A dark adtech empire fed by fake CAPTCHAs
126 comments
·June 12, 2025LegionMammal978
mapt
The entire idea of push notifications on browsers was obviously toxic from the start, especially the privileged status "Do you want to enable notifications?" popups had.
I think the idea comes from the 2010's hype about Phone-Ifying The Desktop. Someone clearly thought they were recreating the Google Reader / RSS ecosystem (Mozilla had RSS in the browser in a flop)... but everyone else was just enthusiastic about dark patterns that were viable in mobile apps that didn't exist in a desktop browser.
jeroenhd
I use this feature all the time and I love it. Not having to install dozens of apps just to see the occasional notification is a dream come true.
The way it's trivial for browsers to fake OS notifications on some platforms is a clear design flaw, though. I get the need for it (PWAs and such) but unless the website sending a notification is a PWA, there's no need for a notification to be that ambiguous.
The current system, where Chrome (the only browser that matters) collects information about websites and only shows the permission popup on some websites has mostly killed useful notification support for a lot of websites.
ninkendo
I can think of exactly two use cases for web browser push notifications:
- Web-based email
- Web-based chat
That’s it. Every other use case seems to be solving a “them” problem (how do we increase engagement?) and not a “me” problem.
Even if I wanted to hear about updates from a website (and I never do), I could sign up for emails. And If I don’t trust a website with my email, I certainly don’t trust them with sending me push notifications.
In fact, let me take chat apps off that list, because if I don’t have the webapp open in a browser window, the chat app should have the option to just email me about someone trying to message me (and ideally, letting the other party know I’m unavailable and letting them choose whether to send me the email.) So no, really just email and that’s it.
I’m super curious what your use cases are if you use web-based push notifications “all the time”.
johnmaguire
I think notifications came about as part of Progressive Web Apps (PWA).
hsbauauvhabzb
IMO random websites prompting to access your location data is far more problematic
mtillman
The biggest problem there is that several browsers don't want to remember your response of "No" for more than one day. They want you to be constantly tracked. I'd like to be able to tell all browsers, never track my location or send me a notification from any website but that's not what they want. Orion by Kagi is a breath of fresh air in this department.
riddlemethat
DocuSign tracks your location when you sign a document unless you disable it in the browser. Learned that a few years ago.
cyanydeez
Its a progressive webapp feature and would be a necessary tool tobescape Apple and Google stores and hardwarw lockin. Like all tech, hindsight is 20/20 with malicious actors.
_Algernon_
One of the first settings I change in any new browser is to forbid notification requests from all pages, and disable dom.beforeUnload (stops websites being able to prompt to confirm if I want to close the tab). Those functionalities are probably the most abused browser functionalities and definitely shouldn't be enabled by default (or if so only for a whitelist of sites).
privatelypublic
How do you do this? I'm looking to do it for the clipboard API. Browsers should be able to block copy and paste.
_Algernon_
In firefox: about:config -> dom.disable_beforeunload=true
For copy-paste: dom.event.clipboardevents.enabled=false I would guess.
AugustoCAS
A quick google shows this for FF (taken from a thread in StackOverflow):
> In Firefox you can completely disable beforeunload events by setting dom.disable_beforeunload to true in about:config. Extensions may be needed for other browsers.
A word of caution: I'm not 100% sure, but I wonder if some web collaboration tools might use this to ensure data has been synced with a server.
QuantumGood
I have run into this. My notes: Google Chrome (Desktop & Android)
chrome://settings/content/notifications Or Settings > Privacy and security > Site settings > Notifications Under "Default behavior," select: Don’t allow sites to send notifications.
------------------
Mozilla Firefox (Desktop)
Settings > Privacy & Security Scroll to the "Permissions" section, find "Notifications," and click "Settings…"
At the bottom, check: Block new requests asking to allow notifications.
------------------
Microsoft Edge
Settings > Cookies and site permissions > Notifications Set the default to block all notification requests.
------------------
Safari (macOS)
Safari > Settings (or Preferences) > Websites tab > Notifications Untick: Allow websites to ask for permission to send notifications
------------------
Samsung Internet (Android)
Settings > Notifications > Allow or block sites
KevinGlass
I honestly think desktop notifications in their current form are one of the worst features of the modern web. Sure it's nice to get an email alert but on my experience there's probably a thousand confused old people getting spammed for each person that intentionally enabled it.
What's worse is they look like native OS alerts (on Windows) so when one says "SECURYIRT ALERT!! CALL NOW" it's that much more effective at getting people on the phone with scammers.
cortesoft
So many sites ask for permission to send notifications that have zero reason to do so. Why would I want push notifications from a shopping or news site?
jeroenhd
Same reason you subscribe to their newsletters. To get discounts.
I don't understand why people would want that, but neither do I understand the people who actually enter their email address in those "subscribe to my newsletter" popovers.
tim--
Honestly, push notifications from a news site arguably is one of the few sites that I see having a reason to send push notifications.
Communication platforms; messaging apps (Slack, Discord etc); email sites (gmail and co.) also make sense. Financial platforms (banks, Stripe etc)
Once you start getting out of these two categories, then yeah, it gets silly. No way should an airline website even be allowed to ask to send push notifications.
Google does have a way for Chrome users to not show the notification window (https://yespo.io/blog/google-chrome-will-now-block-abusive-b...) by default (https://support.google.com/webtools/answer/9799829?hl=en) but I really wish that this was flipped, so that Google would first need to approve sites to use notifications, similar to the Public Suffix List.
ryukoposting
I wonder how many people's browsers get push notifications from Temu, or Amazon.
zamadatix
I feel like the web would be a better place if "allow notifications" popups were only allowed for PWAs the user already installed. I.e. they have to manually interact with the page and then click the prompt acknowledging they want to install the site as an application on their computer before the site can start popping up windows from the browser asking for notification permissions.
It's not that there are 0 use cases where it could possibly be convenient to get notifications from a plain site but, like you said with the email example, 95% of the legitimate use cases are probably better modeled as an app anyways.
PaulHoule
What's "progressive" about installing software?
It's always saddened me that people failed to understand the web platform, and never more so than today when that platform could be on the verge of extinction.
Young people don't remember this: in the 1990s if a big corporation wanted to make a 1-line change to an application deployed to a fleet of desktops they'd have to update every single machine and to do so they'd probably have to hire at least 1 FTE and probably more for installer engineering and other makework.
With the web it is often
git pull
As it is I can find web sites with search, links from other sites, bookmarks and history. If you "install" applications you just clutter up your desktop with 300 icons for applications you don't really use which makes it hard to find the 2-3 that you really use.
codedokode
Instead of desktop notifications web apps should use pinned tabs and show a badge in the tab header.
layer8
That’s more a browser implementation issue though. Browser could offer that as a choice for how to handle notifications, on a per-website basis.
PaulHoule
Advocacy for "progressive web apps" always fell flat to me. There are a few reasons, such as web workers being a Rube Goldberg machine when people just wanted the kind of facility to control caches and fetching that Netscape Netcaster had in 1997. It was predictable to me that the usage breakdown of push notification was going to be
50% spam
49% scams
1% other
creeble
Elderly neighbor for me. Quite insipid; it took me a few minutes to realize that they were browser-based when I first got to the computer.
preinheimer
I think the “prove you’re human by hitting the button” attack is pretty clever.
With the range of different ways captchas are presented today I can see it getting a good % of folks.
a2128
It's our own fault for making the internet such a confusing Kafkaesque maze. Click this button, click that button, sign in to confirm you're not a bot, select the traffic signs, select the items that a rat would not eat, solve this maze to prove you're a human, type out the numbers hidden in these demonic noises, provide your phone number to prove you're real, compute proof-of-work, download this browser if you're having issues... The line between fraudster and modern tech company is honestly not clear anymore and especially not for people who don't care much about tech and just want to access something
pixl97
Evolution is messy and guided by random occurrences.
Early in the internet days I had ran an open SMTP server for a few years before it was used as a spam relay. The web browser didn't have a security model. Online shopping was going up to a site, writing what you wanted on paper, then mailing off a money order.
Then both fraud and useful things like actual online shopping started happening while the size of the web exploded. Masses of people with no technical capability were getting online. And that's before we got to the age of social media and massive data collection.
Simply put we didn't make the 'web' part of the internet, some people tossed it out as a child and it's been a tooth and nail fight for survival ever since, patching itself up one vuln at a time.
permo-w
never mind the fact that half these captchas are just excuses for orgs to sneakily extract some reinforcement learning data from you. last time I tried to sign into my microsoft account it made me do 6 captchas. SIX. not six like I failed 1 captcha six times, six like each captcha was iteratively marked i/6
miki123211
It's not just the captchas either, the "this GPS app needs access to your location" or "this photo taking app wants access to your camera" style pop-ups don't help either.
If you learn once that clicking "deny" in a notification pop-up means your phone doesn't ring when your grandson calls you on Whats App, you won't be clicking "Deny" in those pop ups any more.
I genuinely don't know how to solve that problem, and I definitely see non-technical family members struggle with it.
Sophira
The silly thing is, it was known before all these permission pop-ups were created that users will simply press "Yes", "OK", "Allow", "Agree", etc., on every dialogue they see simply in order to get rid of it. Many people -maybe even most people? - just see them as needlessly getting in the way of where they actually want to be.
So, given that we knew that, why the hell did we create more?
Mtinie
…but don’t click this button.
tsunamifury
[flagged]
pwdisswordfishz
Yes, you can. You would be wrong, though.
lionkor
Malicious compliance is usually intentional, yk?
dspillett
Nope. We can blame companies for deliberately implementing the requirements in the most inconvenient (and usually actually non-compliant) way possible, to make it an unpleasant process to disagree, and all too easy to accidentally agree, to being stalked by hundreds of "partners".
yard2010
You can blame anyone, really, but try to think about it this way: when a 5-years old child drives a car into a wall, you don't blame him, you blame the responsible adult in the passenger sit that says: "it's fine, go ahead, drive this car".
sensanaty
Or we can blame the literal scammers and other degenerates that lead businesses and have forced jurisdictions like the EU to implement these?
We've JUST unearthed yet another scandal from Meta, where they've been, surprise surprise, spying on people on Android. Cambridge Analytica, Yemen and countless other examples, all from this 1 company. And we're blaming the EU for trying to do anything against them, and not scumbags like Zuckerberg?
justusthane
> Doppelganger campaigns use specialized links that bounce the visitor’s browser through a long series of domains before the fake news content is served
What’s the purpose of being bounced across several different domains before arriving at the destination? I’ve noticed this behavior when accidentally clicking on sketchy ads, but never stopped to think about it.
byteknight
It bypasses a lot of the checks they do on the initial site when submitting to ad networks. It also allows custom redirections based on user agent, potential ip location, etc. Common in phishing.
out-of-ideas
reminds me of how okta and similar handle logging in. feels like 10thousand redirects later.. training users that behavior is okay
OkayPhysicist
I literally just implemented an Okta integration with an internal tool yesterday, so let me offer a little insight on why this happens. I have an existing tool. The guy in charge of it doesn't want me breaking anything, but we want to add an SSO flow to avoid having to login.
So I need a "SSO login page", which fetches some configuration data, stores it, generates some shared tokens, hands them to the browser, and then redirects the user to an Okta endpoint. Okta, for some reason, doesn't directly serve the login screen at that endpoint, so it captures the tokens I gave the browser, then redirects to its login page. The user logs in on the Okta page, which then redirects the user back to a page that I specified, which (since I don't want to touch the fragile 10,000 line php document that is the application's home page, is a separate page, which gets some information from the browser, makes a request to another Okta endpoint, at which point the user can be authenticated, logged in, and then sent to the home page of the app.
Basically, the most standalone way of handling the problem involves 4 redirects.
badmintonbaseba
Still better than the MS Teams website, which can get into a weird state and redirect in circles.
Xevion
I despise how my university's login system just redirects several times (sometimes getting stuck, reloading and redirecting multiples times, and then occasionally shitting me out on the logged out screen, wondering WTF happened).
I cannot fathom how their IT staff allows things to be that way. One redirect ideally. Two max. Three, and I'm assuming you don't know what you're doing, at all.
immibis
One reason is to set session ID cookies on several different domains.
rrr_oh_man
> I cannot fathom how their IT staff allows things to be that way. One redirect ideally. Two max. Three, and I'm assuming you don't know what you're doing, at all.
Welcome to Microsoft/Live/Bing/Skype/Edge/...
mschuster91
The problem with university login systems - at least here in Germany/Europe - is this global federation system that's also backing EduRoam. Authentication flows there are insanely complex, not to mention dealing with known quirks of some university's implementation...
imp0cat
If only it were that simple. You can thank Apple, Google and their war on cookies for that.
weird-eye-issue
In addition to what the other comments said it also would allow for first-party cookies to be set for those domains
Not sure if that's the purpose but it could potentially be used for tracking, monetization, etc
Mtinie
Multiple impressions per interstitial domain, I imagine.
lionkor
A lot of microsoft services do this, too. Though, that's probably incompetence.
psychoslave
>While TDSs are commonly used by legitimate advertising networks to manage traffic from disparate sources and to track who or what is behind each click, VexTrio’s TDS largely manages web traffic from victims of phishing, malware, and social engineering scams.
Legal sysops is still sysops. Certainly every actor out there putting in place individual level mass surveillance and influence consider themselves very legitimate.
b0a04gl
> This is the new pop-up ad.
browser gave it a front row seat without asking. feels less like security and more of a prank someone forgot to turn off
thyristan
This is, at least for browser notifications, just yet another result of generally atrocious browser UI decisions.
There are tons of permissions a site may or may not request, all of them configured and requested in different ways. Sometimes it is a full page overlay, like when you get a certificate error. Sometimes it is a separate popup window, like when you allow using a client certificate. Sometimes it is a whole-width bar below the address bar, like when a page requests becoming your mailto:-scheme-handler. Sometimes it is a smaller popover dangling from the address bar or some icon there, like for camera or location. Sometimes I can allow/deny, sometimes I can allow or just close that tab. Sometimes I can remember the setting, sometimes it is auto-remembered.
As soon as the initial setting has been configured, removing or reconfiguring it happens in totally different and unobvious places again.
And then, If I allowed something and there is e.g. a notification from a website, the browser hides the fact that this is a browser-based notification, there are no embedded "STFU, never show again" buttons or anything.
There also is no simple place to just look at all the permissions some website might have. There also isn't a place for many permissions, where you can get a list of websites that have e.g. camera permissions.
It is all just very opaque, non-obvious, historically grown inconsistent spaghetti.
What needs to happen is a consistent permission request and change flow for everything a website wants to do. Not only with "allow forever/deny forever", but also with "allow/deny once", "allow/deny for session", "allow/deny for timeframe". And with an "allow to ask again after timeframe/never/..." selection. Not with popups or bars, but with a whole-page overlay like HTTPS does. Why whole-page? Because then clickjacking won't work, there is more space to put an explanation and options, and pages need to interrupt flow so this will hopefully be used sparingly.
tempodox
It never ceases to amaze me how creativity gets ramped up to 11 when it comes to graft, theft and scam.
BMaronge
The article is a bit vague on some points, for example: the links bounce the visitor through a series of domain names... why exactly? What do the scammers gain by redirecting the visitor multiple times instead of just once? It is not explained.
coldpie
KrebsOnSecurity is a really weird website. I feel like I should be the perfect audience for it, as a software engineer who is very interested in security and reverse engineering, but every time I try to read their articles it just comes across as paragraphs and paragraphs of overwrought fluff with zero actual content. I guess their audience is someone with less technical knowledge who is impressed by empty phrases like "startling discovery" and "online hucksters and website hackers" and "resilient and incestuous". And that's all just in the first paragraph here. Get to the point, man.
bn-l
Huh that’s weird I feel the exact same way and should also be the natural audience.
Every time I read an article though I feel like my eyes go cross eyed. It’s like you said, the words are there they should make sense, but I find my attention wandering.
It’s like they are written by a very very early LLM.
cpburns2009
I stopped reading his website after he started spreading disinformation about Ubiquiti.
HocusLocus
I've followed Krebs for years and appreciate this specific warning. I changed my dad's default Windows colors so when he was presented with fake system dialogues floating on web pages he'd spot them as different right away. But the "click allow to prove you're a human" might have caught him. Captcha-annoyed people are slightly easier to fool sometimes. Push wasn't a big thing then or I would have disabled it.
Dad was one of those late computer adopters who had to be instructed carefully about things pretending to be other things and and nested windows. I remember when pages spawning new windows (then grabbing focus to hide them) was a thing. Then older folks about to go to bed closing their browsers and greeting the hidden windows like a continuation of their browsing experience.
Russia has evolved along with us on the Internet and I'd remind Mr. Krebs paraphrasing Freud, sometimes a Russian oligarch is just a Russian oligarch. It's possible that the Kremlin has hired these companies like everyone else, and a lot of shady people want to penetrate EU DNS defenses.
Fake camping sites with AI content whether its disinformation or deception or hallucination with no human proofreading, is a looming problem. Keep an eye on the prize, preventing old people from getting scammed.
People need more education in general to spot nefarious content, no matter who the state actor is. We don't want a repeat of the Alfa-Bank scam 'October Surprise' either. It relied on the gullibility of the Internet surfing public but DNS administrators should have seen through it and asked more questions.
null
tehwebguy
Once again grateful that at least one mobile platform doesn’t allow browser push notifications.
username223
> TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling “push notifications,”
Why is it even possible for hostile code (i.e. JavaScript) to send OS-level notifications? If clicking a link runs untrusted code with layers of legal insulation, that code should run in a very limited sandbox. It's crazy that we're turning the "Open Web" into an ever-expanding attack surface.
hakfoo
Because people turned browsers into an app platform and users wanted their webmail and chat services to have the same first-class features native clients had.
null
username223
Who wanted their web browser to let hostile programs send notifications and access battery levels, unused fonts, etc.? Ad companies run the web standards bodies, so "people" (i.e. you and me) have to deal with this.
Xevion
In all fairness, some of these things you've mentioned could be useful. If your battery is low, reprioritize the webapp's functions, lower requests, disable anything not necessary in the moment.
Notifications are just another convenient thing that me and you use every day.
Perhaps these things should be disabled by default, or requested upon being needed, but that's not really your argument it would seem.
jeroenhd
Because it's very useful.
You don't call any OS level API from a website. The browser makes and shapes the notification for you. If the notification cannot be traced back to your browser, blame your browser vendor for their bad design.
That said, no amount of good browser design can protect a computer from people who don't know what they're doing. I recall a recent malware campaign where a similar mechanism was used, but instead of "click this button, go to site settings, click notifications, click allow", it'd show "copy this, hit windows+r, hit ctrl+v, then press enter to confirm you're human".
As computers continue to be dumbed down, I don't expect computer literacy to rise to a safe level any time soon. It's a matter of time before executing downloads from the internet becomes impossible.
> According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling "push notifications," a cross-platform browser standard that allows websites to show pop-up messages which appear outside of the browser.
An elderly relative of mine was hit by this a couple years back: his computer's desktop was constantly being spammed with messages on startup, and there was no simple way to turn them all off. It turned out that they were all notifications from web workers that he'd inadvertently allowed at some point prior. (I set his browser to auto-deny notifications so it wouldn't happen again.)