A new deceptive ad injection campaign has been found leveraging an ad blocker extension for Google Chrome and Opera web browsers to sneakily insert ads and affiliate codes on websites, according to new research from cybersecurity firm Imperva.

The findings come following the discovery of rogue domains distributing an ad injection script in late August 2021 that the researchers connected to an add-on called AllBlock. The extension has since been pulled from both the Chrome Web Store and Opera add-ons marketplaces.


While AllBlock is designed to block ads legitimately, the JavaScript code is injected into every new tab opened on the browser. It works by identifying and sending all links in a web page — typically on search engine results pages — to a remote server, which responds back with a list of websites to replace the genuine links with, leading to a scenario where upon clicking a link, the victim is redirected to a different page.

"When the user clicks on any modified links on the webpage, he will be redirected to an affiliate link," Imperva researchers Johann Sillam and Ron Masas said. "Via this affiliate fraud, the attacker earns money when specific actions like registration or sale of the product take place."

AllBlock is also characterized by a variety of techniques aimed at avoiding detection, including clearing the debug console every 100ms and excluding major search engines. Imperva said the AllBlock extension is likely part of a larger distribution campaign that may have utilized other browser extensions and delivery methods, with ties observed to a previous PBot campaign based on overlaps in domain names and IP addresses.

AI vs. AI: Harnessing AI Defenses Against AI-Powered Risks

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

"Ad injection is an evolving threat that can impact almost any site. Attackers will use anything from browser extensions to malware and adware installed on visitors' devices, making most site owners ill-equipped to handle such attacks," Sillam and Masas said.

"When ad injection is used, the site performance and user experience is degraded, making websites slower and harder to use," the researchers added. "Other impacts of ad injection include loss of customer trust and loyalty, revenue loss from ad placements, blocked content and diminished conversion rates."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.