{
	"id": "300f8f75-7ac5-4d60-b404-e49abb9b5ca5",
	"created_at": "2026-04-06T02:13:20.162176Z",
	"updated_at": "2026-04-10T03:21:40.494057Z",
	"deleted_at": null,
	"sha1_hash": "d5daf6a221ec82da234e4a7bac88bb239ffd3bdc",
	"title": "Be Very Sparing in Allowing Site Notifications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 922334,
	"plain_text": "Be Very Sparing in Allowing Site Notifications\r\nPublished: 2020-11-18 · Archived: 2026-04-06 01:36:03 UTC\r\nAn increasing number of websites are asking visitors to approve “notifications,” browser modifications that\r\nperiodically display messages on the user’s mobile or desktop device. In many cases these notifications are\r\nbenign, but several dodgy firms are paying site owners to install their notification scripts and then selling that\r\ncommunications pathway to scammers and online hucksters.\r\nNotification prompts in Firefox (left) and Google Chrome.\r\nWhen a website you visit asks permission to send notifications and you approve the request, the resulting\r\nmessages that pop up appear outside of the browser. For example, on Microsoft Windows systems they typically\r\nshow up in the bottom right corner of the screen — just above the system clock. These so-called “push\r\nnotifications” rely on an Internet standard designed to work similarly across different operating systems and web\r\nbrowsers.\r\nBut many users may not fully grasp what they are consenting to when they approve notifications, or how to tell\r\nthe difference between a notification sent by a website and one made to appear like an alert from the operating\r\nsystem or another program that’s already installed on the device.\r\nThis is evident by the apparent scale of the infrastructure behind a relatively new company based in Montenegro\r\ncalled PushWelcome, which advertises the ability for site owners to monetize traffic from their visitors. The\r\ncompany’s site currently is ranked by Alexa.com as among the top 2,000 sites in terms of Internet traffic globally.\r\nWebsite publishers who sign up with PushWelcome are asked to include a small script on their page which\r\nprompts visitors to approve notifications. In many cases, the notification approval requests themselves are\r\ndeceptive — disguised as prompts to click “OK” to view video material, or as “CAPTCHA” requests designed to\r\ndistinguish automated bot traffic from real visitors.\r\nhttps://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/\r\nPage 1 of 5\n\nAn ad from PushWelcome touting the money that websites can make for embedding their dodgy push notifications\r\nscripts.\r\nApproving notifications from a site that uses PushWelcome allows any of the company’s advertising partners to\r\ndisplay whatever messages they choose, whenever they wish to, and in real-time. And almost invariably, those\r\nmessages include misleading notifications about security risks on the user’s system, prompts to install other\r\nsoftware, ads for dating sites, erectile disfunction medications, and dubious investment opportunities.\r\nThat’s according to a deep analysis of the PushWelcome network compiled by Indelible LLC, a cybersecurity firm\r\nbased in Portland, Ore. Frank Angiolelli, vice president of security at Indelible, said rogue notifications can be\r\nabused for credential phishing, as well as foisting malware and other unwanted applications on users.\r\n“This method is currently being used to deliver something akin to adware or click fraud type activity,” Angiolelli\r\nsaid. “The concerning aspect of this is that it is so very undetected by endpoint security programs, and there is a\r\nreal risk this activity can be used for much more nefarious purposes.”\r\nhttps://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/\r\nPage 2 of 5\n\nSites affiliated with PushWelcome often use misleading messaging to trick people into approving notifications.\r\nAngiolelli said the external Internet addresses, browser user agents and other telemetry tied to people who’ve\r\naccepted notifications is known to PushWelcome, which could give them the ability to target individual\r\norganizations and users with any number of fake system prompts.\r\nIndelible also found browser modifications enabled by PushWelcome are poorly detected by antivirus and security\r\nproducts, although he noted Malwarebytes reliably flags as dangerous publisher sites that are associated with the\r\nnotifications.\r\nIndeed, Malwarebytes’ Pieter Arntz warned about malicious browser push notifications in a January 2019 blog\r\npost. That post includes detailed instructions on how to tell which sites you’ve allowed to send notifications, and\r\nhow to remove them.\r\nKrebsOnSecurity installed PushWelcome’s notifications on a brand new Windows test machine, and found that\r\nvery soon after the system was peppered with alerts about malware threats supposedly found on the system. One\r\nnotification was an ad for Norton antivirus; the other was for McAfee. Clicking either ultimately led to “buy\r\nnow” pages at either Norton.com or McAfee.com.\r\nhttps://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/\r\nPage 3 of 5\n\nClicking on the PushWelcome notification in the bottom right corner of the screen opened a Web site claiming my\r\nbrand new test system was infected with 5 viruses.\r\nIt seems likely that PushWelcome and/or some of its advertisers are trying to generate commissions for referring\r\ncustomers to purchase antivirus products at these companies. McAfee has not yet responded to requests for\r\ncomment. Norton issued the following statement:\r\n“We do not believe this actor to be an affiliate of NortonLifeLock. We are continuing to investigate this\r\nmatter. NortonLifeLock takes affiliate fraud and abuse seriously and monitors ongoing compliance.\r\nWhen an affiliate partner abuses its responsibilities and violates our agreements, we take necessary\r\naction to remove these affiliate partners from the program and swiftly terminate our relationships.\r\nAdditionally, any potential commissions earned as a result of abuse are not paid. Furthermore,\r\nNortonLifeLock sends notification to all of our affiliate partner networks about the affiliate’s abuse to\r\nensure the affiliate is not eligible to participate in any NortonLifeLock programs in the future.”\r\nhttps://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/\r\nPage 4 of 5\n\nRequests for comment sent to PushWelcome via email were returned as undeliverable. Requests submitted\r\nthrough the contact form on the company’s website also failed to send.\r\nWhile scammy notifications may not be the most urgent threat facing Internet users today, most people are\r\nprobably unaware of how this communications pathway can be abused.\r\nWhat’s more, dodgy notification networks could be used for less conspicuous and sneakier purposes, including\r\nspreading fake news and malware masquerading as update notices from the user’s operating system. I hope it’s\r\nclear that regardless of which browser, device or operating system you use, it’s a good idea to be judicious about\r\nwhich sites you allow to serve notifications.\r\nIf you’d like to prevent sites from ever presenting notification requests, check out this guide, which has\r\ninstructions for disabling notification prompts in Chrome, Firefox and Safari. Doing this for any devices you\r\nmanage on behalf of friends, colleagues or family members might end up saving everyone a lot of headache down\r\nthe road.\r\nSource: https://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/\r\nhttps://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/"
	],
	"report_names": [
		"be-very-sparing-in-allowing-site-notifications"
	],
	"threat_actors": [],
	"ts_created_at": 1775441600,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5daf6a221ec82da234e4a7bac88bb239ffd3bdc.pdf",
		"text": "https://archive.orkl.eu/d5daf6a221ec82da234e4a7bac88bb239ffd3bdc.txt",
		"img": "https://archive.orkl.eu/d5daf6a221ec82da234e4a7bac88bb239ffd3bdc.jpg"
	}
}