Researchers from Imperva have spotted a new deceptive ad injection campaign that is targeting users of some large websites leveraging an AD-blocking extension, named AllBlock, that is available on both Chrome and Opera browsers.
Ad injection consists of inserting unauthorized advertisements into a publisher’s web page to trick users into clicking on them. Ad injection can be conducted in many ways, such as using malicious browser extensions, malware, and cross-site scripting (XSS) attacks.
The researchers discovered a series of rogue domains distributing an ad injection script in late August 2021 that they linked to an extension called AllBlock.
“One of them was hxxps[:]//frgtylik[.]com/KryhsIvSaUnQ[.]js, which works in the following way:
1 – The script sends a list of all the links that are currently present in the page, including the full URL of the page, to a remote server.
2 – The server returns the list of domains it wants to redirect back to the script.
3 – Whenever the user clicks on a link that has been altered, the user will then be hijacked to a different page.” reads the analysis published by Imperva.
AllBlock employed by the operators behind this campaign implements several techniques to avoid detection and make the analysis harder, including clearing the debug console every 100ms and excluding major search engines.
Imperva researchers linked this campaign to an older one tracked as PBot campaign that used same domain names and IP addresses.
“Ad injection is an evolving threat that can impact almost any site.” concludes the analysis. “When ad injection is used, the site performance and user experience is degraded, making websites slower and harder to use. According to Baymard Institute, 68.8% of online shopping carts are abandoned. There could be many reasons for this, but there is no denying that ad injection plays a key role in this as well. Other impacts of ad injection include loss of customer trust and loyalty, revenue loss from ad placements, blocked content and diminished conversion rates.”
The malicious Ad-Blocking Chrome extension has been removed from both the Chrome Web Store and Opera add-ons marketplaces.
The researchers also shared Indicators of Compromise (IoCs) for this campaign.
(SecurityAffairs – hacking, Ad-Blocking Chrome extension)