EU Cookie Law Notification Abused to Hijack Clicks for Invisible Ads

Did you click on a cookie notification, or was that an ad? Cyber-crooks have come up with a new way to fool users into clicking on ads instead of letting them access a website’s content, and this method relies on the EU Cookie Law notification.

In May 2011, the European Parliament adopted an EU Directive which said that individuals have the right to refuse the use of cookies, and so, website operators should show a notification on their sites to inform users if and how cookies are used.

Since then, all Internet users have become accustomed to these cookie usage notifications, with some sites showing them to all visitors, not just those coming from European countries.

New clickjacking technique is hard to spot with the naked eye

According to cyber-security vendor Malwarebytes, a group of cyber-crooks has found a way to abuse these innocent-looking notifications, tricking users into clicking on a hidden ad instead.

The scam is simple and quite ingenious. When a user accesses a website, a cookie usage notification is shown in the middle of the page inside a popup.

What users don’t know is that on top of this popup, the scammers also load an iframe with a Google ad inside. They then use the CSS property “opacity: 0” to make the ad invisible, letting the notification underneath show through.
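A defender auditing a page can look for this overlay pattern directly. The following added example (not from the original article or from Malwarebytes) flags iframes that are effectively invisible, still receive clicks, and sit above a visible button or link; the snapshot format, field names, threshold and sample data are assumptions constructed for illustration.

```javascript
// Added example: flag invisible iframes stacked over visible clickable elements.
// Each entry is a constructed snapshot of one element. In a browser the fields
// would come from getBoundingClientRect() and getComputedStyle(); "opacity" is
// the effective value (the element's opacity multiplied by its ancestors').
const OPACITY_THRESHOLD = 0.05; // assumption: at or below this, treat as invisible

const SAMPLE = [ // constructed data modelled on the popup described above
  { id: 'accept',  tag: 'button', opacity: 1, zIndex: 10, pointerEvents: 'auto',
    rect: { x: 400, y: 300, w: 120, h: 40 } },
  { id: 'decline', tag: 'button', opacity: 1, zIndex: 10, pointerEvents: 'auto',
    rect: { x: 540, y: 300, w: 120, h: 40 } },
  { id: 'ad-frame', tag: 'iframe', opacity: 0, zIndex: 20, pointerEvents: 'auto',
    rect: { x: 380, y: 280, w: 300, h: 250 } },
  // Invisible but click-through: cannot intercept clicks, so not a finding.
  { id: 'pixel', tag: 'iframe', opacity: 0, zIndex: 20, pointerEvents: 'none',
    rect: { x: 400, y: 300, w: 1, h: 1 } },
  { id: 'footer-link', tag: 'a', opacity: 1, zIndex: 0, pointerEvents: 'auto',
    rect: { x: 10, y: 900, w: 80, h: 20 } },
];

function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

function findHiddenOverlays(elements) {
  const frames = elements.filter(e => e.tag === 'iframe' &&
    e.opacity <= OPACITY_THRESHOLD && e.pointerEvents !== 'none');
  const targets = elements.filter(e => (e.tag === 'button' || e.tag === 'a') &&
    e.opacity > OPACITY_THRESHOLD);
  const findings = [];
  for (const f of frames) {
    for (const t of targets) {
      const covered = overlapArea(f.rect, t.rect) / (t.rect.w * t.rect.h);
      // Simplification: compare z-index as if all elements share one stacking context.
      if (covered > 0 && f.zIndex >= t.zIndex) {
        findings.push({ frame: f.id, target: t.id, covered: Number(covered.toFixed(2)) });
      }
    }
  }
  return findings;
}

console.log(findHiddenOverlays(SAMPLE));
```

Both popup buttons are reported as fully covered by the invisible frame, while the click-through pixel and the footer link are not.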

The technique can also be used for malvertising campaigns

The ad is still there, but invisible to the naked eye. When users click on any of the cookie notification’s buttons, they are unwittingly clicking the ad, generating profits for the scammers and being redirected to the ad’s target URL.

While this campaign is quite harmless in its current form, since it shows safe ads from legitimate companies, the trick behind it can easily be used to display malicious ads instead, cleverly redirecting users to dangerous Web pages where exploit kits infect users with malware.

Something tells us this isn’t the last time we hear about EU Cookie Law notifications being abused.

New EU Cookie Law clickjacking technique, visually explained
