This ad blocker extension actually added…more ads

Installing an ad blocker extension for your browser is a great way to limit the number of ads you see online but what if your ad blocker actually ended up showing you more ads?

Security researchers from the cybersecurity firm Imperva have released a report detailing a new ad injection campaign that targets users through an extension available on both Google Chrome and Opera called AllBlock.

For those unfamiliar, ad injection is the process of inserting unauthorized ads into a publisher’s webpage with the goal of enticing unsuspecting users into clicking on them. Ad injection can also come from a variety of sources including malicious browser extensions, malware and even stored cross-site scripting (XSS).

When it comes to ecommerce, ad injection is commonly used to advertise on competitors’ sites to steal their customers, price comparison ads can be utilized to distract customers and prevent them from making purchases and affiliate codes or links can be injected so that scammers can cash in on purchases made on sites that aren’t theirs.

AllBlock extension

Back in August, Imperva Research Labs discovered that unknown malicious domains were being distributed by an ad injection script. 

One of these malicious domains observed by the firm works by sending a list of all of the links on a page to a remote server. The server returns the list of domains it wants to redirect back to the script and then whenever a user clicks on a link that has been altered, they are taken to a different page (often an affiliate link) than the one intended by the actual site owner.

Imperva then decided to download the Chrome extension for AllBlock for further analysis to find that it also leads to the same malicious behavior. After reviewing the extension’s source code, the firm found that while it appeared like any other ad blocker, the background script “bg.js” was used to inject a JavaScript code snippet into every new tab.

Despite its findings, Imperva doesn’t believe it found the origin of the attack because of the way the script was injected and that a larger campaign is taking place that may utilize different delivery methods as well as other extensions.

If you’ve added AllBlock to your browser, you should remove the extension immediately if you don’t want additional ads injected to the websites you visit. Thankfully though, it does appear that Google has removed the extension in question from the Chrome Web Store.

Go to Source