Cyber crooks abuse legitimate EU Cookie Law notices in clever clickjacking campaign

Cyber crooks have set up a clever new clickjacking campaign that takes advantage of pop-up alerts that European users are (by now) accustomed to see: the “EU Cookie Law” notifications.

Since May 2012, websites owned in the EU or targeted towards EU citizens are required to get visitors’ consent to be able to place a cookie on their computer. They comply by showing pop-up notices that require the user to make a choice.

The criminals are exploiting this fact by placing a legitimate ad banner on top of the warning message via an iframe. The trick is to make the ad invisible by setting its opacity to zero (click on the screenshot to enlarge it):

So, each time a user clicks anywhere on the legitimate message, he or she clicks also on the hidden ad.

“While simple, this technique, also known as clickjacking, is pretty effective at generating clicks that look perfectly legitimate and performed by real human beings as opposed to bots,” Malwarebytes’ Jerome Segura explains.

“This is costing advertisers and ad networks a lot of money while online crooks are profiting from bogus Pay Per Click traffic.”

The campaign does not currently present a danger to the visitors themselves, and Google has been notified and has likely put a stop to it by now.

Still, similar campaigns that will likely pop up in the future might not be so benign – the ads the users inadvertently click on could be malicious, taking users to websites hosting malware or exploit kits.