What is a pop-up in the browser?
On the World Wide Web (“the internet”), a pop-up is a new browser window that opens when the browser receives specific programming code. The webpage contains code that tells the browser to open a new, smaller window on top of the main window. The trigger can be a click on a hyperlink, hovering over an image, or simply loading the webpage. Many events can make the browser open a window on top of another window: a pop-up.
In 1994, software programmer Ethan Zuckerman wrote the first programming code for pop-up “advertisements”. His assignment was to create a new way of advertising: showing advertisements that were not directly, visibly linked to the main webpage. This is the original idea behind the pop-up, and the technique is still used on many web pages today. Later in this article, I’ll explain why and how pop-ups are abused on today’s World Wide Web.
What is a browser redirect?
A redirect is a referral from one internet address (webpage) to another. Redirects are often used to send visitors to the correct webpage; for example, if a webpage URL has changed, the redirect sends a visitor to the new webpage instead of the old one. There are multiple kinds of redirect, each with its own status code. The status code identifies the kind of redirect and tells the browser how to react to it.
The most widely used redirects are 301 Moved Permanently and 302 Found. A redirect with status code 301 is a permanent referral: the webpage is now accessible via the new URL. A 302 redirect indicates that the webpage is found, but it is temporarily at a different URL.
Malicious web page pop-ups
We already know how pop-ups work and what they are for. Their purpose has not changed: pop-ups are still used for advertising or for a call to action, such as subscribing to an interesting newsletter or promoting a special discount offer. This is the main purpose of pop-ups, and there is nothing wrong with these kinds of pop-up advertisements. However, as with many other things in life, overdoing it is the key problem.
The problem I would like to clarify for you as a reader is the overuse of pop-ups by ad-supported applications. In the early days of the internet, there were already software applications that used legitimate advertising to monetize their free software. These legitimate ads were mainly banners within the software application. If the user wanted to remove the advertising from the free application, the application had to be bought. This is a legitimate way of monetizing free software.
Today, cybercriminals have discovered what I would like to call a “gray area” in which to display advertisements to users in more deceptive and sophisticated ways. On the internet, there are many web pages that provide shady services (adult services, piracy, etc.). These suspicious web pages frequently contain programming code that deceives users into downloading malicious software, known as malware. Users who visit these suspicious web pages know they are on a web page that is forbidden or not socially accepted in some parts of the world.
This is where cybercriminals get their chance to deploy social engineering techniques: they make the browser create a pop-up and redirect the user to a Microsoft Support Scam. These malicious pop-up web pages exploit human social behavior. The user on the suspicious web page knows he or she is doing something shady, and then the browser is locked by a pop-up from “Microsoft” or the “Police”, stating that their device is locked by the police or infected by a virus. The user is shocked and calls the telephone number to remove the fake virus or police message from their device.
The same technique is deployed on many web pages that provide pirated software. The pirated software is most likely bundled with adware. Many of these piracy web pages generate pop-ups to malicious web pages telling the user to “Update your Video Player”, which is a social engineering scam. There are loads of examples; however, the most well known is the Update Your Video Player scam. Users should stay away from piracy or any suspicious web pages; the chance of a virus infection from a pop-up is high on these web pages. The Google Chrome and Firefox browsers warn their users with the message “This site ahead contains harmful programs”.
Overdoing it, by creating multiple pop-ups at once, deceiving users into downloading malware, or scaring them with fake pop-up virus alerts, is not what pop-ups are meant for. However, cybercriminals and suspicious advertisement networks keep searching for new ways to make money from pop-ups, so pop-ups are abused for revenue, which gives them a bad reputation.
Malicious browser redirects
Before I explain how a browser redirect created by adware works, and why some of them are malicious, you should know what I mean by a landing page. A landing page is the web page the user gets to see at the end of a chain of browser redirects. It’s the advertisement the advertisement network or adware publisher wants you to see. However, these landing pages are not random: they are selected for that potential victim.
As I already explained, some suspicious web pages trigger pop-ups and redirect the pop-up to a Microsoft Support Scam, an Update Your Video Player scam, or some useful browser extension you must install, at least according to the pop-up in your browser.
Before the pop-up lands on these scam or malicious web pages and the user sees the advertisement, the browser is redirected through several domains. These domains are what I refer to as redirect domains. They determine the best advertisement to show to the user. This animated image shows how adware generates new browser pop-up redirects out of the blue. The domains you see in the image are browser redirect domains.
The browser redirects determine the best advertisement for the victim based on the browser that is used, the web pages being viewed at the time the browser is redirected, and the country. An internet user from the United States of America will see, for example, an Amazon landing page. The Amazon Gift Scam is one of many deceptive landing pages for USA victims.
Users of PCs infected with adware will often see the domain that redirects the browser for a few seconds before the browser lands on the advertisement chosen by the domains involved in redirecting adware victims. Deloton.com, Jebadu.com, adnetworkperformance.com, and liveadpredict.com are recent examples of domains that redirect browsers to landing pages (advertisements).
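As an added example (not code from this article's author), the JavaScript below follows a captured chain of HTTP responses the way a browser follows 301 and 302 redirects, and flags chains that pass through the redirect domains named in this article. The capture, the `.example` hostnames and the "two or more intermediate hosts" threshold are constructed assumptions.

```javascript
// Added example: follow a captured redirect chain and flag adware-style hops.
// Only these four domains come from the article; every other value is constructed.
const REDIRECT_DOMAINS = ["deloton.com", "jebadu.com",
  "adnetworkperformance.com", "liveadpredict.com"];

// Constructed capture: one entry per HTTP response the browser received.
const SAMPLE_CAPTURE = [
  { url: "http://videos.example/watch", status: 302, location: "http://deloton.com/r?c=1" },
  { url: "http://deloton.com/r?c=1", status: 302, location: "//liveadpredict.com/go" },
  { url: "http://liveadpredict.com/go", status: 301, location: "http://landing.example/update" },
  { url: "http://landing.example/update", status: 200, location: null },
];

const hostOf = (u) => new URL(u).hostname.toLowerCase().replace(/^www\./, "");
const onList = (h) => REDIRECT_DOMAINS.some((d) => h === d || h.endsWith("." + d));

// Walk the chain as a browser would: 301/302 plus Location means "go there next".
function traceRedirects(capture, startUrl, maxHops = 10) {
  const byUrl = new Map(capture.map((r) => [new URL(r.url).href, r]));
  const hops = [];
  const seen = new Set();
  let url = new URL(startUrl).href;
  let loop = false;
  while (byUrl.has(url) && hops.length < maxHops) {
    if (seen.has(url)) { loop = true; break; } // redirect loop
    seen.add(url);
    const res = byUrl.get(url);
    const redirect = (res.status === 301 || res.status === 302) && Boolean(res.location);
    const kind = !redirect ? "final" : res.status === 301 ? "permanent" : "temporary";
    hops.push({ host: hostOf(url), status: res.status, kind });
    if (!redirect) break;
    url = new URL(res.location, url).href; // Location may be relative
  }
  return { hops, loop };
}

// Assumed heuristic: suspicious if the chain loops, touches a listed redirect
// domain, or passes through two or more intermediate hosts before landing.
function assessChain(capture, startUrl) {
  const { hops, loop } = traceRedirects(capture, startUrl);
  const hosts = hops.map((h) => h.host);
  const intermediates = [...new Set(hosts.slice(1, -1))];
  const listed = [...new Set(hosts.filter(onList))];
  const suspicious = loop || listed.length > 0 || intermediates.length >= 2;
  return { landing: hosts[hosts.length - 1], kinds: hops.map((h) => h.kind),
    intermediates, listed, loop, suspicious };
}

console.log(assessChain(SAMPLE_CAPTURE, SAMPLE_CAPTURE[0].url));
```

A single same-site 301, such as a page that moved to a new URL, passes this check unflagged; only loops, listed hosts, or multi-domain chains are reported.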
I hope it’s now clearer how dangerous adware has become and how the social engineering scams work. The best protection and prevention against browser pop-ups, browser redirects and adware is the malware protection application Malwarebytes.