Experts spotted an Ad-Blocking Chrome extension injecting malicious ads

Researchers warn of an Ad-Blocking Chrome extension that was abused by threat actors to Injecting Ads in Google search pages.

Researchers from Imperva have spotted a new deceptive ad injection campaign that is targeting users of some large websites leveraging an AD-blocking extension, named AllBlock, that is available on both Chrome and Opera browsers.

Ad injection consists of inserting unauthorized advertisements into a publisher’s web page to trick users into clicking on them. Ad injection can be conducted in many ways, such as using malicious browser extensions, malware, and cross-site scripting (XSS) attacks.

The researchers discovered a series of rogue domains distributing an ad injection script in late August 2021 that they linked to an extension called AllBlock.

“One of them was hxxps[:]//frgtylik[.]com/KryhsIvSaUnQ[.]js, which works in the following way:

1 – The script sends a list of all the links that are currently present in the page, including the full URL of the page, to a remote server.
2 – The server returns the list of domains it wants to redirect back to the script.
3 – Whenever the user clicks on a link that has been altered, the user will then be hijacked to a different page.” reads the analysis published by Imperva.

The JavaScript code is injected into every new tab opened in the browser, it identifies and sends all links in a web page (i.e. The results of a query to a search engine) to a remote server. The server, in turn, responds back with a list of domains to replace the legitimate links, when the user will click on one of them he will be redirected to a page chosen by the attackers.

“In a variable called e.hiddenHref, the malicious JavaScript will store the replacing URL based on the information returned by the server ratds[.]net. When the user clicks on any modified links on the webpage, he will be redirected to an affiliate link. Via this affiliate fraud, the attacker earns money when specific actions like registration or sale of the product take place.” continues the analysis.

AllBlock employed by the operators behind this campaign implements several techniques to avoid detection and make the analysis harder, including clearing the debug console every 100ms and excluding major search engines.

Imperva researchers linked this campaign to an older one tracked as PBot campaign that used same domain names and IP addresses.

“Ad injection is an evolving threat that can impact almost any site.” concludes the analysis. “When ad injection is used, the site performance and user experience is degraded, making websites slower and harder to use. According to Baymard Institute, 68.8% of online shopping carts are abandoned. There could be many reasons for this, but there is no denying that ad injection plays a key role in this as well. Other impacts of ad injection include loss of customer trust and loyalty, revenue loss from ad placements, blocked content and diminished conversion rates.”

The malicious Ad-Blocking Chrome extension has been removed from both the Chrome Web Store and Opera add-ons marketplaces.

The researchers also shared Indicators of Compromise (IoCs) for this campaign.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Ad-Blocking Chrome extension)

[adrotate banner=”5″]

[adrotate banner=”13″]