Researchers have discovered a new deceptive ad injection campaign that is targeting users of some large websites leveraging an AD-blocking extension AllBlock, that is available on both Chrome and Opera browsers.

Ad injection is a technique of inserting unauthorized advertisements into a publisher’s web page to trick users into clicking on them. Ad injection can be conducted in many ways, such as using malicious browser extensions, malware, and XSS attacks. The researchers discovered a series of rogue domains distributing an ad injection script linked to an extension called AllBlock.

One of them was hxxps[:]//frgtylik[.]com/KryhsIvSaUnQ[.]js, which works in the following way

  • The script sends a list of all the links that are currently present in the page, including the full URL of the page, to a remote server.
  • The server returns the list of domains it wants to redirect back to the script.
  • When user clicks on a link that has been altered, the user will then be hijacked to a different page

The JavaScript code is injected into every new tab opened in the browser, it identifies and sends all links in a web page to a remote server. The server, in turn, responds back with a list of domains to replace the legitimate links, when the user will click on one of them, he will be redirected to a page chosen by the attackers.

In a variable called e.hiddenHref, the malicious JavaScript will store the replacing URL based on the information returned by the server ratds[.]net. When the user clicks on any modified links on the webpage, he will be redirected to an affiliate link. Via this affiliate fraud, the attacker earns money when specific actions like registration or sale of the product take place.

AllBlock employed by the operators behind this campaign implements several techniques to avoid detection and make the analysis harder, including clearing the debug console every 100ms and excluding major search engines.

When ad injection is used, the site performance and user experience is degraded, making websites slower and harder to use. Other impacts of ad injection include loss of customer trust and loyalty, revenue loss from ad placements, blocked content, and diminished conversion rates.

The malicious Ad-Blocking Chrome extension has been removed from both the Chrome Web Store and Opera add-ons marketplaces.