A new deceptive ad injection campaign has been found leveraging an ad blocker extension for Google Chrome and Opera web browsers to sneakily insert ads and affiliate codes on websites, according to new research from cybersecurity firm Imperva.
The findings come following the discovery of rogue domains distributing an ad injection script in late August 2021 that the researchers connected to an add-on called AllBlock. The extension has since been pulled from both the Chrome Web Store and Opera add-ons marketplaces.
“When the user clicks on any modified links on the webpage, he will be redirected to an affiliate link,” Imperva researchers Johann Sillam and Ron Masas said. “Via this affiliate fraud, the attacker earns money when specific actions like registration or sale of the product take place.”
AllBlock is also characterized by a variety of techniques aimed at avoiding detection, including clearing the debug console every 100 ms and excluding major search engines. Imperva said the AllBlock extension is likely part of a larger distribution campaign that may have utilized other browser extensions and delivery methods, with ties observed to a previous PBot campaign based on overlaps in domain names and IP addresses.
“Ad injection is an evolving threat that can impact almost any site. Attackers will use anything from browser extensions to malware and adware installed on visitors’ devices, making most site owners ill-equipped to handle such attacks,” Sillam and Masas said.
“When ad injection is used, the site performance and user experience are degraded, making websites slower and harder to use,” the researchers added. “Other impacts of ad injection include loss of customer trust and loyalty, revenue loss from ad placements, blocked content and diminished conversion rates.”
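For site owners, the link modification described above can be checked by comparing the links the server rendered with the links present in the visitor's DOM. The following is an added example, not code from Imperva or from the extension; the `data-link-id` attribute, the allowlist and every URL in it are constructed assumptions.

```javascript
// Hosts this (hypothetical) site legitimately links to.
const ALLOWED_HOSTS = new Set(["shop.example", "partner.example"]);

// Browser-side collector. Assumes the server tags every anchor it renders
// with data-link-id; anchors without the tag get id undefined.
function snapshotLinks(doc) {
  return [...doc.querySelectorAll("a[href]")].map((a) => ({
    id: a.dataset.linkId,
    href: a.href, // the href property is always an absolute URL
  }));
}

// baseline: links as served; current: links now in the DOM. Both are
// arrays of {id, href}. Returns one finding per suspicious link.
function findRewrittenLinks(baseline, current, allowedHosts = ALLOWED_HOSTS) {
  const served = new Map(baseline.map((l) => [l.id, l.href]));
  const findings = [];
  for (const { id, href } of current) {
    const original = served.get(id);
    if (original === undefined) {
      findings.push({ id, href, reason: "link-not-served" });
    } else if (original !== href) {
      let before, after;
      try { before = new URL(original); after = new URL(href); }
      catch { findings.push({ id, href, reason: "unparseable" }); continue; }
      if (after.host !== before.host && !allowedHosts.has(after.host)) {
        findings.push({ id, href, reason: "host-changed" });
        continue;
      }
      // Same or allowlisted host: look for query parameters that were added.
      const added = [...after.searchParams.keys()]
        .filter((k) => !before.searchParams.has(k));
      const reason = added.length ? "params-added" : "href-changed";
      findings.push({ id, href, reason, added });
    }
  }
  return findings;
}

// Constructed sample data, not taken from the campaign.
const SAMPLE_BASELINE = [
  { id: "a1", href: "https://shop.example/product/42" },
  { id: "a2", href: "https://shop.example/cart" },
  { id: "a3", href: "https://partner.example/deal?id=7" },
];
const SAMPLE_CURRENT = [
  { id: "a1", href: "https://redirect.invalid/go?to=shop.example%2Fproduct%2F42" },
  { id: "a2", href: "https://shop.example/cart" },
  { id: "a3", href: "https://partner.example/deal?id=7&aff=zz99" },
  { id: "a4", href: "https://ads.invalid/banner" },
];
console.log(findRewrittenLinks(SAMPLE_BASELINE, SAMPLE_CURRENT));
```

In a page, `snapshotLinks(document)` taken a few seconds after load supplies `current`, and findings can be sent to the site's own telemetry endpoint.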