How Push Notifications Are Exposing Consumers to a New Breed of Cyber Attack

Push notifications, powerful engagement tools for marketers and publishers on mobile, are exposing readers to new types of cyber attacks known as push lockers. Marketers need to recognize these risks and ensure they’re taking the steps necessary to protect their audience.

Editor’s Note: This article was originally written for the publishing industry, but a number of marketers also employ push notifications, and should be aware of possible cyber security threats.

It should come as no surprise to anyone involved in the digital advertising ecosystem that fraudsters are always looking for new methods to target users with sophisticated digital attacks. As soon as innovative new ways of engaging with users are developed, cyber criminals aren’t far behind with a method for exploiting these innovations, particularly when there’s money to be made. Now, as push notification ads grow in popularity, a new threat to user security is growing within the format: push lockers.

Upon identifying these push-notification-specific lockers, between February and March AdSecure — an ad security verification tool and my employer — saw a 563% increase in the detection of browser locker attacks, and at the time of writing this article, we have protected our partners from more than 20 unique push lockers in under 24 hours.

While push notifications are a popular way for publishers to engage their readers, publishers must recognize the growing risk and take the necessary steps to ensure that their readers are protected. That includes working with ad partners who have the necessary technology to identify these cyber security threats and thwart them.

What Is a Push Notification Ad?

Push notification ads are simple clickable messages, accompanied by a small image, that are delivered to desktop browsers or mobile devices, but only once a user has consented to receiving them. This is a key point: because users have agreed to see the ads, they are perceived as less intrusive than traditional formats and draw a higher level of engagement from the user.

Push notifications work by displaying an initial permission request — managed by the browser — when a user is visiting a site for the first time. Once the user agrees to receive these push notifications, they will receive them based on the frequency set out by the advertiser. Should a user opt not to see push notifications, the browser logs this choice as well, and they won’t be asked to subscribe to them again.

What Is a Push Locker?

The push notification format, while relatively new, is growing in popularity within the online marketplace for all the reasons mentioned previously: users have to opt in to see them at all, and with that consent comes a higher rate of engagement. Brands using push notifications are seeing increased click-through rates, and just as marketers are seeing the clear benefits the format provides, cyber criminals are becoming wise to the potential for driving malicious campaigns straight to users' screens. What has developed out of these sinister intentions is a new form of browser locker specifically designed around the natural behavior of a push ad.

When you make the choice to opt in to, or out of, receiving push notifications on a particular site, the browser manages the request and saves the choice. However, it's the way the browser saves this choice — either by domain, or subdomain — that can expose the user to trouble.

What happens if the user opts out, but the website redirects him automatically to another subdomain? Can you guess what’s coming? This allows the user to be prompted again to accept the push notification. So naturally, he declines this new request, and then he’s sent to yet another subdomain and asked again, and again, and again. Suddenly he is trapped in an endless looping push notification nightmare, and he can only escape it by giving in and “consenting” to receive the push notification.

Incredibly annoying, right? But this is tame compared to what other push lockers are capable of.
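
The subdomain re-prompt loop described above can be recognized in a scanner's event trace. The following is an added example, not code from the article or from AdSecure; the event format, the function names and the three-re-prompt threshold are assumptions.

```javascript
// Added example: event shape, names and threshold are assumptions.
// Browsers store the allow/block choice per origin, so a "block" on one
// subdomain does not carry over to a sibling subdomain of the same site.

// Naive site guess from the last two host labels; a production scanner
// should use the Public Suffix List instead.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// events: ordered [{ type: "prompt" | "deny" | "allow", url }]
// Flags a site when at least minReprompts distinct origins showed the
// notification prompt after the user had denied it on a sibling origin.
function detectPushLockerLoop(events, minReprompts = 3) {
  const bySite = new Map();
  for (const ev of events) {
    const origin = new URL(ev.url).origin;
    const site = siteOf(ev.url);
    if (!bySite.has(site)) {
      bySite.set(site, { denied: new Set(), reprompts: new Set() });
    }
    const state = bySite.get(site);
    if (ev.type === "deny") {
      state.denied.add(origin);
    } else if (ev.type === "prompt") {
      const deniedElsewhere = [...state.denied].some((o) => o !== origin);
      if (deniedElsewhere && !state.denied.has(origin)) state.reprompts.add(origin);
    }
  }
  for (const [site, state] of bySite) {
    if (state.reprompts.size >= minReprompts) {
      return { locked: true, site, origins: [...state.reprompts] };
    }
  }
  return { locked: false, site: null, origins: [] };
}

// Constructed traces (reserved .example names), not captured data.
const mk = (type, host) => ({ type, url: `https://${host}/` });
const lockerTrace = [
  mk("prompt", "a1.locker.example"), mk("deny", "a1.locker.example"),
  mk("prompt", "a2.locker.example"), mk("deny", "a2.locker.example"),
  mk("prompt", "a3.locker.example"), mk("deny", "a3.locker.example"),
  mk("prompt", "a4.locker.example"),
];
const benignTrace = [
  mk("prompt", "www.news.example"), mk("deny", "www.news.example"),
  mk("prompt", "blog.news.example"),
];
console.log(detectPushLockerLoop(lockerTrace), detectPushLockerLoop(benignTrace));
```

A single re-prompt on a sibling subdomain, as in the benign trace, stays below the threshold; lowering `minReprompts` trades missed loops for more false positives on sites that legitimately use several subdomains.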

What Types of Push Lockers Are Out There?

There are various types of push lockers, some more sophisticated than others. Here are two examples:

Browser Hijacking

Cryptocurrency mining is a popular way for cyber criminals to hijack a user's browser: the user's computing power is secretly used to mine cryptocurrency for the hijacker without his knowledge. A push locker will keep the user locked on the consent page until he accepts the push, all the while quietly mining cryptocurrency in the background.

Users who opt in are then redirected to a new offer page which also launches the cryptocurrency miner, leaving the user with no safe option to take. When this type of push locker is implemented on a mobile browser, the entire device is rendered useless for the owner, again until he is forced to consent. In all cases, the looping push notification locks the user into an action that he absolutely does not want to take, and puts him at severe risk of exposure to exploits or other security breaches.

Full-Screen Hijacking

If a user clicks somewhere on the page other than the buttons to allow or block a push notification, the browser switches to full-screen mode. That prevents the user from doing anything else until he accepts the push notification, which in turn leads the user to a scam offer, the forced download of malware, or a similar security threat.

What’s the Solution? 

The relative speed at which push lockers have appeared on the scene has caught some ad verification providers off guard. They either weren’t aware of the problem quickly enough, or they aren’t using the modern technology needed to detect push lockers with any degree of consistency and precision.

Push lockers are sophisticated and pernicious, and in order to catch them early and often, the ad verification scanning technology being used needs to be based on the most modern browser technology available, particularly a crawler powered by Chrome, as Google’s browser is the most commonly used.

As more publishers and ad platforms begin to work with the push notification ad format, push locker attacks will spread across the digital ads landscape. As a publisher, make sure that your partners are working with an ad verification provider that has the resources and the knowledge needed to track down push lockers and keep them from hurting your end users.


The Power and Pitfalls of Using Browser Push Notifications

With the advent of browser push notifications, marketers and publishers now have a new channel to directly connect with their audience. Odds are, you’ve encountered browser push opt-in requests many times: browser-generated dialogs asking whether you want to “allow” or “block” notifications from the site you’ve just entered.

The ability to reach users immediately, no matter where they are, makes browser push a high-potential channel for delivering breaking news or the day's top articles. By using push to connect users directly with their best content a couple of times each day, marketers and publishers can build valuable direct relationships with a broader audience.

That’s not to say browser push success is automatic. In fact, the wrong push approach can cut these relationships short before the first notification is sent. To implement browser push effectively, it’s important to recognize both its power and potential pitfalls so you can craft a strategy that doesn’t push people away.

The Power of Push

Apps for phones and tablets have been around for years, and many publishers use app push notifications to reach their audience and buzz their pockets to drive engagement, all without the algorithm interference of social or the deliverability challenges of email. However, the biggest obstacle here is usually the app itself — getting people to download your app can be tough, assuming you have the resources to build an app in the first place. Less than half of digital publishers have an app, and for those that do, audience penetration averages less than 5%.

With browser push, publishers get the same instantaneous reach of app push without the hurdles. Not everyone will download an app, but everyone uses a browser and browser push notifications are functionally identical to app notifications. They appear on your desktop or phone home screen, even if you are not browsing the web. And with all modern web browsers now supporting push on mobile and desktop, your potential audience is significant.

Even better, you have a good chance of converting this potential audience. Browser push tends to earn higher opt-in rates than other channels because of its low-hurdle opt-in.

While some visitors may hesitate to hand over their email address, especially on mobile, you may succeed in asking them to complete a lower-effort action. Opting into push requires nothing more than clicking the mouse, giving publishers access to a sector of their audience that might be wary of giving up personal information.

The Pitfalls of Push

These benefits have led more marketers and publishers to incorporate browser push into their strategy, especially as increased browser support makes it more attractive and companies like OneSignal give them the ability to send unlimited push notifications for free.

Of course, wider use of push doesn’t mean that marketers and publishers are using it the right way. Those push subscribers who refuse to hand over their email address probably wouldn’t be happy to learn that free browser push services make a business of selling their user data. Making a serious push with browser notifications may require publishers to rethink the use of free push services. They’ll also have to rethink their push approach.

Many browser push strategies go awry at the attempt to obtain the opt-in. Often, marketers and publishers rely solely on the browser’s default permissioning request, that dialog box generated natively through the browser as soon as the page loads. While the default dialog does offer a low hurdle for your audience, it creates a high-stakes situation for you. Before visitors even get a chance to view your content, default dialogs hit them with an ultimatum: agree to receive push notifications from this site or block them outright. It’s hardly a way to welcome new visitors.

Without prior knowledge of your content, your invitation will most likely be rejected. And since very few people will dig deep into their browser settings to reverse their decision, your push notifications are essentially blocked forever, robbing you of a chance to connect in the future.

Growing Your Push Audience

The key to growing your browser push audience lies with a more strategic opt-in request. In order to maximize your audience and prevent an immediate block, it’s best to make sure the browser dialog is displayed only at the point when your audience is likely to convert.

To do so, you can present an initial message that lets visitors trigger this allow/block prompt themselves, making it likely that users only see the dialog box when they’re ready to opt in. That way, if they haven’t reached that point yet, you still have a chance to convert them at a later time, after they’ve seen enough of your content to know they’d like to receive alerts about it.

Deploying your own opt-in request also gives you the ability to customize your message, which can make all the difference when it comes to earning an opt-in. Like email newsletter capture forms, you can compel more people to opt in by first telling people what they’re opting into. By clearly communicating the value of receiving your push content, you can earn something more valuable in return: a direct audience relationship.

Are You Meeting Your Customers’ Mobile Needs?

As modern marketers, we put a lot of thought and effort into our digital marketing programs. The goals are to promote engagement with our brands, drive traffic to our website or encourage customers to walk into a store. Many times, the goal is all three.

Most of the U.S. population — 61 percent — say they use mobile phones for shopping activities, according to the 2017 Synchrony Financial Digital Study recently completed. But what would resonate with them in terms of digital marketing and, more importantly, what would drive their behavior? Based on the referenced survey, there are specific elements of mobile marketing that consumers tell us they are interested in.

Significantly, 50 percent of consumers said if their favorite retailer sent offers to their mobile devices, they would shop there more often. Mobile marketing can include in-app messages, push notifications, beacon / location based offers, SMS messages and voice recognition.

Given this consumer interest, how many companies are investing in mobile technology? The answer is, it depends. According to “The State Of Digital: A Mobile Commerce Perspective: Forrester’s H2 2016 Global Mobile Executive Online Survey” by Forrester, nearly 70 percent of marketers say they are regularly using responsive Web design and mobile optimized websites. It seems that most companies have the basics of mobile user experience down pat. But fewer companies are actively marketing via mobile. Only about 40 percent regularly use SMS messaging or push notifications, and only one in three use in-app messages.

Another element of mobile marketing that consumers express interest in is location-based marketing. Almost half (46 percent) of all consumers said they would like to get relevant offers based on their location. This is overwhelmingly driven by millennials. For instance, 61 percent of those ages 18 to 25 would like location-based offers, steadily declining for each age group (only about a quarter of those 66 or over said this is the case).

But only 37 percent of marketers are using push notifications and an even smaller percentage (only 12 percent) are regularly using beacon/location support on mobile phones, according to the same Forrester study referenced above. There are certainly restrictions on SMS marketing (consult your legal advisor as to the permissions required), but some companies are still planning to implement these programs — about a quarter are planning to pilot/test SMS messaging, and 35 percent are planning to pilot/test push notifications in the future.

Mobile marketing is clearly an imperative for companies with large numbers of millennials in their current or target consumer base. And remember, Gen Z’s, the true mobile natives, are fast approaching behind the millennial population. They may be even more comfortable with mobile marketing than their millennial older siblings. Investments in mobile technology will certainly be crucial for many more marketers as these populations expect more from their favorite brands.

With the constantly evolving field of smartphone technology, people become more and more enamored of using their phone for anything and everything. Digital marketers are challenged to provide “delighters” to attract and engage the population that is most interested in using this technology. Successful digital marketing programs listen to the customer and proactively engage them, whenever and wherever they happen to be.

Note: The views expressed in this blog are those of the blogger and not necessarily of Synchrony Financial. All references to consumers and population refer to the survey respondents from the Synchrony Financial 2017 Digital Study unless otherwise noted.