Future Tense

How an Attempt to Give Users More Control Over Their Data Opened a Door for a New Scam

A sample disclosure about cookie tracking.

Screengrab of European Commission

Visiting another country often means visiting another Internet, where you may find that you can’t load a certain website, or view certain search results, or access certain services. But different countries’ online experiences aren’t only about who blocks what content—they can also be about who adds content and why.

For years, one of the signs that you’ve entered European cyberspace has been the little notices about cookies that pop up warning you that a site is collecting information about your session. Many European sites are required by law to notify visitors and get their consent to collect cookies—hence the notices, which serve as a subtle reminder of the ways that different policies and social values can impact what the Web looks like in different places. The cookie policy is, of course, intended to protect European online users’ privacy and provide them with greater transparency and agency when it comes to how their information is being collected and used. But it has also had some unintended consequences, according to a blog post by Jerome Segura at security firm Malwarebytes last week.

According to the Malwarebytes post, someone has found a way to use the cookie notification messages to trick viewers into clicking on invisible ads, simultaneously driving more eyeballs to the hidden ads and driving up costs to advertisers and ad networks operating on a pay-per-click model. The scam works by loading an ad on top of the cookie notification message. The opacity of the ad is set to zero, so it’s invisible to viewers, but when they try to click through the cookie notification message they instead end up clicking on the ad and being redirected to the advertiser’s site—a process called clickjacking.
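The overlay described above is something a site owner or auditor can check for in the page layout. The following script is an added example, not code from the article or from the Malwarebytes post: it flags elements that are effectively transparent yet still clickable and positioned over a cookie-consent banner. The element records, the `cookie-banner` id and the other ids are constructed for the example; in a browser the same records would be built from `getBoundingClientRect()` and `getComputedStyle()`.

```javascript
// Added example: detect an invisible-but-clickable element laid over a consent banner.
// Element records are plain objects so this runs offline (Node or browser).

function rectsOverlap(a, b) {
  return a.left < b.right && b.left < a.right && a.top < b.bottom && b.top < a.bottom;
}

// "Invisible but clickable": transparent, not display/visibility hidden,
// and still receiving pointer events. These are the properties a clickjacking
// overlay needs in order to capture the click meant for the banner.
function isInvisibleClickable(el) {
  return el.opacity <= 0.05 && el.visibility !== 'hidden' && el.pointerEvents !== 'none';
}

// Returns ids of elements that overlap the banner, stack at or above it
// (simplified: raw z-index compared, stacking contexts ignored), and are invisible.
function findInvisibleOverlays(elements, bannerId) {
  const banner = elements.find((e) => e.id === bannerId);
  if (!banner) return [];
  return elements
    .filter((e) => e.id !== bannerId)
    .filter((e) => rectsOverlap(e.rect, banner.rect))
    .filter((e) => e.zIndex >= banner.zIndex)
    .filter(isInvisibleClickable)
    .map((e) => e.id);
}

// Browser helper (assumption: run in a page; not called here so the file runs in Node).
function collectElements(win) {
  return Array.from(win.document.querySelectorAll('[id]')).map((node) => {
    const cs = win.getComputedStyle(node);
    const r = node.getBoundingClientRect();
    return {
      id: node.id,
      rect: { left: r.left, top: r.top, right: r.right, bottom: r.bottom },
      opacity: parseFloat(cs.opacity),
      zIndex: cs.zIndex === 'auto' ? 0 : parseInt(cs.zIndex, 10),
      pointerEvents: cs.pointerEvents,
      visibility: cs.visibility,
    };
  });
}

// Constructed sample layout: a banner, a normal sidebar ad, a transparent iframe
// placed over the banner's button area, and a hidden menu that cannot take clicks.
const SAMPLE_ELEMENTS = [
  { id: 'cookie-banner', rect: { left: 0, top: 600, right: 1200, bottom: 700 }, opacity: 1, zIndex: 100, pointerEvents: 'auto', visibility: 'visible' },
  { id: 'sidebar-ad', rect: { left: 900, top: 100, right: 1200, bottom: 350 }, opacity: 1, zIndex: 1, pointerEvents: 'auto', visibility: 'visible' },
  { id: 'overlay-iframe', rect: { left: 950, top: 620, right: 1150, bottom: 680 }, opacity: 0, zIndex: 2147483647, pointerEvents: 'auto', visibility: 'visible' },
  { id: 'hidden-menu', rect: { left: 0, top: 620, right: 200, bottom: 680 }, opacity: 0, zIndex: 200, pointerEvents: 'none', visibility: 'visible' },
];

console.log(findInvisibleOverlays(SAMPLE_ELEMENTS, 'cookie-banner')); // prints [ 'overlay-iframe' ]
```

On a live page, `findInvisibleOverlays(collectElements(window), 'cookie-banner')` gives the same report; an empty result is the expected state for a banner that has not been overlaid.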

Mouse clicks by actual humans (rather than automated robots) are, in large part, the currency of online advertising—they’re often how businesses measure whether their online advertising has actually received any attention and generated any interest, instead of just being ignored or filtered out by the likes of AdBlockPlus. Since it’s been fairly well-documented that most of us instinctively ignore banner ads on websites, advertisers will often pay the sites that publish their ads per click rather than per view, on the assumption that most of those views were worthless to the advertiser to begin with because our eyes instinctively skip the top banner and right-side ads on websites.

But paying per click means that there’s a considerable incentive for ad publishers to inflate the number of times the ads they publish are clicked on, without resorting to high-volume automated techniques that will be relatively easy for any savvy ad network to detect. (If you’ve ever known someone who started a website and routinely clicked on all the ads on it—this is why.)

The invisible ad overlaid on a cookie notification message is not a particularly new or sophisticated technical tactic, but it does represent an interesting intersection of online policy, economics, and privacy that highlights the challenges of developing effective policies for the Internet and the potential for those policies to have unintended consequences.

The whole point of the cookie notification requirement, after all, is to give Internet users more control over their online experience and data. Yet by creating a familiar, trusted message that users have come to expect on websites and believe is there to help them when they click on it, the policy also generates new opportunities for sabotage. This is not unique to the cookie notifications—all forms of security or privacy notification are susceptible to abuse, especially the ones we are most accustomed to. When you are notified that your data has been breached and given the opportunity to enroll in an identity protection service that immediately demands to know your name, birth date, social security number, and address, it’s not always easy to tell whether you’re dealing with a website that actually wants to help protect you or is merely preying on your security fears to expose you to even greater risks.

Similarly, we’ve been conditioned to be attentive to messages alerting us to the need to download important security updates for software, but that conditioning can make it easier for criminals to sneak malware onto our machines in the guise of security updates.

Cookie messages—like security updates, like data breach notifications and identity protection services—are meant to help, to make us feel more in control of our data and online activity. So it’s not entirely surprising that they’re being manipulated to undermine that control as well, that someone looked at this piece of widespread, trusted online infrastructure and saw an opportunity to take advantage of all those people clicking their consent, to turn those clicks into money.

This particular scam will probably be relatively straightforward to remedy. Google Ads Services, which hosts the invisible ads, should be able to do something about the ad placement and opacity now that they’ve been notified of the problem by Malwarebytes. But the larger problem—that trusted online messages and notifications create new attack surfaces even as they ostensibly protect us—is a much knottier one with fewer clear solutions. It’s a crucial issue for many Internet security and privacy policy proposals: how to make sure they help more than they harm us.