A new deceptive ad injection campaign has been found leveraging
an ad blocker extension for Google Chrome and Opera web browsers to
sneakily insert ads and affiliate codes on websites, according to
new research from cybersecurity firm Imperva.
The findings come following the discovery of rogue domains
distributing an ad injection script in late August 2021 that the
researchers connected to an add-on called AllBlock. The extension[1]
has since been pulled from both the Chrome Web Store and Opera
add-ons marketplaces.
While AllBlock is designed to block ads legitimately, the
JavaScript code is injected into every new tab opened on the
browser. It works by identifying and sending all links in a web
page — typically on search engine results pages — to a remote
server, which responds back with a list of websites to replace the
genuine links with, leading to a scenario where upon clicking a
link, the victim is redirected to a different page.
“When the user clicks on any modified links on the webpage, he
will be redirected to an affiliate link,” Imperva researchers
Johann Sillam and Ron Masas said[2]. “Via this affiliate
fraud, the attacker earns money when specific actions like
registration or sale of the product take place.”
AllBlock is also characterized by a variety of techniques aimed
at avoiding detection, including clearing the debug console every
100ms and excluding major search engines. Imperva said the AllBlock
extension is likely part of a larger distribution campaign that may
have utilized other browser extensions and delivery methods, with
ties observed to a previous PBot campaign[3]
based on overlaps in domain names and IP addresses.
“Ad injection is an evolving threat that can impact almost any
site. Attackers will use anything from browser extensions to
malware and adware installed on visitors’ devices, making most site
owners ill-equipped to handle such attacks,” Sillam and Masas
said.
“When ad injection is used, the site performance and user
experience is degraded, making websites slower and harder to use,”
the researchers added. “Other impacts of ad injection include loss
of customer trust and loyalty, revenue loss from ad placements,
blocked content and diminished conversion rates.”