steven36 Posted January 9, 2016

Cyber crooks have set up a clever new clickjacking campaign that takes advantage of pop-up alerts that European users are (by now) accustomed to seeing: the "EU Cookie Law" notifications.

Since May 2012, websites owned in the EU or targeted towards EU citizens are required to get visitors' consent to be able to place a cookie on their computer. They comply by showing pop-up notices that require the user to make a choice.

The criminals are exploiting this fact by placing a legitimate ad banner on top of the warning message via an iframe. The trick is to make the ad invisible by setting its opacity to zero.

So, each time a user clicks anywhere on the legitimate message, he or she clicks also on the hidden ad.

"While simple, this technique, also known as clickjacking, is pretty effective at generating clicks that look perfectly legitimate and performed by real human beings as opposed to bots," Malwarebytes' Jerome Segura explains. "This is costing advertisers and ad networks a lot of money while online crooks are profiting from bogus Pay Per Click traffic."

The campaign does not currently present a danger to the visitors themselves, and Google has been notified and has likely put a stop to it by now.

Still, similar campaigns that will likely pop up in the future might not be so benign - the ads the users inadvertently click on could be malicious, taking users to websites hosting malware or exploit kits.
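The overlay described in the post above (an ad iframe with opacity zero placed over the cookie notice) leaves a recognisable trace in the page layout, which an auditor can check for. This is an added example, not part of the original post or of Malwarebytes' analysis; the function names, the 0.1 opacity threshold and the sample frame data are assumptions constructed for illustration.

```javascript
// Added example: flag iframes that are effectively invisible but still
// clickable and laid over a visible element such as a cookie notice.
const OPACITY_THRESHOLD = 0.1; // assumption: below this the frame is imperceptible

// Intersection area of two rects shaped {left, top, width, height}.
function overlapArea(a, b) {
  const w = Math.min(a.left + a.width, b.left + b.width) - Math.max(a.left, b.left);
  const h = Math.min(a.top + a.height, b.top + b.height) - Math.max(a.top, b.top);
  return w > 0 && h > 0 ? w * h : 0;
}

// Pure check over frame descriptors; returns suspicious frames and the
// fraction of the notice each one covers. Stacking order is not evaluated.
function findHiddenOverlays(frames, noticeRect) {
  const noticeArea = noticeRect.width * noticeRect.height;
  return frames
    .filter(f => f.opacity < OPACITY_THRESHOLD && f.pointerEvents !== 'none')
    .map(f => ({ src: f.src, covered: overlapArea(f.rect, noticeRect) / noticeArea }))
    .filter(hit => hit.covered > 0);
}

// Browser adapter: opacity compounds through ancestors, so multiply it up the tree.
function describeFrames(doc, win) {
  return Array.from(doc.querySelectorAll('iframe')).map(el => {
    let opacity = 1;
    for (let n = el; n; n = n.parentElement) {
      opacity *= parseFloat(win.getComputedStyle(n).opacity);
    }
    const r = el.getBoundingClientRect();
    return {
      src: el.src, opacity,
      pointerEvents: win.getComputedStyle(el).pointerEvents,
      rect: { left: r.left, top: r.top, width: r.width, height: r.height },
    };
  });
}

// Constructed sample data (not taken from the campaign described above).
const SAMPLE_NOTICE = { left: 0, top: 500, width: 800, height: 100 };
const SAMPLE_FRAMES = [
  { src: 'https://ads.example/banner', opacity: 0, pointerEvents: 'auto',
    rect: { left: 0, top: 480, width: 728, height: 90 } },   // invisible, over notice
  { src: 'https://video.example/embed', opacity: 1, pointerEvents: 'auto',
    rect: { left: 0, top: 0, width: 640, height: 360 } },    // visible, elsewhere
  { src: 'https://px.example/pixel', opacity: 0, pointerEvents: 'none',
    rect: { left: 0, top: 500, width: 1, height: 1 } },      // hidden but not clickable
];
console.log(findHiddenOverlays(SAMPLE_FRAMES, SAMPLE_NOTICE));
```

In a browser console the same check runs as `findHiddenOverlays(describeFrames(document, window), noticeElement.getBoundingClientRect())`, where `noticeElement` is whichever element holds the consent notice.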
straycat19 Posted January 9, 2016

Kind of reminds me of an old trick from the mid 90's where you could send a user a link and it opened up 1500 popup ads. Not only was it a real pain to click on each one to close it, but at 2 cents a popup it amounted to a lot of income. When one ad exploit is stopped they always find another and Pay Per Click ads have been around so long and been so abused that nothing astounds anyone in the IT field any more. And as long as there is no adverse effect on the system this type of irritating action is actually more of a nuisance than a threat, which could be called nuisanceware.
This topic is now archived and is closed to further replies.