for? by H3lldr0p · · Score: 4, Interesting

      Fine. Why not just have a developer's only release for those who want to run that? Something that's more than a bit that can be flipped manually.

      These people are already have to manage different codebases for the various branches and such. Why not play it safe and keep this headless thing separated from the mainstream user?

  3. Re:Unclick the checkbox. by Fly+Swatter · · Score: 5, Informative

    What checkbox? I don't see anything on the v59.0.3071.104 settings page that relates to headless. It is not "enable running background apps when google chrome is closed", as that has been available for a long time and is probably unrelated. Headless mode is started via command line option: "--headless". Care to explain where the setting to disable this is ?

  4. Is this my problem? by nine-times · · Score: 3, Interesting

    The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud.

    My first reaction to this is, I don't see why I should be concerned. Malware authors had the option of including a headless browser of their own to enable this, and now they can use the already-installed browser instead. So... if I do get this kind of malware, it'll install less crap on my system? Seems like a win to me.

  5. Re:OK, we know the downside... by rudy_wayne · · Score: 2

    What value to they bring to the computer user?

    Mozilla quite caring about users long ago. Google never cared about users in the first place.

    Now, it's just a big circle jerk. Adding more and more useless, pointless features because . . . . . because fuck you, that's why.

  6. Re:OK, we know the downside... by gman003 · · Score: 2

    I have found it extremely useful for the automated generation of PDFs on a server. Design it in HTML, with a print-specific stylesheet, then run a Chrome instance to "print" it to a PDF file.

    Granted, this is only a problem because the libraries PHP has for PDF generation are utter garbage, completely unusable for any large-scale project.

  7. Re:OK, we know the downside... by dinfinity · · Score: 3, Informative

    More reliable automated testing of web applications.
    https://en.wikipedia.org/wiki/...

    Typically used in combination with Selenium.