AllBlock ad blocker Chrome extension injected ads into Google searches

AllBlock was available on Google Chrome’s web store, where it was marketed as a powerful Facebook- and YouTube-focused ad blocker to prevent pop-ups.

Google has maintained that it takes the security of Chrome extensions very seriously and checks them regularly to prevent them from being exploited. However, Imperva’s new report reveals that Google may not be doing its job as sincerely as it claims.

Chrome Ad-Blocker Extension Showing Ads on Google

Sillam and Ron Masas from security provider Imperva reported that a Google Chrome extension called AllBlock, designed to block ads, injects ads into Chrome and Opera.

Although the extension does block ads, it runs a script in the background that injects a piece of JavaScript code into each tab the user opens. This code communicates with remote servers and downloads and installs a payload connected to the operators of an ad injection scam.

“When the user clicks on a modified link on the web page, they are redirected to an affiliate link. Thanks to this affiliate fraud, the attacker earns money when specific actions such as the registration or sale of the product take place,” Imperva researchers observed.

The payload then pulls in a series of unwanted ads, most of which are not from legitimate sources and include affiliate links. AllBlock was available on the Google Chrome web store, where it was marketed as a powerful Facebook- and YouTube-focused ad blocker to prevent pop-ups. It has now been removed from Opera add-ons and the Chrome Web Store.

What is ad injection?

Ad injection is a method of inserting ads or links into a web page that is not meant to host them. Scammers can make money from ads by injecting unrelated ads or redirecting unsuspecting users to affiliate links to earn commission.

Imperva researchers identified such a campaign in August 2021, in which several previously unknown domains were found to distribute an ad injection script that sent legitimate URLs to a remote server and, in response, obtained a list of redirection domains. As a result, when a user clicked on a modified link, they were taken to another page, usually an affiliate link.

Ad injection scripts can feature evasion techniques such as excluding Russian search engines, actively detecting Firebug variables, and clearing the debug console every 100 ms. In the AllBlock ad injection scam, Imperva researchers found, in the extension's bg.js, the script they had been looking for since August.
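
As an added example (not Imperva's code and not taken from the extension), the following JavaScript shows a static triage pass a reviewer could run over an extension's background script such as bg.js, flagging the behaviours described above: code injected into every tab, a debug console cleared on a timer, and Firebug checks. The rule set, the two-hit threshold and both sample scripts are constructed assumptions.

```javascript
// Added example: static triage of an extension background script (e.g. bg.js).
// Rules, threshold and both sample scripts are constructed for illustration.
const RULES = [
  { id: "inject-every-tab", // tab event listener combined with script injection
    test: (s) => /chrome\.tabs\.on(Updated|Created)\b/.test(s) &&
                 /chrome\.(tabs|scripting)\.executeScript\b/.test(s) },
  { id: "dynamic-code", // injected code is a variable, not a literal or packaged file
    test: (s) => /executeScript\s*\([^)]*\bcode\s*:\s*(?![\s"'`])/.test(s) },
  { id: "console-clear-timer", // debug console wiped on a timer
    test: (s) => /set(Interval|Timeout)\s*\([^;]*console\.clear/.test(s) },
  { id: "firebug-probe", // looks for Firebug debugger variables
    test: (s) => /\bfirebug\b/i.test(s) },
];

// Assumed threshold: a single indicator is common in legitimate extensions,
// so only a combination of two or more is escalated to a human reviewer.
function triage(source) {
  const hits = RULES.filter((r) => r.test(source)).map((r) => r.id);
  return { hits, verdict: hits.length >= 2 ? "manual-review" : "pass" };
}

// Constructed sample: inert fragment with the shape the article describes.
const SUSPICIOUS_BG = `
chrome.tabs.onUpdated.addListener(function (tabId, info) {
  if (info.status === "complete") {
    chrome.tabs.executeScript(tabId, { code: payload });
  }
});
setInterval(function () { console.clear(); }, 100);
if (window.console && window.console.firebug) { active = false; }
`;

// Constructed sample: an ad blocker that only cancels requests and sets a badge.
const BENIGN_BG = `
chrome.webRequest.onBeforeRequest.addListener(
  function () { return { cancel: true }; },
  { urls: ["*://ads.example/*"] }, ["blocking"]);
chrome.tabs.onUpdated.addListener(function (tabId) {
  chrome.browserAction.setBadgeText({ tabId: tabId, text: "on" });
});
`;

for (const [name, src] of [["suspicious", SUSPICIOUS_BG], ["benign", BENIGN_BG]]) {
  console.log(name, JSON.stringify(triage(src)));
}
```

A "manual-review" verdict only prioritises the script for a human reader; pattern matching of this kind does not see through obfuscated or remotely loaded code.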

How is the extension marketed?

It is not yet clear how AllBlock is distributed or promoted. According to Imperva, the crooks are probably using other extensions in this campaign. They could not identify the origin of the attack due to the way the malicious script was injected.

“The script we first observed was injected via a script tag pointing to a remote server where the AllBlock extension injects malicious code directly into the active tab,” the Imperva report revealed.

This indicates a larger campaign at work using different delivery methods and extensions, which could be related to the PBot campaign.
