Cybersecurity company Kaspersky is highlighting a rise in fake browser notifications this year, according to a press release.
The company said affected users have tripled every month in 2019. In June, Kaspersky noticed a Google calendar scheme that tried to trick users into giving away personal information. The push scams work similarly, and ask people to sign up for subscriptions they don’t want, or to download software with unwanted consequences.
The malicious notifications affected 1,722,545 users in January, and that number rose to 5,544,530 by September.
“Browser push notifications were introduced several years ago as a useful tool that kept readers informed with regular updates, but today they are often used to bombard website visitors with unsolicited advertisements or even encourage them to download malicious software,” the company said.
Because of their ease of use, push notifications are becoming more and more popular as a means to trick users into giving away personal information. They use common techniques like phishing or other social engineering actions, and often steal information.
A user needs to give consent for these types of attacks, and malicious hackers often use what seem like innocuous ways of trickery to make that happen. For example, a simple CAPTCHA box, which many sites use to prove that someone is actually human, can be used falsely. Other alerts will include a fake notification about a system update.
“We have seen a rise in push notifications being abused, as attackers continue to creatively adapt new technologies in order to trick users,” said Artemy Ovchinnikov, a security researcher at Kaspersky. “Because this feature is so widespread and easy to take advantage of through social engineering schemes, we have seen a rapid growth in the number of affected users. Push notifications are a very useful tool for users that help them stay on top of important things that interest them. Yet, as with anything on the internet, users have to remain attentive and cautious when interacting with pop-ups and only allow push notifications if they are completely sure the alerts are useful and come from trusted sources.”