The security impact of detecting potentially unwanted programs is sometimes fuzzy, but in our experience, it helps reduces help desk costs. 

Small Victories: The ROI of PuP Detection 

Potentially Unwanted Programs (PuPs) generally have no real security impact. In most cases, they are more of an annoyance than a real threat (even if the threat can be real, as described in our previous post). So, why does CYDEF take the time to report theses PuPs to customers?  

The bulk of the reason is that the software is not supposed to be present and generally exposes the customer to unnecessary risk. Sometimes we also manage to improve the customer’s life by reducing their help desk costs. 

This week, we’ll talk about an obscure functionality in Chrome that we have seen abused by malicious actors to mimic the results of adware and how our ability to detect those helped customers reduce their help desk costs. 

The New Way to Show Unwanted Ads 

Back in the early days of the Internet, users were often targeted with a swarm of annoying pop-up messages showing them publicity. The practice was so prevalent that there is even a Wikipedia page about popup ads.  However, as ad-blocking software and script prevention software proliferated, these “enthusiastic” advertisers had to shift to a different tactic. 

The new tactic used to show users annoying ads does not rely on Javascript, but relies instead on web push notifications. While browsing the Internet, you have assuredly been asked by a site if the site could send you a notification to grab your attention if a breaking news happened or your favorite content creator uploaded a new video. These notifications appear on the user’s screen even if the connected web page is not opened in the browser. This power is obviously only used for good. 

Grabbing your attention, often without your consent, is precisely what advertisers want. Furthermore, advertisers quickly realized that push notifications are even more powerful than Javascript. After all, you needed to be on the page (or at least have your web browser open if they had some JS persistence) for them to bombard you with ads. This is no longer the case with push notifications. This enables the advertisers to send down more ads, but also makes it harder for users to stop the ads from appearing.  

How can you tell if a pop-up ad that just showed up in your notifications is from a web site you visited weeks ago? 

How CYDEF Detects Spurious Push Notifications 

With our SMART-Monitor service, we find a fair amount of spurious notification cases. In the general case, our SMART-Monitor service does not track user web traffic. However, spurious notifications show up in our telemetry because they are programmatic calls to the web browser and not a user normally surfing the web. 

In browsers based on Chromium, such as Chrome, to generate a push notification, the browser is called with a special “notification-launch” command line option. Here is one example extracted from a spurious notification ticket we opened for one of our customers (URL edited to avoid accidental clicks): 

CommandLine:”C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” –notification-launch-id=0|0|Default|0|https://captcharesolving-universe[.]com/|p#https://captcharesolving-universe[.]com/#19404

Looking at the notifications, you quickly see a number of obviously legitimate websites (e.g. youtube), but you also find a number of sites that clearly are attempting to look legitimate, like our captcharesolving-universe friend up here. These are usually the sites annoying the users with unwanted pop-ups. Usually, searching Google for the site name will yield a bunch of top results filled with people complaining about the unwanted ads and asking how to remove them as shown below (at time of writing). 

How to Actually Remove Spurious Push Notifications 

The fix for this annoyance is very easy. You only have to go in your browser configuration and remove the permission from the offending web site to send push notifications. 

Naturally, this is not what most users think of because they don’t understand exactly what is happening. Looking at the Google search, it is clear that many users think they have been infected by a virus or adware program.  

The Link With The Help Desk 

When users have a computer problem, they call the help desk. And when they do, they complain about the symptoms of the problem, not the cause. So, the help desk has to interpret what the user is saying and investigate the machine to check what could be wrong. 

In the case of these spurious notifications, a typical story might look like the following. The help desk starts by scanning the machine with an AV and finds nothing. So, they mark the ticket as resolved. Then, the user sees the ads again and reopens the ticket. The help desk then asks the user to notify them when it happens again so they can remote in and manually investigate what is causing the popups. This is a lot of back and forth and a lot of wasted time. All of these interactions cost money. 

We have had multiple cases where we reported this kind of activity and the user opened a help desk trouble ticket a few hours or a few days after.  While it would have been even better if they had been proactively removed, since the source of the problem was already identified and next steps were clearly laid out, the help desk tickets could be solved immediately. 

So, even if the main reason to integrate security monitoring is to improve your security outcomes, you might also get improvements in your day-to-day IT operations. This is another point to consider when looking at the return on investment for our managed service. 

Want to Know More About CYDEF?

Contact us or try SMART-Monitor free for 30 days. 

Dr. Antoine Lemay

Chief Scientific Officer