- Pushpaganda Campaign Weaponizes AI Content to Escalate Global Notification Scams
- Google Discover is abused to deliver misleading scam content
- Users are tricked into enabling notifications that generate continuous threats.
A large-scale ad fraud and scareware campaign called Pushpaganda has exploited Google’s Discover feed to send malicious notifications to Android and Chrome users around the world.
According to HUMAN’s Satori threat intelligence team, “Pushpaganda is, at the highest level, a case of social engineering.”
The operation uses AI-generated articles and images to entice users to click on misleading news stories that appear in their personalized content streams.
How the scam works
Once a user reaches an actor-controlled domain, the site manipulates the user into enabling push notifications, which are then used to deliver various threats.
Threat actors created a collection of 113 domains and used artificial intelligence tools to generate sensational headlines and misleading images designed to generate high engagement.
Common lures include fake arrest warrants, police notices, fake bank deposits, and unrealistic technology claims about $100 smartphones with 300MP cameras.
If a user agrees to allow notifications from these sites, they begin to see a series of intimidating alerts that have no relation to the domain from which they were enabled.
Some notifications mimic missed calls from family members, while others send urgent tax review notices or government direct deposit alerts.
Clicking on a notification associated with Pushpaganda redirects the user to another actor-controlled domain.
These domains use deceptive buttons labeled “Apply Now,” “Claim Now,” or “Join WhatsApp.”
These buttons, however, use JavaScript to redirect users to additional internal articles or to other actor-controlled domains.
A JavaScript rotation algorithm also forces inactive browser tabs to automatically cycle through multiple pages owned by the actors.
This generates additional ad loads and makes the sites appear high quality to ad networks.
At its peak, HUMAN observed approximately 240 million bid requests associated with Pushpaganda domains in a single seven-day period.
The ads on these scam domains contain some deepfakes that reference celebrities or medical professionals to exploit users’ trust on a large scale.
The operation initially targeted users in India, but has since expanded to the United States, Australia, Canada, South Africa, and the United Kingdom.
A Google spokesperson said the company keeps the vast majority of spam out of Discover through anti-spam systems and that a fix has been implemented for the spam issue at hand.
A standard firewall or antivirus cannot block these push notifications at the browser level, making user awareness a very effective defense.
Users should never enable push notifications from unknown websites, regardless of how legitimate the article appears.
To block existing malicious notifications, users can go to their browser settings and revoke notification permissions for any suspicious domains.
Mobile users should also review the notification settings in their Chrome browser or Android system settings to remove unauthorized subscriptions.
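To find which sites already hold notification permission on a desktop Chrome profile, the following added example (not from HUMAN's report or the original article) reads the notification exceptions out of the profile's `Preferences` JSON and lists every allowed host that is not on a reviewer-supplied trusted list. The `profile.content_settings.exceptions.notifications` layout and the `setting` values are assumptions about Chrome's on-disk format, which may change between versions; the sample data and host names are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

ALLOW = 1  # assumed Chrome content-setting value for "allow"; 2 is "block"

# Constructed sample of the relevant part of a Chrome profile "Preferences" file.
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {"notifications": {
    "https://mail.example.com:443,*": {"setting": 1, "last_modified": "13350000000000000"},
    "https://breaking-news.example.net:443,*": {"setting": 1, "last_modified": "13390000000000000"},
    "https://ads.example.org:443,*": {"setting": 2, "last_modified": "13380000000000000"},
}}}}})

def chrome_time(micros):
    """Convert Chrome's timestamp (microseconds since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(micros))

def notification_grants(prefs_text):
    """Return [(host, granted_at)] for every origin allowed to send notifications."""
    prefs = json.loads(prefs_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    grants = []
    for pattern, value in entries.items():
        if value.get("setting") != ALLOW:
            continue  # blocked or default entries cannot push alerts
        origin = pattern.split(",", 1)[0]  # drop the ",*" secondary pattern
        host = urlsplit(origin).hostname or origin
        grants.append((host, chrome_time(value.get("last_modified", "0"))))
    # Newest grants first: a recent, unfamiliar grant is the one to look at.
    return sorted(grants, key=lambda g: g[1], reverse=True)

def to_review(prefs_text, trusted_hosts):
    """Hosts holding notification permission that are not on the trusted list."""
    return [(h, t) for h, t in notification_grants(prefs_text) if h not in trusted_hosts]

if __name__ == "__main__":
    for host, granted in to_review(SAMPLE_PREFS, {"mail.example.com"}):
        print(f"{granted:%Y-%m-%d}  {host}  -> review and revoke if unrecognised")
```

Point it at a copy of the profile's `Preferences` file rather than the live one, and revoke anything unrecognised through the browser's own site settings.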