Ad-blocking Chrome extension found injecting ads into Google search pages
A new deceptive ad injection campaign was found using an ad blocker extension for Google Chrome and Opera web browsers to sneakily insert ads and affiliate codes into websites, according to new research from the cybersecurity company Imperva.
The findings follow the discovery of malicious domains distributing an ad injection script in late August 2021 that researchers connected to an add-on called AllBlock. The extension has since been pulled from the Chrome Web Store and Opera add-on markets.
“When the user clicks on a modified link on the web page, they will be redirected to an affiliate link,” said Imperva researchers Johann Sillam and Ron Masas. “With this affiliate fraud, the attacker makes money when specific actions such as registering or selling the product take place.”
AllBlock also features a variety of techniques to avoid detection, including clearing the debug console every 100ms and excluding major search engines. Imperva said the AllBlock extension is likely part of a larger distribution campaign that may have used other browser extensions and delivery methods, with links seen to a previous PBot campaign based on overlaps in domain names and IP addresses.
“Ad injection is an evolving threat that can impact almost any site. Attackers will use anything from browser extensions to malware and adware installed on visitors’ devices, making most site owners ill-equipped to handle such attacks,” said Sillam and Masas.
“When ad injection is used, site performance and user experience are degraded, making websites slower and more difficult to use,” the researchers added. “Other impacts of ad injection include loss of customer trust and loyalty, loss of revenue from ad placements, blocked content, and decreased conversion rates.”