
Pushpaganda Campaign Exploits Google Discover to Hijack Browser Notifications

A threat operation dubbed Pushpaganda is abusing Google Discover with AI-generated clickbait to trick users into enabling malicious browser notifications, which then deliver phishing and scam content.

MITRE ATT&CK TTPs

  • Initial Access: T1566 Phishing

Executive Summary

A threat campaign, tracked as Pushpaganda, is actively exploiting Google's Discover feed to distribute AI-generated clickbait articles that manipulate users into enabling malicious browser push notifications. According to researchers at Guardio Labs, who first documented the operation, the attackers leverage the high visibility and perceived legitimacy of content surfaced by Google's algorithm to establish a persistent, fraudulent communication channel directly to victims' desktops and mobile devices. Once a user subscribes, the threat actors deliver a stream of phishing pages, tech support scams, and deceptive advertisements.

Technical Analysis

The campaign's technical execution hinges on abusing the trust users place in content recommended by Google Discover, a personalized feed integrated into the Chrome new tab page and many Android home screens. The threat actors create low-quality, AI-generated websites focused on sensationalist topics like celebrity news or fake giveaways. These sites are then promoted via paid search and social media ads to gain initial traffic and, crucially, to be indexed and recommended by Google's Discover algorithm.

When a user clicks a Discover-recommended link, they land on a page that immediately triggers a browser prompt to allow notifications. The prompt is often disguised with social engineering, such as a fake "CAPTCHA verification" or a message claiming the user must click "Allow" to prove they are not a robot. If permitted, the notification permission is registered to a malicious domain controlled by the attackers. This establishes a direct, out-of-band communication channel that bypasses email filters, website blocks, and ad networks. The attackers then push notifications containing links to phishing sites impersonating legitimate services, fake antivirus alerts, or other scams.

Guardio's analysis notes the infrastructure uses multiple redirections and obfuscation to hide the final notification delivery domain. The content of the push notifications is dynamically updated, allowing the attackers to quickly pivot to new scams based on current events or perceived effectiveness.

Tactics, Techniques & Procedures

The Pushpaganda operation employs a multi-stage technique blending search engine optimization (SEO), malvertising, and social engineering.

  1. Initial Access (T1583.001): Acquire and deploy spoofed or AI-generated content websites.
  2. Drive-by Compromise (T1189): Use paid advertising and manipulation of Google Discover to drive traffic to malicious sites.
  3. User Execution (T1204): Deceive users into interacting with a browser prompt through fake CAPTCHA or verification schemes.
  4. Abuse Elevation Control Mechanism (T1548): Exploit the browser's notification API to gain a persistent presence on the user's device.
  5. Phishing (T1566): Use the granted notification channel to deliver links to phishing and scam sites directly to the user's desktop or notification center.

Threat Actor Context

The researchers attribute this ongoing campaign to a single threat operation they named Pushpaganda. The primary motivation appears to be financial, leveraging affiliate fraud and phishing schemes. The operational security is considered moderate, with the actors demonstrating an understanding of web traffic acquisition and browser API abuse. There is no clear link to a known advanced persistent threat (APT) group at this time; the tactics are consistent with financially motivated cybercrime. The campaign has shown a particular focus on English-speaking users in the United States, United Kingdom, Canada, Australia, and New Zealand.

Mitigations & Recommendations

Users and administrators should take steps to limit the impact of notification abuse.

  • Review and Revoke Permissions: Regularly audit and remove unnecessary notification permissions in browser settings (chrome://settings/content/notifications).
  • User Awareness: Train users to be highly skeptical of any website that immediately asks for notification permissions, especially those using "human verification" or CAPTCHA pretexts.
  • Block Permission Prompts: Consider using browser extensions or enterprise policies to automatically block notification permission requests.
  • Network Filtering: Deploy web filtering solutions that can block known malicious domains associated with push notification abuse.
  • Report Abuse: Users can report abusive sites directly to Google via the "Report abuse" link at the bottom of Google Discover cards or through Safe Browsing.
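To make the first and third recommendations concrete, here is an added example (not code from Guardio Labs or ZCyberNews) that audits which origins currently hold the notification permission in a Chrome profile and turns the reviewed list into a managed policy that blocks all other prompts by default. The sample Preferences content and the origin names are constructed; the location of the Preferences file and the policy directory are assumptions that vary by OS.

```python
import json

# Constructed sample of the relevant part of a Chrome profile "Preferences" file.
# Assumed real path on Linux: ~/.config/google-chrome/Default/Preferences
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example-corp.test:443,*": {"setting": 1},
        "https://news-clickbait-placeholder.test:443,*": {"setting": 1},
        "https://already-blocked.test:443,*": {"setting": 2},
    }}}}
})

ALLOW = 1  # Chrome content-setting values (assumption: 1 = allow, 2 = block)
BLOCK = 2


def allowed_notification_origins(preferences_json: str) -> list:
    """Return the origins that currently hold the 'allow' notification permission.

    Each key looks like "https://host:443,*" (primary pattern, secondary pattern);
    only the primary origin is kept so the list can feed a policy allowlist.
    """
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    return sorted(pattern.split(",")[0]
                  for pattern, entry in exceptions.items()
                  if entry.get("setting") == ALLOW)


def managed_policy(reviewed_origins: list) -> dict:
    """Build a Chrome enterprise policy document: block notification prompts by
    default and allow only the origins an administrator has reviewed.

    DefaultNotificationsSetting and NotificationsAllowedForUrls are real Chrome
    policy names; assumed deploy path on Linux is /etc/opt/chrome/policies/managed/.
    """
    return {
        "DefaultNotificationsSetting": BLOCK,
        "NotificationsAllowedForUrls": list(reviewed_origins),
    }


if __name__ == "__main__":
    granted = allowed_notification_origins(SAMPLE_PREFERENCES)
    print("Origins currently allowed to push notifications:", granted)
    # Keep only origins that belong to a known, trusted domain (constructed rule)
    reviewed = [o for o in granted if o.endswith("example-corp.test:443")]
    print(json.dumps(managed_policy(reviewed), indent=2))
```

Run it against a copy of the real Preferences file to spot unfamiliar origins such as the clickbait placeholder above; with the policy applied, new prompts from any other site are blocked rather than shown.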
