A Fake Notification That Looks Real Enough to Fool Anyone

‘A Notification Is All That It Takes!’: Researchers Warn of Growing Fake System Alerts Compromising Personal Data

The420 Web Desk

A new wave of browser-based phishing attacks is exploiting the one space users instinctively trust, their device’s own notification panel, blurring the line between genuine alerts and malicious prompts designed to steal sensitive credentials from some of the world’s most widely used platforms.

When a Notification Looks Real Enough to Trust

In recent months, cybersecurity analysts have documented an escalation in browser-based phishing schemes that rely not on email or SMS, but on something far more subtle: web-push notifications engineered to mimic system alerts. These prompts, appearing in the same space as legitimate device warnings, are deceiving users into clicking malicious links that lead to credential-harvesting sites disguised as Netflix, PayPal, TikTok, MetaMask and other high-profile brands.

The tactic begins with social engineering. Victims are prompted to “allow notifications” on a seemingly benign webpage — sometimes a compromised legitimate site, sometimes an outright malicious one. Once permissions are granted, attackers can deliver a stream of fake alerts that look indistinguishable from trusted system messages. The result, researchers say, is a seamless psychological trick that exploits people’s reflexive trust in familiar notification zones.

“We found templates for brands such as MetaMask, Netflix, Cloudflare, PayPal, TikTok, and more,” said Brenda Robb of BlackFog security. Each notification, she added, is “designed to look like a legitimate security page from those providers.”


A New Command-and-Control Platform Emerges

The alerts are not random. They are part of a coordinated infrastructure tied to a newly identified command-and-control platform called Matrix Push C2, according to a threat-intelligence report from BlackFog. The platform enables cybercriminals to hijack browser functionality, turning it into an attack-delivery system rather than a passive window to the web.

Matrix Push C2 leverages three vectors in combination:

  • Push browser notifications that mimic system-level alerts
  • Faked security warnings that invoke trusted brands
  • Redirect chains that funnel users toward credential-harvesting portals

The sophistication lies not only in the deception but also in the way Matrix Push uses the web browser, normally treated as a neutral interface, as an active mechanism for manipulation. By embedding itself within permission settings users often overlook, the platform can continuously deliver malicious prompts even after the user has left the original triggering webpage. BlackFog researchers described the strategy succinctly: Matrix Push “turns web browsers into an attack delivery vehicle.”

[Image: Matrix Push C2 tool]
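
One way to audit the notification permissions described above, as an added example that is not from the BlackFog report or the original article: the script lists every origin a Chromium-based browser profile has allowed to send notifications, newest grant first. It assumes the profile `Preferences` JSON layout observed in Chromium-based browsers (`profile.content_settings.exceptions.notifications`, `setting` 1 meaning allow, `last_modified` in microseconds since 1601); the sample data, the `approved` allowlist and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

ALLOW = 1  # assumed Chromium content-setting value for "allow"; 2 is "block"
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample of the relevant part of a profile "Preferences" file.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://mail.example.com:443,*": {"last_modified": "13370000000000000", "setting": 1},
        "https://free-video.example.net:443,*": {"last_modified": "13400000000000000", "setting": 1},
        "https://news.example.org:443,*": {"last_modified": "13390000000000000", "setting": 2},
    }}}}
})

def webkit_to_datetime(value):
    """Convert microseconds since 1601-01-01 UTC to a datetime (None if unparsable)."""
    try:
        return WEBKIT_EPOCH + timedelta(microseconds=int(value))
    except (TypeError, ValueError, OverflowError):
        return None

def allowed_notification_origins(preferences_text, approved=()):
    """Return [(origin, granted_at, is_approved)] for origins allowed to push notifications."""
    prefs = json.loads(preferences_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    results = []
    for pattern, meta in entries.items():
        if not isinstance(meta, dict) or meta.get("setting") != ALLOW:
            continue  # skip blocked or malformed entries
        origin = pattern.split(",", 1)[0]  # key is "<primary pattern>,<secondary pattern>"
        granted = webkit_to_datetime(meta.get("last_modified"))
        results.append((origin, granted, origin in approved))
    # Newest grants first: a recent grant to an unknown origin is the one to review.
    results.sort(key=lambda r: r[1] or WEBKIT_EPOCH, reverse=True)
    return results

if __name__ == "__main__":
    approved = {"https://mail.example.com:443"}  # hypothetical allowlist
    for origin, granted, ok in allowed_notification_origins(SAMPLE_PREFERENCES, approved):
        when = granted.strftime("%Y-%m-%d") if granted else "unknown"
        print(f"{'approved' if ok else 'REVIEW':8} {origin}  granted={when}")
```

Origins flagged `REVIEW` can be removed in the browser's notification site settings, which stops further pushes from that origin.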

A Week of Attacks That Don’t Look Like Attacks

The discovery of Matrix Push follows what analysts describe as a series of “not what they seem” incidents that reflect a changing threat landscape. Earlier this week, security teams flagged a new Android banking trojan known as Sturnus, capable of reading encrypted instant-message conversations by capturing them at the moment they appear on a user’s screen. Prior to that, researchers warned companies to be wary of copy-and-paste attacks, which quietly exploit clipboard permissions to exfiltrate sensitive data.

Taken together, these incidents illustrate a pattern: attackers are increasingly relying on features users perceive as harmless (notifications, clipboards, screen display) rather than deploying the more traditional malware behaviors that antivirus systems are trained to detect.

It is within this broader context that Matrix Push becomes particularly concerning. Unlike email-based phishing, which relies on users spotting suspicious elements in a message, push-notification phishing injects itself directly into a trusted visual space. When alerts appear exactly where legitimate warnings normally reside, users are far more likely to accept them as real.

A Persistent Threat in Systems Built for Convenience

Cybersecurity researchers caution that the problem is not temporary. Three trends, they say, are unlikely to change:

  1. Phishing is not going anywhere.

  2. Operating systems will remain open to notification-based threats by design.

  3. Cybercriminals will continue refining attack platforms that exploit user trust.

These realities complicate defensive strategies. Blocking all push notifications is impractical for most users, while distinguishing legitimate alerts from malicious ones requires a degree of scrutiny that is unrealistic in everyday digital life.
