Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can clicking "Cancel" still mean "Accept" when I get a popup?

Question:

My daughter got an offer at a song lyrics website that had a pop-up, and as
always she clicked 'cancel' to get rid of it, then it came back that she had
accepted the offer because clicking 'cancel' was to accept the offer! Now we
are having problems with the computer, especially application hangs. Did we
download spyware or adware inadvertently? So how can we remedy the situation?
Just an FYI, I cannot believe what tactics some of these websites will go to to
gain access to your PC. Shame on them!

Shame on them, indeed.

Yes, I think it's very likely that your daughter - trying to do the right
thing - inadvertently allowed spyware onto your machine.

And yes, sometimes a cancel button isn't a cancel button at all.

While it's possible to tell the difference, it's not always easy.

]]>

Quick, without spending a lot of time studying them, if one of these just popped up at you would you be able to tell which is real and which is fake?

At first blush they're very, very similar. In fact, if you saw either one without the other to compare to, you might never even question it.

"It may look like there are "Yes" and "No" buttons, but in fact the page could be authored in such a way that both mean yes ..."

But question it you should, because that's exactly what spyware authors are counting on.

The first is an actual Windows XP confirmation dialog.

The second is an example of a fake. It's not a confirmation dialog at all, but a web page that has been carefully crafted to look like a confirmation dialog.

Now here's where it gets more devious. Since it's a web page, the author of that page can pretty much have it do anything no matter where you click. It may look like there are "Yes" and "No" buttons, but in fact the page could be authored in such a way that both mean yes, or that even clicking anywhere on that popup at all could mean yes.

So you're surfing along, you get this popup where the obvious answer is "No", you click "No" and the popup treats it as if you'd clicked "Yes", or does something that's completely unrelated - like direct you to porn, or initiate a download of spyware.

It's the later scenario that is the most troubling, and in fact the reason that spyware vendors do this at all.

Let's say that the popup didn't ask about deleting "All Your Work", but rather said something like "A virus has been detected, would you like to remove it?"

By posing as a Windows confirmation dialog, the spyware attempts to gain your trust. You think it's Windows asking you something, you click on the button and then it asks you something again - like "are you sure you want this download?". And because you think it's Windows asking, and because it had asked a reasonable question to begin with, you say yes again.

And you've just allowed spyware to be installed.

Shame on them, indeed.

There are many more scenarios that might not be as obvious, but this is one of the most basic: popups that attempt to fool you into thinking that they're not popups at all, but important messages from your system.

What can you do to avoid this?

It boils down to a three-pronged approach. And even though it shouldn't really be necessary, two of those prongs boil down to learning what to watch out for.

  • Technology: A good anti-spyware package with its real time protection enabled is a good start. So is making sure that you have a popup blocker enabled (fortunately they're now built into most web browsers).

  • Visual Characteristics: Look at those two dialogs above again and you'll see that the title bars - the blue areas at the top of each - are different in several ways. The most telling, perhaps, is that in the fake dialog you can see my browser - Mozilla Firefox - attempting to identify itself. More accurately system alerts typically do not have icons, and almost never have the Maximize button (the center of the three buttons on the far right of the title bar). There may be more characteristics you'll also come to see as "suspicious" over time as you start to notice more of these attempts at fakery.

  • Behavioral Characteristics: Perhaps the most important, and the most reliable, is to develop a sense for when popups like this are unexpected, and therefore suspicious. After you surf the web for a bit and use your computer for a bit certain behaviours will start to stand out. Visiting a new web page, for example, by itself shouldn't result in a "virus detected" warning - since that's not when virus detection happens. When you download something, yes, that's when your anti-virus tool's real time protection would kick in, but just visiting a new page should not trigger this type of notification. Again, over time you'll get a sense for what's reasonable, and when.

I also realize that you started this by saying "my daughter" ... and that of course makes these last two items so much more difficult. Without knowing her age or expertise, it might not even be reasonable to expect her to learn these types of nuances (and they are admittedly nuances).

That's when you rely most heavily on your anti-spyware software, good local network security, and of course a good backup regimen to help recover when the inevitable happens.

Which leads to the final point.

What do you do once you've got spyware?

Sadly the news isn't much better than it is for viruses.

  • Try your up-to-date anti-spyware and other anti-malware tools to see if they can remove the infection.

  • Try a System Restore to a point prior to the infection.

  • Look for manual removal instructions out on the web specific to the infection you have.

Failing any of that there are only two approaches that are absolutely guaranteed to remove the spyware:

  • Restore from a full-image backup taken prior to the infection.

  • Backup, reformat and reinstall.

Fortunately in many cases, there are tools out there that can remove most common spyware, though it may require a little searching.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

16 comments on “Can clicking "Cancel" still mean "Accept" when I get a popup?”

  1. I used to click on the cancel button in the middle of the pop-up simply assuming that it meant what it said. Luckily in those cases it only opened another web-site offering a fak antivirus program or something similar. But if you click on the X in the upper right hand corner, that will really cancel the window as that X is put there by Windows (or what ever OS you are using, Mac puts it on the left)

    Reply
  2. Shortly after my last comment here I got on of those pop-ups. I use the Web of Trust http://www.mywot.com plug-in which gives a user rating of web-sites.In the case of aa website having a poor rating, the web site opens witn a warning that it is a site reated insecure by MYWOT users. When that happens I simply clost that tab or window. I highly recommend it.

    Reply
  3. Like Mark said, safest thing is to close the pop-up via X, not clicking buttons. Or have good pop-up blocker.

    As far as virus warnings go I tend to ignore windows that simply pop up out of nowhere. I know which anti-virus program I use and how that program informs me when it detected something. Anything else it’s likely fake. If by any chance it’s a real warning then my anti-virus program will pick it up and deal with it anyway.

    Reply
  4. Be careful of just clicking on the X… there are some popups that are overlays and/or chromeless windows that have it that even if you click the X it still will act like an ‘accept’ action. I find it better to just close the browser tab or window.

    Reply
  5. I found it amusing / ironic that whilst reading this page I got Leo’s ‘op-up’ asking me if I wanted the newsletter!! :-)

    Reply
  6. As I do pc repair for a living, I’ve often seen spyware and virus’ attack this way. One of the worst is the ‘360 Virus’, in which the pop-up looks almost exactly like a Nortan 360 Internet Security screen. Clicking on “no”, or even the red “X” in the top right corner will download the 360 Virus, which can wipe out your pc in no time. What I do when I get such a pop-up is to just reboot the computer (without closing the browser). Do not click anywhere on the pop-up at all, as any part of it can be programmed to download a virus.

    Reply
  7. Hi, The only really safe way to close these Popup without harm is to close the window thru ALT + F4 keys sequence. there is no guessing as to where or how to click, the window is cancel period.

    Reply
  8. I was recently “attacked” by a very genuine looking Cyber Security offer on my work computer. I tried to reject it but it still got onto my system somehow. Any further attempt to use Internet Explorer to access a regular work related site,met with a notice saying “This site has been reported to Microsoft as suspicious ……recommend its use be discontinued”. Spybot Search & Destroy was used to find and remove it.

    Reply
  9. common sense works well – before clicking or allowing pop-ups. but pop-ups should not even come up most of the time. try playing with security/pop-up settings in firefox (or whichever browser).

    if i get a pop-up i click red cross (explorer window) or alt+F4 either way its gone.

    Reply
  10. I find the best way to get rid of these popups is to open task manager, find the popup and kill them that way. No restart of the computer needed (as suggested by Dave)

    Reply
  11. Yes is the answer. The thing is, the popups are hand coded, as part of the javascript and it’s very very easy to create a popup box where both the yes and no buttons do the same thing. However, the top right hand “x” can’t be hand coded and is hard coded into java itself. Clicking on that will close the dialog box.

    Richard Tanfield-Johnson
    Web Designer @ IT-Green

    Reply
  12. I just faced the problem with chrome (which I always thought had a built in pop-up blocker).
    Anyways, there was no red button in the upper corner for me to close it down.
    So I tried to close the tab with the cross (x) on the tab… Even that did not work…the pop-up did not allow me to close the tab… it was of an annoying company (mackeeper or something like that) telling me to clean my mac… Hell NO!!!

    But I found a solution to get rid of that nonsense:

    I dragged the tab away from all other tabs. So it openened as in a single new window…. and tadaa!!! there was the red button in the left upper corner…. Gone was the SPAM pop-up…
    hope it works in other browsers as well…

    cheers

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.