A dark adtech empire fed by fake CAPTCHAs
Fake CAPTCHAs & user confusion
- “Click to prove you’re human” is seen as a clever attack because the modern web already trains users to click through CAPTCHAs, buttons, and arbitrary hoops.
- Non‑technical and older users are especially vulnerable; they’ve learned that refusing permissions or dialogs can break essential apps (e.g., calls not ringing), so they default to “Allow.”
Permission Prompts & Habituation
- Commenters note we already knew users mindlessly click “OK/Allow,” yet design and regulation kept adding more prompts (permissions, cookie banners).
- Debate over alternatives:
  - Auto‑deny breaks apps and is hard to debug/override for normal users.
  - Auto‑allow is worse due to abuse and tracking.
- Some praise iOS’s repeated prompts for sensitive permissions; others call for TTLs, “allow once/session/timeframe,” and clearer global controls.
Push Notifications as an Attack Surface
- Multiple stories of elderly users’ desktops being overrun by scammy browser notifications that look like native OS alerts (“SECURITY ALERT!! CALL NOW”).
- Many see general‑purpose web push as “one of the worst features of the modern web,” with maybe email/chat/financial alerts as marginally valid.
- Others argue for legitimate uses (news, flights, YouTube, messaging), but there’s low trust that companies will restrain themselves from turning them into ad channels.
- Some suggest:
  - Blocking all notification requests by default.
  - Allowing notifications only for PWAs the user explicitly installs.
  - Using badges/pinned tabs instead of OS‑style popups.
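
For anyone cleaning up a relative's machine after the notification spam described above, the following added example (not from the article or the discussion) lists which origins a Chromium-based profile has allowed to send notifications and whether the default is already "block". The key layout of the profile's Preferences JSON and the values 1 = allow, 2 = block are assumptions about an undocumented file format; the sample data and host names are constructed.

```python
import json
from urllib.parse import urlsplit

ALLOW, BLOCK = 1, 2  # assumed Chromium content-setting values

# Constructed sample mirroring the assumed layout of a profile "Preferences" file.
SAMPLE = json.loads("""
{"profile": {
  "default_content_setting_values": {},
  "content_settings": {"exceptions": {"notifications": {
    "https://mail.example.com:443,*": {"setting": 1},
    "https://prize-alerts.example.net:443,*": {"setting": 1},
    "https://news.example.org:443,*": {"setting": 2}
  }}}
}}
""")


def default_is_block(prefs):
    """True only if the profile-wide notification default is 'block'."""
    defaults = prefs.get("profile", {}).get("default_content_setting_values", {})
    return defaults.get("notifications") == BLOCK


def granted_notification_origins(prefs, expected_hosts=frozenset()):
    """Origins with notifications allowed, minus hosts the user expects."""
    exceptions = (prefs.get("profile", {})
                  .get("content_settings", {})
                  .get("exceptions", {})
                  .get("notifications", {}))
    findings = []
    for pattern, entry in exceptions.items():
        # Skip malformed entries and anything not explicitly allowed.
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue
        origin = pattern.split(",", 1)[0]  # key is "primary,secondary"
        host = urlsplit(origin).hostname or origin
        if host not in expected_hosts:
            findings.append(origin)
    return sorted(findings)


if __name__ == "__main__":
    print("default blocks requests:", default_is_block(SAMPLE))
    for origin in granted_notification_origins(SAMPLE, {"mail.example.com"}):
        print("review/revoke:", origin)
```

To use it on a real profile, load a copy of the profile's Preferences file with `json.load` while the browser is closed and pass the result in place of `SAMPLE`.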
Browser Capabilities & Web Platform Creep
- Strong criticism that untrusted JS can trigger OS‑like notifications and access things like battery or fonts; belief that adtech steers standards.
- Counterargument: some APIs are genuinely useful, but should be permission‑gated, possibly returning fake data on denial.
- Overall concern that browsers now execute hostile code with too many knobs, while permission UX is opaque and inconsistent across features.
Redirect Chains & Traffic Distribution Systems
- Readers ask why scam links bounce through many domains.
- Proposed reasons: multiple ad impressions, bypassing initial checks, user‑agent/IP targeting, setting first‑party cookies, and tracking/monetization.
- Comparisons to convoluted SSO flows (Okta, universities, Microsoft) that normalize long redirect chains and erode user suspicion.
Mitigations: Ad Blocking & Configuration
- Many advocate adblockers and DNS‑level blocking (uBlock Origin, NextDNS, VPN‑based blockers, Safari content blockers) as primary defense, especially for at‑risk relatives.
- Challenges: older users cling to familiar browsers (often Chrome) and resist switching, limiting effective protection.
Regulation, UX, and Article Critique
- EU cookie rules are blamed for normalizing popups/dark patterns; others reply that the intent was user‑friendly and site operators chose hostile implementations.
- Some praise the article as a useful warning; others find it vague, alarmist, and light on technical detail, claiming this is a recurring pattern.