Found an interesting attack vector used against my mom's phone

Yesterday I got a panicky phone call from my mom saying that she clicked on a link and she started getting a bunch of notifications about Norton finding security threats and needing to log into things to stop losing protection. I knew I couldn’t troubleshoot over the phone, so I went over to see what the deal was.

Not sure what she did, but it seems like through the link or PDF she clicked, the attacker was able to set a site to send her notifications through the Chrome browser. Those notifications contained spam asking for credentials, scaring her about things expiring, and even some… unsavory invites, lol.

We looked around and didn’t see anything suspicious installed on her phone. Even so we uninstalled unused apps. She doesn’t stay logged into any banking apps. She also doesn’t really use Chrome for anything, so I was able to wipe that data and move on. I took the extra step of blocking notifications on Chrome, removing that site from Chrome entirely, and installing Brave as her default instead.

She uses an old Samsung Galaxy that stopped getting security updates (its own problem, I know), so it was an Android phone. Don’t know if iOS has a feature for notifications from their browsers or not.

Thankfully I don’t think we had to go the extra step of factory resetting her phone. However I wanted to mention this in case you guys thought there was more we should check.

Also, as a heads-up that this kind of thing can happen - I hadn’t heard of this before. Seems like while this attack didn’t do anything, it was a step toward phishing credentials or installing something worse.

1 Like

iOS (and iPadOS) didn’t have any support for web notifications until recently.
To get web push permission:
First, the website needs to be added to the home screen (with “Add to Home Screen” in the Share menu).
Then, it needs direct user interaction before the website can ask for notification permissions (like a ‘subscribe’ button).

And there are a lot more restrictions used to make sure that it can’t be used as a silent background runtime.

IMO it is a very good implementation of web notifications, as it gives more control to the user rather than the site.