Attackers Abuse Legitimate EU Cookie Law Notices In Clickjacking Campaign (malwarebytes.org) 84
An anonymous reader writes: Hackers have set up a clever new clickjacking campaign taking advantage of pop-up alerts that European users are (by now) accustomed to see: the "EU Cookie Law" notifications. The criminals are placing a legitimate ad banner on top of the warning message via an iframe. The trick is to make the ad invisible by setting its opacity to zero. So, each time a user clicks anywhere on the legitimate message, he or she clicks also on the hidden ad.
Block 'em all. (Score:2, Insightful)
Blockity blockity blockity. When the advertisers clean their own house, then I'll stop blocking them.
I'm not holding my breath here.
AC
NoScript or hosts: take your pick (Score:4, Informative)
Services such as ClarityRay defeat your blocking.
But there are two ways around ClarityRay: either block access to the servers that serve these scripts or block the browser from executing any scripts. Sites are unlikely to hide text from no-script users because that also hides text from search engines.
Re:NoScript or hosts: take your pick (Score:5, Insightful)
What's Clarity Ray?
Honestly, I have no idea why people accept sites should by default be allowed to run scripts, or the 15 sites they cross link to should run scripts just because you loaded the page.
And, FYI, I've seen an increasing number of sites which render their content with javscript, and you only see a blank page without it. Of course, if you know how to view the page source and don't much care about the formatting the text is usually right there.
Me, I'd just as soon punch the average web site administrator in the nose as assume I have any reason to allow them to run scripts. My default position on scripts is "piss off", and I'll enable them if I think I care or trust you. But your third parties? They can always piss off.
Re:NoScript or hosts: take your pick (Score:5, Informative)
What's Clarity Ray?
Honestly, I have no idea why people accept sites should by default be allowed to run scripts, or the 15 sites they cross link to should run scripts just because you loaded the page.
And, FYI, I've seen an increasing number of sites which render their content with javscript, and you only see a blank page without it. Of course, if you know how to view the page source and don't much care about the formatting the text is usually right there.
Me, I'd just as soon punch the average web site administrator in the nose as assume I have any reason to allow them to run scripts. My default position on scripts is "piss off", and I'll enable them if I think I care or trust you. But your third parties? They can always piss off.
ClarityRay is an Israeli "ad security" company, acquired by Yahoo last year - ClarityRay Battles Ad Blockers With $500K In Funding [techcrunch.com]. Fun quote from TFA - “We believe ad-blocking today is a lot like how pirate MP3s were before iTunes: they point to a valid consumer need, but do so in an unsustainable manner business wise,” says co-founder and CEO Ido Yablonka. Though if you are also running NoScript it's hard to see how they can do anything meaningful.
And you are spot on about the whole transitive trust aspect. Just because I may trust "site x" that doesn't mean that I trust the dozen other sites "site x" have partnered with who are trying to send me ads and scripts.
Re: (Score:2)
Sites that use JavaScript to load content can easily be fixed by changing your user agent to the one used by the Google spider. They play nice when it's Google.
Re: (Score:2)
How does it do that? By disallowing my access to a site?
Ok. Accepted.
NEXT!
Re: (Score:3)
Pretty much.
The only way to defeat ad blockers is to wait for verification that the ad was served before you deliver content.
Then you have to hope that users are willing to add an exception for your site to allow ad and a plethora of shitty scripts and tracking crap in order to see your content.
There have been exactly two cases where I've allowed ads to allow content:
1 - Watching South Park episodes on the official site.
2 - Watching the first 4 episodes of The Expanse on syfy.com before the TV premier.
In bo
Re: (Score:2)
"There have been exactly two cases where I've allowed ads to allow content:
1 - Watching South Park episodes on the official site.
2 - Watching the first 4 episodes of The Expanse on syfy.com before the TV premier."
I bet you regret the Siffi case.
Re: (Score:2)
No, I'm mostly liking The Expanse so far. It's not quite what I was hoping for, but it's more than I was expecting.
I also mostly like Dark Matter, I liked Childhood's End, and am on the fence about 12 Monkeys.
These aren't like Continuum, Magicians, Alphas, Eureka, or whatever else they shit out.
Re: (Score:2)
NEXT!
Say you search for something using a generic web search engine such as DuckDuckGo or Google. Then you discover that the top three relevant results also disallow your access because they detect an ad blocker. Now you have wasted your time on three different sites, and you just want the web to work. Now what do you do?
Re: (Score:2)
Find a better adblocker that gets around it.
Re: (Score:2)
Not true. I have no script and many very common sites are completely blank until I turn on some scripts.
Re: (Score:2)
Which sites? And do they remain blank if you also turn off CSS?
Re: (Score:2)
Not sure. Pages aren't completely blank but generally only have a header from whatever site it is but the article is blank. I'd have to start browsing random sites again to find one. And I have no idea how to enable/disable css. Just reporting that when I browse normally with noscript I see pages without the main body of the text until I start enabling scripts one by one.
Ffs (Score:5, Interesting)
Re: (Score:2, Troll)
All ads are bad. These ads are worse. But all ads are bad.
Re: (Score:2)
Some advertisements are OK, as long as they are truthful, informative, not overly intrusive and in more non jarring fashion aligned to the content that delivers them. Those ads are fine, drop outside of that and those web sites, advertising agencies and advertisers deserve script blocking. Some advertisers end up suffering pretty badly for going with the wrong agencies and producing the worst sort of intrusive ads. Remember people, it is the internet and not the store and people will remember exactly why a
Re: (Score:2)
They are helping themselves; they're making money from advertisers. Advertiser don't like it, but the spammers don't care. And I don't care, as run adblocking software on every device I own. What's hurting advertisers is adverts, which nobody ever wants to see. Yes, you can argue it's how sites make money. I don't care about that either. I'd rather pay a (micro)subscription than have random companies getting in my face trying to sell me shit I don't want or need.
Re: (Score:2)
Tragedy of the commons. It's easier to slaughter the weak ones than to grow a sustainable hurd.
ABP? (Score:3)
Re:ABP? (Score:4, Informative)
If the ad detection filter can catch it then the invisible ad will be stopped.
Re: (Score:2)
Well, speaking personally, I use ABP's "Select element to hide" function on all those EU cookie banner pop-ups - if I can't just ignore them (and rather than close them via clicking 'OK') - so that would probably select the malvertisement.
Bloody EU legislators legislating mandatory spam pop-ups. What the actual F?
Re: (Score:2)
Bloody EU legislators legislating mandatory spam pop-ups. What the actual F?
The sites could just stop tracking non-logged-in users, then they would not have to put up cookie warnings.
Self destructing cookies combined with I don't care about cookies solve most of the problem though.
WTF is the "Cookie Law" (Score:1)
Being just your average guy from across the pond over here in the state, I have absolutely no idea what this whole "Cookie Law" bullshit is even about. Thus, here is a source: https://cookiepedia.co.uk/eu-c... [cookiepedia.co.uk]
Can someone tell me who the hell thought of this directive? And why put the burden on every single web site owner, instead of putting the burden on the very few user against commonly used?
Re:WTF is the "Cookie Law" (Score:4, Interesting)
Actually, why can't this be done by the browser? Browsers could easily have an option, whereby any time you access a new site or domain, that tries to set a cookie or use the local browser storage, you get warned.
A better law could simply require sites to have an info page listing what is being tracked? Maybe a standard http://..../privacy/ [....] or http://..../cookies/ [....] section? Could make the advertisers uncomfortable :)
Re:WTF is the "Cookie Law" (Score:4, Funny)
Re: (Score:1)
The only shocking thing about it is how easy manipulation of public opinion through mass media still is.
Re: (Score:1)
Re: (Score:2)
You can do these things, but you have to take ownership of it, and you have to be fairly diligent about it.
My mom? Probably not so much.
So, someone came up with a strategy whereby if they just said "we set teh cookies", then they're covered. That it might be cookies from 10 external partners which add nothing at all to your overall experience, well, that's a little detail to gloss over.
I block the heck out of this crap, use extensions to block stuff, and keep blacklisting stuff or adding rules to Chrome.
Re: (Score:2)
Firefox has that option, then it's possible to configure if it shall be denied, accepted or just valid for the session. I usually select the last because it looks to the site as if the cookie was successfully set but next visit after a browser restart it's not there anymore. And I also try to avoid third-party cookies as much as possible.
Re: (Score:2)
Do you ever restart your browser? I mean other than for kernel or browser updates?
Self destructing cookies gets this right. That add-on should be built-in functionality with an opt-out for the few who don't want it.
Re: (Score:1)
And why put the burden on every single web site owner, instead of putting the burden on the very few user against commonly used?
I would love to give an answer here, but I can't really get my head around what you mean with that last part.
The idea behind the law is that the users should be informed if a page tracks them, and ensure that it is an opt in system rather than opt out.
It would probably have been better if the browser behaved a bit like noscript but with cookies instead of scripts, but politicians seldom finds a good solution.
Anyway, the burden is put on the single web site owner because he is the one who wants to track the
Re: (Score:2)
on the very few user against commonly used?
Huh?
Did you mean "user agents"? If so, how is a browser supposed to determine which cookies are, or are not, strictly necessary for a particular action requested by the user?
Re: (Score:2)
Apologies for the source but here's a bit of a humorous summary of the Cookie law as implemented in the UK [churchm.ag].
Re: (Score:2)
"The "Cookie Law" is not really about cookies and is widely misinterpreted. It merely affirms that these two principles apply to websites - if you are collecting personally identifying data about your visitors you need to let them know first."
The problem is, of course, that the "Cookie Law" neither affirms those rights nor was intended to do so, just pretend. Like going through the movements but still not dancing.
Re: (Score:2)
Re: (Score:2)
Because "collecting personal data" is also interpreted to mean cookies of pretty much any kind, meaning it applies to almost all website.
That is because almost all websites collect personal data. They could just stop doing that; they have no legitimate reason to do so. Then the cookie warnings would go away.
Re: (Score:2)
Re: (Score:2)
Because it is the bloody server owner who inflicts the tracking cookies on its users. Therefore it's their responsibility to make sure that the users are informed about being fucked over.
Privacy & Data Protection (Score:2)
The entire EU is covered a common Data Protection law to ensure peoples' privacy is respected by companies collecting private data. Some idiotic jobsworths have interpreted this have chosen to interpret this that everybody must opt-in to visit a website.
There is no such requirement in the directive, here is the UK Information Commissioner guidance on what is required.
https://ico.org.uk/for-organis... [ico.org.uk]
Re: (Score:2)
The problem is that @ opacity 0%, it's still being rendered and the software believes it to be visible.....it's just that it's as visible as good quality glass covering a picture....it's there, but you eyes look through it.
Re: Need a WYSIWYG browser (Score:2)
And even if transparent overlays were treated as a special case, all they would have to do is set the ad to 1% opacity.
Re: (Score:2)
But the fix would be equally easy, just block things set a both 0% and 1% opacity!
Oh wait...
Re: (Score:2)
My initial thought as well. The difficult part is: what opacity is invisible? For example: a frame with a single background colour and no border may just be interpreted as part of the legitimate widget for clicking.
somebody remind me why we all run adblockers? (Score:1)
Please.
Need a good HOSTS file (Score:5, Funny)
Re: (Score:2)
"How the hell is the ad supposed to retrieve data from we_know_everything_about_you.com when your hosts file points we_know_everything_about_you.com to 0.0.0.0?"
By retrieving the data from 98.62.81.5
Re: (Score:1)
Re: (Score:2)
Neither did uBlock Origin. /. has its own ads. :(
Re: (Score:3)
As a bonus, the maintainer should be grumpy.
But I don't want to maintain anything.
Hmmm ... (Score:4, Interesting)
So shit I don't allow (popups and scripts) being used to tell me that something else I don't allow (cookies) is being used to fool people into clicking ads they don't even see, from companies we shouldn't trust, so we can see ads for stuff we don't want, so some asshole can get revenue for ad clicks?
And people wonder why we keep saying allowing arbitrary sites to execute scripts and Flash isn't a completely moronic practice??
I'm sorry, but EVERYTHING about internet ads and how most sites work is in direct opposition to sensible security practice.
Sorry, but this is precisely why I will continue to block the hell out of any form of ads, because I have no choice but to assume any 3rd party actor called in from a site I am visiting isn't a hostile actor ... and with sufficiently advanced incompetence, "hostile" takes on a very broad meaning.
The internet got so thoroughly broken when ads came along it isn't funny. Because they seem to want to force us to use terribly insecure technologies on the chance that some small subset of the shit on the interwebs is what we want and can be trusted.
I Was Immediately Suspicious (Score:2)
When I first began seeing these "Cookies Exist" banners, (I see a lot of them, using a European server through my VPN), I was immediately suspicious. I mean, who needs to be told web sites use cookies? Why do you have to click something? I was surprised to find out this was an actual EU law. Glad my initial paranoia's been vindicated, though.
Why? (Score:2)
Why are we at this point? Why let ads be HTML+CSS+Javascript in the first place?
Forcing ads to go back to being simple PNG or JPEG images with an HREF link would solve a lot of problems. Non-annoying, static images would probably lower the number of people installing ad blockers too.
In case you missed it.... (Score:2)
...some amusing background on the cookie law https://silktide.com/the-stupi... [silktide.com]
Aside from degrading the web experience for millions of users, costing companies money better spent on accessibiity or security improvements and trashing analytics, it was only a matter of time before someone caught on to the nefarious possibilities of a popup that the user has been conditioned to see (and accept without scrutiny).
This law was one of the bloody stupidest moves in the history of technology and serves only to reinfo
Re: In case you missed it.... (Score:1)
Accepting clicks on invisible things (Score:2)
How about: browsers do not accept clicks on items with less than 100% opacity? Or at least something like 50% opacity? I can't think of a legitimate reason to make user click on something invisible, so there's no reason to make anything invisible clickable.
I don't care about cookies (Score:1)
There's a browser extension for people who wish to hide the nonsense cookie notices:
http://www.kiboke-studio.hr/i-... [kiboke-studio.hr]