The "Quiz" Deception: Push Notification Spam Campaign Targets Users via Browser Permissions

Executive Summary
A sophisticated social engineering campaign is currently exploiting user curiosity to hijack browser notification permissions. Threat actors are deploying deceptive quiz websites that masquerade as harmless entertainment. Once a user engages with the "Start the Quiz" button, a deceptive overlay prompts them to enable browser notifications. By clicking "Allow," users inadvertently grant these sites permission to push unsolicited advertisements, affiliate links, and potentially malicious content directly to their desktop or mobile device, regardless of whether the user is actively browsing the site.
At SecLookup, our threat intelligence team has been actively monitoring this vector. We have confirmed that the domains identified in this campaign are malicious and are currently being blocked by our platform to protect our users from this intrusive adware technique.
Threat Analysis
The Anatomy of the Deception
The core of this attack vector relies on social engineering and the browser Notifications API. Unlike traditional drive-by downloads, which require the user to execute a file, this attack requires only a single interaction: a click on "Allow."
Landing Page: The victim lands on a site that appears to be a legitimate quiz platform. The content varies but typically includes geography, vocabulary, history, or country-specific trivia (e.g., quizzes tailored for Canada, Germany, France, Japan, and the US).
The Hook: The primary goal of the site is to maximize dwell time and engagement. The user is presented with a "Start the Quiz" button.
The Trap: Upon clicking the button, the site overlays a prompt with a misleading background image. The text usually implies that clicking "Allow" is necessary to "continue" or "see the results."
The Execution: This triggers the native browser prompt: "Allow [Domain] to send notifications?" The site's surrounding overlay text often misleads the user into reading this prompt as a benign system request or an ad-blocker update, rather than as a request to send spam.
TTPs (Tactics, Techniques, and Procedures)
This campaign aligns with several techniques observed in the MITRE ATT&CK framework:
TA0001 - Initial Access: T1566.001 (Phishing: Fake Website): The actors use legitimate-looking domains to gain initial trust.
T1193 (Spearphishing Link): While not strictly email-based, the mechanism mimics a trusted interaction.
T1071.001 (Web Protocols: Web Traffic): The attack relies entirely on standard web traffic and browser APIs.
T1546.015 (Event Triggered Execution - Web Browser API): The granting of notification permissions is a specific browser API trigger that allows the actor to push content into the user's environment, effectively bypassing the need for the user to visit the site again.
Economic Motivation
Unlike ransomware campaigns that demand immediate ransoms, this threat actor is primarily motivated by Ad Revenue and Affiliate Schemes. By bombarding the user with persistent notifications, the attackers can generate clicks on affiliate links, display pay-per-click advertisements, or drive traffic to scam sites. This "Push Notification Spam" model is a low-effort, high-yield revenue stream for cybercriminals.
Indicators of Compromise (IOCs)
SecLookup's threat intelligence platform has scanned the domains identified in the Malwarebytes Labs report. The following domains have been confirmed malicious and should be blocked immediately:
Domains
quizcentral.co.in
yeqeso.org
uhuhedeb.org
navixzuno.co.in
edifaqe.org
quizcentral.co.za
triviabox.co.in
loopdeviceconnection.co.in
rixifabed.org
unsphiperidion.co.in
geniusfun.co.in
ylloer.org
Note: While the source article mentions a redirect chain involving unsphiperidion.co.in leading to a fake AdGuard update, the root domains listed above represent the primary infrastructure utilized in this campaign.
SecLookup Detection
SecLookup is actively detecting and blocking this threat. Our threat intelligence platform has verified the malicious nature of the domains listed above. We have updated our threat feeds to ensure that traffic to these specific domains is intercepted and blocked before it can reach user endpoints.
Recommendations
To mitigate the risk of falling victim to push notification spam campaigns, security professionals and end-users should implement the following measures:
1. User Education and Policy
Educate users on the dangers of the "Allow" prompt. Remind them that legitimate websites rarely ask for push notifications unless they are a messaging service (like WhatsApp) or a news outlet. Quiz sites are almost never a valid reason to grant this permission.
2. Browser Configuration
Review Notification Settings: Users should regularly check their browser settings (Chrome, Firefox, Edge) to review which sites have permission to send notifications. They should revoke access to any site they do not recognize.
Disable by Default: Users can configure their browsers to block all notifications by default and only allow them when visiting a specific, trusted site.
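To make the "review which sites have permission to send notifications" step and the IOC list above actionable, here is an added example script (not SecLookup tooling) that reads a Chromium-based browser's profile "Preferences" JSON, lists every origin currently allowed to send notifications, and flags any that match the domains in this report, including subdomains of them. It assumes the Chromium layout in which per-site decisions live under profile.content_settings.exceptions.notifications, keyed "https://host:port,*", with "setting": 1 meaning allow and 2 meaning block; the embedded Preferences document is a constructed sample, not a real profile.

```python
"""Audit a Chromium Preferences file for notification grants and flag
origins that match a domain block list.

Added example, not SecLookup tooling. Assumptions (labelled): Chromium
stores per-site notification decisions under
profile.content_settings.exceptions.notifications in the profile's
"Preferences" JSON, keyed "https://host:port,*", with "setting": 1 = ALLOW
and 2 = BLOCK. The IOC list is the one published in this report.
"""
import json
from urllib.parse import urlsplit

# Domains listed in the report's IOC section.
IOC_DOMAINS = {
    "quizcentral.co.in", "yeqeso.org", "uhuhedeb.org", "navixzuno.co.in",
    "edifaqe.org", "quizcentral.co.za", "triviabox.co.in",
    "loopdeviceconnection.co.in", "rixifabed.org", "unsphiperidion.co.in",
    "geniusfun.co.in", "ylloer.org",
}

SETTING_ALLOW = 1  # assumed Chromium content-setting value for "Allow"
SETTING_BLOCK = 2  # assumed Chromium content-setting value for "Block"

# Constructed sample: a trimmed Preferences document, not a real profile.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://quizcentral.co.in:443,*": {"setting": 1},
                    "https://cdn.ylloer.org:443,*": {"setting": 1},
                    "https://web.whatsapp.com:443,*": {"setting": 1},
                    "https://news.example.net:443,*": {"setting": 2},
                }
            }
        }
    }
})


def origin_host(pattern):
    """Return the lower-cased hostname from a content-settings key.

    Keys look like "https://host:443,*"; the secondary pattern after the
    comma is dropped before the primary origin is parsed.
    """
    primary = pattern.split(",", 1)[0]
    host = urlsplit(primary).hostname
    return host.lower() if host else None


def matches_ioc(host, iocs=IOC_DOMAINS):
    """True if host equals an IOC domain or is a subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def audit_notifications(preferences_json, iocs=IOC_DOMAINS):
    """Return (granted_hosts, flagged_hosts) from a Preferences JSON string.

    granted_hosts lists every host currently allowed to send notifications
    (for manual review); flagged_hosts is the subset matching the IOC list.
    """
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    granted = []
    for key, entry in exceptions.items():
        if entry.get("setting") != SETTING_ALLOW:
            continue  # blocked or unknown decisions are not a risk here
        host = origin_host(key)
        if host is not None:
            granted.append(host)
    granted.sort()
    flagged = [h for h in granted if matches_ioc(h, iocs)]
    return granted, flagged


if __name__ == "__main__":
    granted, flagged = audit_notifications(SAMPLE_PREFERENCES)
    print("Sites allowed to send notifications:")
    for host in granted:
        print(f"  {host}{'  [IOC MATCH]' if host in flagged else ''}")
```

To run it against a real profile, replace SAMPLE_PREFERENCES with the contents of the profile's Preferences file (on Linux, Google Chrome's default profile keeps it at ~/.config/google-chrome/Default/Preferences; other browsers and platforms use their own profile directories). Any host printed with an IOC match should have its notification permission revoked in the browser's site settings; the unflagged entries are the list a user should review by hand, since a quiz site that is not yet on a block list is still not a valid reason to hold this permission.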
3. Use of Ad-Blockers
Utilizing content blockers (such as uBlock Origin or AdGuard) can often mitigate these attacks by preventing the deceptive overlay from rendering, thereby stopping the "Click Allow" interaction.
4. Endpoint Protection
Ensure that Endpoint Detection and Response (EDR) solutions are configured to alert on browser process anomalies or unexpected outbound traffic to known ad-tech domains.
References
- Malwarebytes Labs, "Quiz sites trick users into enabling unwanted browser notifications", 2026-03-09.