Annoying recurring popup saying things like “Your Norton has expired” or “Your McAfee has expired”

This popup recurs every minute or sometimes less, while you are using your browser. It disappears, and you think it is gone, but then it is back.

What has happened is that the bad people have tricked you into giving permission to one of their servers running in the cloud to show notification popups in your browser. And now they are trying to use that fingerhold on your system to try and seduce/annoy you into downloading and installing some software that will do some actual damage. It is a phishing attack.

There are two main routes to disaster. Firstly, clicking on the link in the popup and downloading anything it points you to, no matter what it says it is.  Secondly, searching for a solution on the Internet and believing any of the posts that say you need to download and run program X to solve the problem. Almost all of these posts are from the same bad people.

The permission would have been set up by a website (probably hacked) that you visited. The permission grant will have been disguised as something you thought was okay to click the button to grant. You probably barely noticed.

What almost nobody will tell you is that all you need to do to get rid of the problem again is to go into your browser settings and turn off the permission you inadvertently gave to show notification popups. Simple, but true, and the bad people do not want the news to spread, so I am posting it on my own site and everywhere else that I can reach. How do you know this solution is safe? Well, nothing is hidden, you do all the actions yourself, and the only actions you take are to turn permissions off.

I got the right answer from this forum thread: https://support.google.com/chrome/thread/17013978?hl=en . Unfortunately, the good stuff doesn’t even show up until you expand to see all comments. It has been creatively buried. The good answer is by Dominic Diehl, posted on 23 October 2019, and here it is.

The rogue website tricked you into (1) granting notifications for a domain. Originally, this was becausenightisbetter.com, but there are now other variations. This site also installed a (2) service worker in your browser. Service workers have the ability to react on messages from some server. This can be useful, e.g. if you want to be notified of new messages of your favourite website. It can also be misused, if the remote server sends you annoying or even potentially harmful messages.

1) Turn off notifications for becausenightisbetter.com, or any other domains that look suspicious to you:

Chrome:
https://support.google.com/chrome/answer/3220216?co=GENIE.Platform%3DDesktop&hl=en

Firefox:
https://support.mozilla.org/en-US/kb/push-notifications-firefox#w_how-do-i-revoke-web-push-permissions-for-a-specific-site

2) Remove the service worker:

Chrome:
1. Open up the following URL to manage your service workers:
   chrome://serviceworker-internals/
2. Delete the entries of the malicious domains

Firefox:
1. Open up the following URL to manage your service workers:
   about:serviceworkers
2. Delete the entries of the malicious domains

Deleting a service worker should never be a problem, as it would be reinstalled the next time you visit the website