How to advise clients with regard to browser notification scamware?

britechguy

Just had a client call me regarding constant pop-ups screaming about viruses on his computer (which he recognized as bogus and did not interact with other than to dismiss, which was futile). Both had their origin in browser notifications from MS-Edge and their origin with 2 domains out of India. What was funny (in a perverse way) is one was touting McAfee and the other, Norton.

It didn't take me too long after a single AI search to get this all straightened out, but I honestly have no idea what the client did in the first place to get these things into place, and he seemed not to, either. While this is not the most tech-savvy client, he's not a panicked, button-clicking sort, either.

If someone can describe how an end user is enticed into "installing" (for lack of a better term) these things, I'd love to have a description that I can share with clients if/when this pops up. I haven't encountered one of these in quite some time, let alone two on one machine.
 
This is one of my most common customer calls these days.

Customer visits a website which has been configured to pop up the browser message "Do you want to allow notifications?" They click Yes, then are plagued by fake AV popups.

After fixing, I ask for the customer's permission to disable notifications on all browsers to avoid a recurrence. No more popups.
 
Something has happened in the last few weeks. This used to be a once every few days or once a week call, now it's much more frequent, sometimes multiple times a day. I'm not sure why the increase.

I charge an hour of labor to remove the notifications from Chrome/Edge, disable notifications, add uBlock Lite, check appwiz.cpl for junk, check services for ScreenConnect, then update Windows.
 
Yes, we're seeing a few of these each week. For managed customers, we have a script to disable browser notifications each day...one of several in the category of scammer defense. There is always something new, it seems.
 
we have a script to disable browser notifications

Would you mind sharing? I can already predict this trend wreaking havoc for my blind clients, and it would be great to have a script that went through "the list of commonly installed browsers," checking if each was installed, and making the settings tweak to disable notifications for any that are present on the system.

I'll also give Claude a whirl at generating this, too.
 
Would you mind sharing?

Not at all! Here's the most recent version:

Code:
# Disable Browser Notifications and Pop-ups v1.2
# Chrome, Edge, Firefox - Windows 11
# Exit 0 = Success
# Exit 1001 = One or more installed browsers failed
# Notifications blocked, notification prompt requests blocked, Existing notification allow-list policies removed, existing pop-up allow-list entries preserved

Write-Host "Disabling browser notification prompts, notifications, pop-ups, and redirects..."

$FailureDetected = $false

function Set-BrowserSecurityPolicy {
    param (
        [string]$BrowserName,
        [string]$PolicyPath,
        [string[]]$NotificationAllowListPolicyPaths
    )

    try {
        if (-not (Test-Path $PolicyPath)) {
            New-Item -Path $PolicyPath -Force | Out-Null
        }

        # Block notification prompts and notifications
        New-ItemProperty `
            -Path $PolicyPath `
            -Name "DefaultNotificationsSetting" `
            -PropertyType DWord `
            -Value 2 `
            -Force | Out-Null

        # Block pop-ups and redirects
        New-ItemProperty `
            -Path $PolicyPath `
            -Name "DefaultPopupsSetting" `
            -PropertyType DWord `
            -Value 1 `
            -Force | Out-Null

        # Remove notification allow-list policies only
        foreach ($AllowListPath in $NotificationAllowListPolicyPaths) {
            if (Test-Path $AllowListPath) {
                Remove-Item -Path $AllowListPath -Recurse -Force
            }
        }

        $NotificationValue = Get-ItemPropertyValue `
            -Path $PolicyPath `
            -Name "DefaultNotificationsSetting" `
            -ErrorAction Stop

        $PopupValue = Get-ItemPropertyValue `
            -Path $PolicyPath `
            -Name "DefaultPopupsSetting" `
            -ErrorAction Stop

        if (($NotificationValue -eq 2) -and ($PopupValue -eq 1)) {
            Write-Host "$BrowserName notification prompts, notifications, pop-ups, and redirects configured."
        }
        else {
            throw "$BrowserName policy verification failed."
        }
    }
    catch {
        Write-Host "ERROR: Failed to configure $BrowserName browser security policies."
        $script:FailureDetected = $true
    }
}

# Chrome
$ChromeInstalled = (Test-Path "HKLM:\SOFTWARE\Google\Chrome") -or `
                   (Test-Path "HKLM:\SOFTWARE\WOW6432Node\Google\Chrome") -or `
                   (Test-Path "$Env:ProgramFiles\Google\Chrome\Application\chrome.exe") -or `
                   (Test-Path "${Env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe")

if ($ChromeInstalled) {
    Set-BrowserSecurityPolicy `
        -BrowserName "Chrome" `
        -PolicyPath "HKLM:\SOFTWARE\Policies\Google\Chrome" `
        -NotificationAllowListPolicyPaths @(
            "HKLM:\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls"
        )
}
else {
    Write-Host "Chrome not detected. Skipping."
}

# Edge
$EdgeInstalled = (Test-Path "HKLM:\SOFTWARE\Microsoft\Edge") -or `
                 (Test-Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Edge") -or `
                 (Test-Path "$Env:ProgramFiles\Microsoft\Edge\Application\msedge.exe") -or `
                 (Test-Path "${Env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe")

if ($EdgeInstalled) {
    Set-BrowserSecurityPolicy `
        -BrowserName "Edge" `
        -PolicyPath "HKLM:\SOFTWARE\Policies\Microsoft\Edge" `
        -NotificationAllowListPolicyPaths @(
            "HKLM:\SOFTWARE\Policies\Microsoft\Edge\NotificationsAllowedForUrls"
        )
}
else {
    Write-Host "Edge not detected. Skipping."
}

# Firefox
$FirefoxInstalled = $false
$FirefoxPaths = @(
    "$Env:ProgramFiles\Mozilla Firefox",
    "${Env:ProgramFiles(x86)}\Mozilla Firefox"
)

foreach ($FirefoxPath in $FirefoxPaths) {
    if (Test-Path $FirefoxPath) {
        $FirefoxInstalled = $true

        try {
            $DistributionPath = Join-Path $FirefoxPath "distribution"

            if (-not (Test-Path $DistributionPath)) {
                New-Item -Path $DistributionPath -ItemType Directory -Force | Out-Null
            }

            $PoliciesFile = Join-Path $DistributionPath "policies.json"

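            # Firefox policy keys: Permissions.Notifications blocks new notification
            # permission prompts; PopupBlocking keeps the pop-up blocker on and locked.
            $PoliciesJson = @"
{
  "policies": {
    "Permissions": {
      "Notifications": {
        "BlockNewRequests": true,
        "Locked": true
      }
    },
    "PopupBlocking": {
      "Default": true,
      "Locked": true
    }
  }
}
"@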

            $PoliciesJson | Out-File -FilePath $PoliciesFile -Encoding UTF8 -Force

            if (Test-Path $PoliciesFile) {
                Write-Host "Firefox notification prompts, notifications, and pop-ups disabled at $FirefoxPath."
            }
            else {
                throw "Firefox policies.json was not created."
            }
        }
        catch {
            Write-Host "ERROR: Failed to configure Firefox browser security policies at $FirefoxPath."
            $FailureDetected = $true
        }
    }
}

if (-not $FirefoxInstalled) {
    Write-Host "Firefox not detected. Skipping."
}

if ($FailureDetected) {
    Write-Host "One or more installed browsers failed configuration."
    exit 1001
}
else {
    Write-Host "All installed browsers configured successfully."
    exit 0
}
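
Added example, not part of the thread or of the script posted above: the policy script governs what the browser does from now on, while the cleanup step mentioned earlier in the thread ("remove the notifications from chrome/edge") needs to know which sites the customer already allowed. This PowerShell lists those origins per Chrome/Edge profile for the current user; the Preferences key path and the meaning of `setting` (1 = allow) are assumptions about the Chromium profile format, and the function and variable names are hypothetical.

```powershell
# Added example (not from the thread): list origins that already hold the
# notification permission in each Chrome/Edge profile of the current user.
# Assumption: per-site grants live in the profile's Preferences JSON under
# profile.content_settings.exceptions.notifications, with setting 1 = allow.

function Get-NotificationGrant {
    param ([string]$BrowserName, [string]$PreferencesFile)

    try {
        $Prefs = Get-Content -Path $PreferencesFile -Raw -ErrorAction Stop | ConvertFrom-Json
    }
    catch {
        # ConvertFrom-Json can fail on some Preferences files; report and move on.
        Write-Warning "Could not parse $PreferencesFile : $($_.Exception.Message)"
        return
    }

    $Exceptions = $Prefs.profile.content_settings.exceptions.notifications
    if ($null -eq $Exceptions) { return }

    foreach ($Entry in $Exceptions.PSObject.Properties) {
        if ($Entry.Value.setting -eq 1) {
            [pscustomobject]@{
                Browser = $BrowserName
                Profile = Split-Path (Split-Path $PreferencesFile -Parent) -Leaf
                # Keys look like "https://site.example:443,*"; keep the origin part.
                Origin  = ($Entry.Name -split ',')[0]
            }
        }
    }
}

$UserDataRoots = @{
    "Chrome" = "$Env:LOCALAPPDATA\Google\Chrome\User Data"
    "Edge"   = "$Env:LOCALAPPDATA\Microsoft\Edge\User Data"
}

$Grants = foreach ($Browser in $UserDataRoots.Keys) {
    $Root = $UserDataRoots[$Browser]
    if (-not (Test-Path $Root)) { continue }
    # Profile folders are "Default", "Profile 1", ...; each has its own Preferences file.
    Get-ChildItem -Path $Root -Directory |
        ForEach-Object { Join-Path $_.FullName "Preferences" } |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Get-NotificationGrant -BrowserName $Browser -PreferencesFile $_ }
}

$Grants | Sort-Object Browser, Profile, Origin | Format-Table -AutoSize
```

Run it as the affected user rather than as SYSTEM, since `$Env:LOCALAPPDATA` resolves to the profile of whoever runs the script.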
 