Attackers Abuse Legitimate EU Cookie Law Notices In Clickjacking Campaign (malwarebytes.org) 84

An anonymous reader writes: Hackers have set up a clever new clickjacking campaign taking advantage of pop-up alerts that European users are (by now) accustomed to seeing: the "EU Cookie Law" notifications. The criminals are placing a legitimate ad banner on top of the warning message via an iframe. The trick is to make the ad invisible by setting its opacity to zero. So, each time a user clicks anywhere on the legitimate message, he or she also clicks on the hidden ad.
  • Block 'em all. (Score:2, Insightful)

    by Anonymous Coward

    Blockity blockity blockity. When the advertisers clean their own house, then I'll stop blocking them.

    I'm not holding my breath here.

    AC

    • by tepples ( 727027 ) on Friday January 08, 2016 @01:01PM (#51262671) Homepage Journal

      Services such as ClarityRay defeat your blocking.

      But there are two ways around ClarityRay: either block access to the servers that serve these scripts or block the browser from executing any scripts. Sites are unlikely to hide text from no-script users because that also hides text from search engines.

      • by gstoddart ( 321705 ) on Friday January 08, 2016 @01:39PM (#51263001) Homepage

        What's Clarity Ray?

        Honestly, I have no idea why people accept sites should by default be allowed to run scripts, or the 15 sites they cross link to should run scripts just because you loaded the page.

        And, FYI, I've seen an increasing number of sites which render their content with javascript, and you only see a blank page without it. Of course, if you know how to view the page source and don't much care about the formatting the text is usually right there.

        Me, I'd just as soon punch the average web site administrator in the nose as assume I have any reason to allow them to run scripts. My default position on scripts is "piss off", and I'll enable them if I think I care or trust you. But your third parties? They can always piss off.

        • by Jahta ( 1141213 ) on Friday January 08, 2016 @02:01PM (#51263213)

          What's Clarity Ray?

          Honestly, I have no idea why people accept sites should by default be allowed to run scripts, or the 15 sites they cross link to should run scripts just because you loaded the page.

          And, FYI, I've seen an increasing number of sites which render their content with javascript, and you only see a blank page without it. Of course, if you know how to view the page source and don't much care about the formatting the text is usually right there.

          Me, I'd just as soon punch the average web site administrator in the nose as assume I have any reason to allow them to run scripts. My default position on scripts is "piss off", and I'll enable them if I think I care or trust you. But your third parties? They can always piss off.

          ClarityRay is an Israeli "ad security" company, acquired by Yahoo last year - ClarityRay Battles Ad Blockers With $500K In Funding [techcrunch.com]. Fun quote from TFA - “We believe ad-blocking today is a lot like how pirate MP3s were before iTunes: they point to a valid consumer need, but do so in an unsustainable manner business wise,” says co-founder and CEO Ido Yablonka. Though if you are also running NoScript it's hard to see how they can do anything meaningful.

          And you are spot on about the whole transitive trust aspect. Just because I may trust "site x" that doesn't mean that I trust the dozen other sites "site x" has partnered with who are trying to send me ads and scripts.

        • by AmiMoJo ( 196126 )

          Sites that use JavaScript to load content can easily be fixed by changing your user agent to the one used by the Google spider. They play nice when it's Google.

      • How does it do that? By disallowing my access to a site?

        Ok. Accepted.

        NEXT!

        • Pretty much.

          The only way to defeat ad blockers is to wait for verification that the ad was served before you deliver content.
          Then you have to hope that users are willing to add an exception for your site to allow ad and a plethora of shitty scripts and tracking crap in order to see your content.

          There have been exactly two cases where I've allowed ads to allow content:
          1 - Watching South Park episodes on the official site.
          2 - Watching the first 4 episodes of The Expanse on syfy.com before the TV premiere.

          In bo

          • "There have been exactly two cases where I've allowed ads to allow content:
            1 - Watching South Park episodes on the official site.
            2 - Watching the first 4 episodes of The Expanse on syfy.com before the TV premiere."

            I bet you regret the Siffi case.

            • No, I'm mostly liking The Expanse so far. It's not quite what I was hoping for, but it's more than I was expecting.
              I also mostly like Dark Matter, I liked Childhood's End, and am on the fence about 12 Monkeys.

              These aren't like Continuum, Magicians, Alphas, Eureka, or whatever else they shit out.

        • by tepples ( 727027 )

          NEXT!

          Say you search for something using a generic web search engine such as DuckDuckGo or Google. Then you discover that the top three relevant results also disallow your access because they detect an ad blocker. Now you have wasted your time on three different sites, and you just want the web to work. Now what do you do?

      • Not true. I have no script and many very common sites are completely blank until I turn on some scripts.

        • by tepples ( 727027 )

          Which sites? And do they remain blank if you also turn off CSS?

          • Not sure. Pages aren't completely blank but generally only have a header from whatever site it is but the article is blank. I'd have to start browsing random sites again to find one. And I have no idea how to enable/disable css. Just reporting that when I browse normally with noscript I see pages without the main body of the text until I start enabling scripts one by one.

  • Ffs (Score:5, Interesting)

    by liqu1d ( 4349325 ) on Friday January 08, 2016 @12:54PM (#51262629)
    The people running these spammy practices don't help themselves. All they're achieving is pushing more people to ad blocking software, hurting the rest of us who don't run spammy ads and keep them as unobtrusive as possible. Bravo fuckwits.
    • Re: (Score:2, Troll)

      by cfalcon ( 779563 )

      All ads are bad. These ads are worse. But all ads are bad.

      • by rtb61 ( 674572 )

        Some advertisements are OK, as long as they are truthful, informative, not overly intrusive and in more non jarring fashion aligned to the content that delivers them. Those ads are fine, drop outside of that and those web sites, advertising agencies and advertisers deserve script blocking. Some advertisers end up suffering pretty badly for going with the wrong agencies and producing the worst sort of intrusive ads. Remember people, it is the internet and not the store and people will remember exactly why a

    • by Threni ( 635302 )

      They are helping themselves; they're making money from advertisers. Advertisers don't like it, but the spammers don't care. And I don't care, as I run adblocking software on every device I own. What's hurting advertisers is adverts, which nobody ever wants to see. Yes, you can argue it's how sites make money. I don't care about that either. I'd rather pay a (micro)subscription than have random companies getting in my face trying to sell me shit I don't want or need.

    • by AmiMoJo ( 196126 )

      Tragedy of the commons. It's easier to slaughter the weak ones than to grow a sustainable herd.

  • by FatdogHaiku ( 978357 ) on Friday January 08, 2016 @01:00PM (#51262667)
    So, would Ad Blocker Plus stop an invisible ad? I would hope so as long as the code calls an ad... visible or not...
    • Re:ABP? (Score:4, Informative)

      by Z00L00K ( 682162 ) on Friday January 08, 2016 @01:06PM (#51262705) Homepage

      If the ad detection filter can catch it then the invisible ad will be stopped.

    • Well, speaking personally, I use ABP's "Select element to hide" function on all those EU cookie banner pop-ups - if I can't just ignore them (and rather than close them via clicking 'OK') - so that would probably select the malvertisement.

      Bloody EU legislators legislating mandatory spam pop-ups. What the actual F?

      • by amorsen ( 7485 )

        Bloody EU legislators legislating mandatory spam pop-ups. What the actual F?

        The sites could just stop tracking non-logged-in users, then they would not have to put up cookie warnings.

        Self destructing cookies combined with I don't care about cookies solve most of the problem though.

  • Being just your average guy from across the pond over here in the States, I have absolutely no idea what this whole "Cookie Law" bullshit is even about. Thus, here is a source: https://cookiepedia.co.uk/eu-c... [cookiepedia.co.uk]

    Can someone tell me who the hell thought of this directive? And why put the burden on every single web site owner, instead of putting the burden on the very few user against commonly used?

    • by Midnight Thunder ( 17205 ) on Friday January 08, 2016 @01:21PM (#51262821) Homepage Journal

      Actually, why can't this be done by the browser? Browsers could easily have an option, whereby any time you access a new site or domain, that tries to set a cookie or use the local browser storage, you get warned.

      A better law could simply require sites to have an info page listing what is being tracked? Maybe a standard http://..../privacy/ [....] or http://..../cookies/ [....] section? Could make the advertisers uncomfortable :)

      • by LQ ( 188043 ) on Friday January 08, 2016 @01:30PM (#51262915)
        Here in the UK, we're having a referendum this year or next on leaving the EU. It's this sort of bureaucratic nonsense that pushes people to vote to leave.
      • You can do these things, but you have to take ownership of it, and you have to be fairly diligent about it.

        My mom? Probably not so much.

        So, someone came up with a strategy whereby if they just said "we set teh cookies", then they're covered. That it might be cookies from 10 external partners which add nothing at all to your overall experience, well, that's a little detail to gloss over.

        I block the heck out of this crap, use extensions to block stuff, and keep blacklisting stuff or adding rules to Chrome.

      • by Z00L00K ( 682162 )

        Firefox has that option, then it's possible to configure if it shall be denied, accepted or just valid for the session. I usually select the last because it looks to the site as if the cookie was successfully set but next visit after a browser restart it's not there anymore. And I also try to avoid third-party cookies as much as possible.

        • by amorsen ( 7485 )

          Do you ever restart your browser? I mean other than for kernel or browser updates?

          Self destructing cookies gets this right. That add-on should be built-in functionality with an opt-out for the few who don't want it.

    • by Anonymous Coward

      And why put the burden on every single web site owner, instead of putting the burden on the very few user against commonly used?

      I would love to give an answer here, but I can't really get my head around what you mean with that last part.

      The idea behind the law is that the users should be informed if a page tracks them, and ensure that it is an opt in system rather than opt out.
      It would probably have been better if the browser behaved a bit like noscript but with cookies instead of scripts, but politicians seldom find a good solution.
      Anyway, the burden is put on the single web site owner because he is the one who wants to track the

    • on the very few user against commonly used?

      Huh?

      Did you mean "user agents"? If so, how is a browser supposed to determine which cookies are, or are not, strictly necessary for a particular action requested by the user?

    • Apologies for the source but here's a bit of a humorous summary of the Cookie law as implemented in the UK [churchm.ag].

    • by amorsen ( 7485 )

      Because it is the bloody server owner who inflicts the tracking cookies on its users. Therefore it's their responsibility to make sure that the users are informed about being fucked over.

    • The entire EU is covered by a common Data Protection law to ensure peoples' privacy is respected by companies collecting private data. Some idiotic jobsworths have chosen to interpret this as meaning that everybody must opt-in to visit a website.

      There is no such requirement in the directive, here is the UK Information Commissioner guidance on what is required.

      https://ico.org.uk/for-organis... [ico.org.uk]

  • Please.

  • by 110010001000 ( 697113 ) on Friday January 08, 2016 @01:17PM (#51262783) Homepage Journal
    I was thinking of this the other day: we need someone who can maintain a good HOSTS file that we can all subscribe to. Anyone know of anyone like that? As a bonus, the maintainer should be grumpy.
  • Hmmm ... (Score:4, Interesting)

    by gstoddart ( 321705 ) on Friday January 08, 2016 @01:21PM (#51262809) Homepage

    So shit I don't allow (popups and scripts) being used to tell me that something else I don't allow (cookies) is being used to fool people into clicking ads they don't even see, from companies we shouldn't trust, so we can see ads for stuff we don't want, so some asshole can get revenue for ad clicks?

    And people wonder why we keep saying allowing arbitrary sites to execute scripts and Flash isn't a completely moronic practice??

    I'm sorry, but EVERYTHING about internet ads and how most sites work is in direct opposition to sensible security practice.

    Sorry, but this is precisely why I will continue to block the hell out of any form of ads, because I have no choice but to assume any 3rd party actor called in from a site I am visiting isn't a hostile actor ... and with sufficiently advanced incompetence, "hostile" takes on a very broad meaning.

    The internet got so thoroughly broken when ads came along it isn't funny. Because they seem to want to force us to use terribly insecure technologies on the chance that some small subset of the shit on the interwebs is what we want and can be trusted.

  • When I first began seeing these "Cookies Exist" banners, (I see a lot of them, using a European server through my VPN), I was immediately suspicious. I mean, who needs to be told web sites use cookies? Why do you have to click something? I was surprised to find out this was an actual EU law. Glad my initial paranoia's been vindicated, though.

  • Why are we at this point? Why let ads be HTML+CSS+Javascript in the first place?

    Forcing ads to go back to being simple PNG or JPEG images with an HREF link would solve a lot of problems. Non-annoying, static images would probably lower the number of people installing ad blockers too.

  • ...some amusing background on the cookie law https://silktide.com/the-stupi... [silktide.com]

    Aside from degrading the web experience for millions of users, costing companies money better spent on accessibility or security improvements and trashing analytics, it was only a matter of time before someone caught on to the nefarious possibilities of a popup that the user has been conditioned to see (and accept without scrutiny).

    This law was one of the bloody stupidest moves in the history of technology and serves only to reinfo

  • How about: browsers do not accept clicks on items with less than 100% opacity? Or at least something like 50% opacity? I can't think of a legitimate reason to make user click on something invisible, so there's no reason to make anything invisible clickable.
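  The summary at the top of the thread describes the mechanism (an ad iframe with its opacity set to zero layered over the cookie notice, so a click on the notice also lands on the ad), and the comment above proposes the obvious client-side countermeasure: refuse clicks whose target is invisible. The following is an added example, not code from the Malwarebytes write-up, the summary or any commenter, showing how a user script or extension content script could implement that check. It models each element as a plain object (tagName, id, src, opacity, visibility, pointerEvents, parent) so the logic runs offline under Node; the `modelFromNode`/`stackFromDom` helpers show how a browser would fill that model from `document.elementsFromPoint()` and `getComputedStyle()`. The threshold constant, the sample stacks and the `ad-network.example` URL are all constructed for the example.

```javascript
// Added example: detect an invisible iframe layered over a visible control,
// the clickjacking pattern described in the story, and decide whether a click
// should be allowed. Not code from the original page or the Malwarebytes write-up.

// Assumption: below this effective opacity an element counts as invisible to the
// user. The commenter suggests 100% (or 50%); a lower cut-off tolerates ordinary
// fade-in animations while still catching opacity:0 overlays.
const OPACITY_THRESHOLD = 0.1;

// CSS opacity compounds down the ancestor chain: a fully opaque iframe inside a
// wrapper with opacity:0 is still invisible, so walk up through `parent`.
function effectiveOpacity(el) {
  let opacity = 1;
  for (let node = el; node; node = node.parent) {
    opacity *= node.opacity === undefined ? 1 : node.opacity;
  }
  return opacity;
}

function isVisible(el) {
  return effectiveOpacity(el) >= OPACITY_THRESHOLD && el.visibility !== 'hidden';
}

// `stack` lists the elements under a click point, topmost first, in the order
// document.elementsFromPoint() returns them. Returns one finding per invisible
// iframe that would receive the click while a visible element sits underneath it.
function findTransparentOverlays(stack) {
  const findings = [];
  stack.forEach((el, i) => {
    if (el.tagName !== 'IFRAME') return;
    if (el.pointerEvents === 'none') return; // cannot receive the click at all
    if (isVisible(el)) return;               // a visible frame is ordinary embedding
    const covered = stack.slice(i + 1).find(isVisible);
    if (covered) {
      findings.push({
        src: el.src || '(no src)',
        opacity: effectiveOpacity(el),
        covers: covered.tagName + (covered.id ? '#' + covered.id : ''),
      });
    }
  });
  return findings;
}

// Decision helper for a click listener: allow the click only when nothing
// invisible is layered over the element the user can actually see.
function shouldAllowClick(stack) {
  return findTransparentOverlays(stack).length === 0;
}

// Browser-side adapters (assumption: called from a click handler in an extension
// content script; they touch `document` and are not exercised offline).
function modelFromNode(node) {
  if (!node || node.nodeType !== 1) return null;
  const cs = getComputedStyle(node);
  return {
    tagName: node.tagName, id: node.id, src: node.src,
    opacity: parseFloat(cs.opacity), visibility: cs.visibility,
    pointerEvents: cs.pointerEvents,
    parent: modelFromNode(node.parentElement),
  };
}
function stackFromDom(x, y) {
  return document.elementsFromPoint(x, y).map(modelFromNode);
}

// Constructed sample stacks (not captured from any real site).
const page = { tagName: 'BODY', opacity: 1, parent: null };
const notice = { tagName: 'DIV', id: 'cookie-notice', opacity: 1, parent: page };
const okButton = { tagName: 'BUTTON', id: 'cookie-ok', opacity: 1, parent: notice };
const hiddenAd = {
  tagName: 'IFRAME',
  src: 'https://ad-network.example/banner', // placeholder, not a real ad server
  opacity: 0, pointerEvents: 'auto', parent: page,
};
// What the browser would hand back for a click on the "OK" button with the
// invisible ad iframe positioned on top of it...
const clickjackedStack = [hiddenAd, okButton, notice, page];
// ...and for the same notice without the overlay.
const cleanStack = [okButton, notice, page];

console.log(JSON.stringify(findTransparentOverlays(clickjackedStack), null, 2));
console.log('allow click on clean notice:', shouldAllowClick(cleanStack));
```

Refusing the click outright, as the commenter proposes, would also break legitimate transparent hit targets (custom file pickers, for instance), so in practice a content script would log the finding or prompt rather than silently drop the event; the `pointer-events: none` check matters because such an iframe cannot take the click and is not an overlay risk.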

  • There's a browser extension for people who wish to hide the nonsense cookie notices:
    http://www.kiboke-studio.hr/i-... [kiboke-studio.hr]
