- Pushpaganda campaign weaponizes AI content to scale global notification fraud
- Google Discover is being misused to deliver misleading scam content
- Users are tricked into enabling notifications that deliver continuous threats
A large-scale ad fraud and scareware campaign, called Pushpaganda, has exploited Google’s Discover feed to send malicious messages to Android and Chrome users worldwide.
According to HUMAN’s Satori Threat Intelligence Team, “Pushpaganda at its highest level is a case of social engineering.”
The operation uses AI-generated articles and images to lure users into clicking on misleading news stories that appear in their personal content feeds.
How the scam works
When a user lands on an actor-controlled domain, the site manipulates the user into activating push notifications that later deliver various threats.
The threat actors created a collection of 113 domains and used AI tools to generate sensational headlines and misleading images designed to drive high engagement.
Common lures include fake arrest warrants, police reports, fake bank deposits and unrealistic technical claims around $100 smartphones with 300MP cameras.
If a user agrees to allow messages from these sites, the user starts seeing a series of scary warnings that have no relation to the domain from which they were activated.
Some messages mimic missed calls from family members, while others send urgent tax review messages or direct deposit alerts from the government.
Clicking on a Pushpaganda-associated notification redirects the user to another actor-controlled domain.
These domains use misleading buttons labeled “Apply Now”, “Claim Now” or “Join WhatsApp”.
However, these buttons use JavaScript to redirect users to additional internal articles or other actor-controlled domains.
A JavaScript rotation algorithm also forces inactive browser tabs to automatically cycle through different actor-owned pages.
This cycling generates additional ad loads and makes the sites appear high quality to ad networks.
At its peak, HUMAN observed around 240 million bid requests associated with Pushpaganda domains in a single seven-day period.
Some of the ads on these scam domains contain deepfakes involving celebrities or medical professionals, exploiting users’ trust on a large scale.
The operation initially targeted users in India, but has since expanded to the US, Australia, Canada, South Africa and the UK.
A Google spokesperson stated that the company keeps the vast majority of spam out of Discover through spam-fighting systems, and that a fix for the spam issue in question has been implemented.
A standard firewall or antivirus cannot block these push notifications at the browser level, making user awareness a very effective defense.
Users should never enable push notifications from unknown websites, no matter how legitimate the article appears.
To block existing malicious messages, users can access their browser settings and revoke notification permissions for any suspicious domain.
Mobile users should also review the notification settings in their Chrome browser or Android system settings to remove unauthorized subscriptions.