According to recent research from cybersecurity firm Imperva, a newly discovered deceptive ad injection campaign uses an ad blocker extension for the Google Chrome and Opera web browsers to secretly inject advertisements and affiliate codes into websites.
The findings follow the discovery, in late August 2021, of malicious websites distributing an ad injection script that the researchers linked to an add-on named AllBlock. The extension has since been removed from both the Chrome Web Store and the Opera add-ons marketplace.
AllBlock works by collecting all links on a web page (often a search engine results page) and sending them to a remote server, which responds with a list of domains to replace the original links with. As a result, the victim is routed to a different page after clicking a link.
According to Imperva researchers Johann Sillam and Ron Masas, when a user clicks on any of the altered links on the webpage, they are routed to an affiliate link. When specified actions such as registration or product sales occur, the attacker earns money through affiliate fraud.
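From a site owner's side, the link replacement described above shows up as outbound links whose hostname changes after the page has rendered. The following is an added example, not code from Imperva or from the extension: the function names, link IDs and `.example` hostnames are assumptions, and the sample data is constructed.

```javascript
// Added example: page-side check for outbound links rewritten after load.
// All sample links are constructed and use reserved .example hostnames.

// Record each link's hostname as the server rendered it.
function snapshotLinks(links) {
  const baseline = new Map();
  for (const { id, href } of links) baseline.set(id, new URL(href).hostname);
  return baseline;
}

// Compare current links with the baseline and report hostname changes
// that land on a host the site has not explicitly allowed.
function findRewrittenLinks(baseline, links, allowedHosts) {
  const findings = [];
  for (const { id, href } of links) {
    const original = baseline.get(id);
    if (original === undefined) continue; // link added later: out of scope here
    let current;
    try {
      current = new URL(href).hostname;
    } catch {
      findings.push({ id, original, current: null, reason: "unparseable" });
      continue;
    }
    if (current !== original && !allowedHosts.has(current)) {
      findings.push({ id, original, current, reason: "host-changed" });
    }
  }
  return findings;
}

const rendered = [
  { id: "r1", href: "https://shop.example/item/42" },
  { id: "r2", href: "https://news.example/story" },
  { id: "r3", href: "https://docs.example/guide" },
];
const afterLoad = [
  { id: "r1", href: "https://tracker.example/go?to=shop" },   // host rewritten
  { id: "r2", href: "https://news.example/story?ref=home" },  // same host
  { id: "r3", href: "https://cdn.docs.example/guide" },       // allowed host
];
const findings = findRewrittenLinks(
  snapshotLinks(rendered), afterLoad, new Set(["cdn.docs.example"]));
console.log(findings);
```

In a browser, the link lists would come from `document.querySelectorAll('a[href]')`, with the comparison re-run from a `MutationObserver` watching the `href` attribute, and findings reported to the site's own telemetry endpoint.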
AllBlock also employs several anti-detection methods, such as clearing the debug console every 100 milliseconds and excluding key search engines. According to Imperva, the AllBlock extension is likely part of a broader distribution effort that may have used other browser extensions and delivery mechanisms, with overlaps in domain names and IP addresses pointing to a previous PBot campaign.
Sillam and Masas said that ad injection is a growing danger that may affect nearly any website. Attackers will employ various tools, including browser extensions, malware, and adware installed on users’ devices, leaving most website owners unprepared to deal with such threats.
Ad injection degrades site speed and user experience, making websites slower and harder to use. Ad injection can also result in a loss of consumer trust and loyalty, as well as lost income from ad placements, banned content, and lower conversion rates.