Researchers have discovered a new deceptive ad injection campaign that is targeting users of some large websites leveraging an AD-blocking extension AllBlock, that is available on both Chrome and Opera browsers.
Ad injection is a technique of inserting unauthorized advertisements into a publisher’s web page to trick users into clicking on them. Ad injection can be conducted in many ways, such as using malicious browser extensions, malware, and XSS attacks. The researchers discovered a series of rogue domains distributing an ad injection script linked to an extension called AllBlock.
One of them was hxxps[:]//frgtylik[.]com/KryhsIvSaUnQ[.]js, which works in the following way
- The script sends a list of all the links that are currently present in the page, including the full URL of the page, to a remote server.
- The server returns the list of domains it wants to redirect back to the script.
- When user clicks on a link that has been altered, the user will then be hijacked to a different page
AllBlock employed by the operators behind this campaign implements several techniques to avoid detection and make the analysis harder, including clearing the debug console every 100ms and excluding major search engines.
When ad injection is used, the site performance and user experience is degraded, making websites slower and harder to use. Other impacts of ad injection include loss of customer trust and loyalty, revenue loss from ad placements, blocked content, and diminished conversion rates.
The malicious Ad-Blocking Chrome extension has been removed from both the Chrome Web Store and Opera add-ons marketplaces.