A malicious Chrome ad blocker extension has been discovered to be injecting hidden affiliate links into legitimate web pages, generating commissions for its developers. The extension, called AllBlock, claims to block ads on YouTube and Facebook, but researchers at Imperva found that it is actually conducting a deceptive ad-injection campaign.

What Happened

The discovery was made by Imperva's research team in August 2021, when they came across previously unknown malicious domains distributing an ad injection script. The script sends the legitimate URLs found on a page to a remote server and receives a list of redirection domains in return. When a user clicks an altered link, they land on a different page than the one they expected, typically an affiliate link.

The researchers found that the AllBlock extension injects code into every new tab opened in the browser, using a script called "bg.js." The injected script collects every link present on the page and sends the list to a remote server, which answers with a set of domains to redirect to. The malicious JavaScript then rewrites the original links so that they point at one of those redirection domains, while the visible link text stays the same.
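The loop described above, as an added example that is not the AllBlock extension's code and not Imperva's: a Node-runnable model of the harvest, server lookup and rewrite steps, followed by the page-side integrity check a site owner can run to catch such rewriting. The page URL, the link list, the redirect host `redirect.invalid`, the `aff=1234` parameter and the server's response table are all constructed for the demonstration, and the "server" is a local lookup table rather than a network call.

```javascript
// Added example: a Node-runnable model of the link-rewriting behaviour
// described in the article, plus a page-side check that detects it.
// This is NOT the AllBlock extension's code or Imperva's; the hosts, the
// affiliate parameter and the server response are constructed for the demo.

// The page is modelled as a list of anchor records. In a browser the same
// list comes from Array.from(document.querySelectorAll('a[href]')).
const PAGE_URL = 'https://reviews.example/post/1';          // constructed
const PAGE_LINKS = [                                        // constructed
  { text: 'Buy the headphones', href: 'https://shop.example/headphones' },
  { text: 'Read the full review', href: 'https://reviews.example/headphones' },
  { text: 'Home', href: '/' },   // relative; resolved against PAGE_URL
];

// Stand-in for the remote lookup. The injected script sends the harvested
// URLs to its server and gets redirection targets back; here the "server" is
// a lookup table keyed by host. Hosts not in the table are left alone.
const FAKE_SERVER_RESPONSE = {                              // constructed
  'shop.example': 'https://redirect.invalid/go?aff=1234&to=',
};

// Resolve every anchor to an absolute URL, as the injector must before it
// can ship the list to its server.
function harvestLinks(links, pageUrl) {
  return links.map(a => new URL(a.href, pageUrl).href);
}

// Simulated server round-trip: returns { originalUrl: redirectUrl } for every
// URL the operator wants to monetise.
function lookupRedirects(urls) {
  const redirects = {};
  for (const url of urls) {
    const prefix = FAKE_SERVER_RESPONSE[new URL(url).host];
    if (prefix) redirects[url] = prefix + encodeURIComponent(url);
  }
  return redirects;
}

// Attacker step: rewrite matching hrefs, leaving the visible anchor text
// untouched so the user sees no difference until the click lands elsewhere.
function injectRedirects(links, pageUrl, redirects) {
  return links.map(a => {
    const abs = new URL(a.href, pageUrl).href;
    return redirects[abs] ? { ...a, href: redirects[abs] } : a;
  });
}

// Defender step: record each anchor's resolved href at load time, compare
// again later (on click, or periodically) and report anything that moved.
// Matching by index assumes no anchors were added or removed; in a real page
// key the snapshot by element (a WeakMap) instead.
function detectRewrittenLinks(snapshot, links, pageUrl) {
  const findings = [];
  links.forEach((a, i) => {
    const now = new URL(a.href, pageUrl).href;
    if (now !== snapshot[i]) {
      findings.push({ index: i, text: a.text, from: snapshot[i], to: now,
                      newHost: new URL(now).host });
    }
  });
  return findings;
}

// End-to-end run: defender takes a baseline, injection happens, detection
// compares the two and flags the rewritten anchor.
function runScenario() {
  const snapshot = harvestLinks(PAGE_LINKS, PAGE_URL);  // defender's baseline
  const redirects = lookupRedirects(harvestLinks(PAGE_LINKS, PAGE_URL));
  const injected = injectRedirects(PAGE_LINKS, PAGE_URL, redirects);
  const findings = detectRewrittenLinks(snapshot, injected, PAGE_URL);
  return { redirects, injected, findings };
}

for (const f of runScenario().findings) {
  console.log(`link ${f.index} "${f.text}" now points to ${f.newHost}: ${f.to}`);
}
```

Only the anchor whose host the "server" chose to monetise is rewritten; the site's own links, including the relative one, are left alone, which is why a load-time snapshot compared against the live DOM is a practical check: the anchor text never changes, so only the resolved href gives the rewrite away.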

The extension's developers padded the malicious JavaScript snippet with innocuous-looking objects and variables to obscure what it actually does. Imperva believes the operators may be using other extensions in the same campaign, but has not been able to attribute the attack to a specific actor.

Background and Context

Ad injection is a long-standing problem for people browsing the web. According to Google, it was among the most common complaints from Chrome users back in 2015. Imperva's research team has been monitoring client-side attacks to better understand attackers' tactics, techniques, and procedures.

Ad injectors are often built by scammers looking to cash in on application downloads. They generate revenue for their creators by serving ads and stealing advertising impressions from other websites. Ad injection is also used by brands advertising on competitors' sites, by price-comparison ads that distract shoppers from completing a purchase, and by affiliate codes or links injected into pages to cash in on purchases.

At the time of Imperva's report, the AllBlock extension was listed on the Chrome Web Store and promoted itself as an ad blocker focused on YouTube and Facebook. Its real purpose, however, is to inject hidden affiliate links into legitimate web pages and collect the resulting commissions for its developers.

Why it Matters to the Industry

This discovery highlights the importance of cybersecurity for the adult industry. Adult platforms and operators rely heavily on ad revenue, and an extension like AllBlock that silently swaps a site's links for affiliate redirects diverts clicks and commissions away from the site that earned them. Ad injection also frustrates users and erodes engagement with legitimate content.

The scammers' use of affiliate links also raises concerns about age verification and moderation. When an altered link sends a user to a page the platform does not control, the platform's age gate and moderation policies no longer apply to where that user ends up, making it difficult to ensure that users stay above the required age threshold or within moderated content.

What Comes Next

Imperva recommends that anyone with the AllBlock extension installed uninstall it immediately. The researchers also urge browser vendors to scrutinize the extensions listed in their stores more closely and to tighten review and security measures to prevent similar abuse in the future.

Key Facts

  • The AllBlock extension injects hidden affiliate links into legitimate web pages, generating commissions for its developers.
  • The extension uses a script called "bg.js" to inject code into every new tab opened on the browser.
  • Imperva's research team discovered unknown malicious domains distributing an ad injection script in August 2021.
  • The scammers may also utilize other extensions in this campaign, but Imperva does not know the origin of the attack.
  • Ad injection is a long-standing problem for web users; Google reported it as one of the most common Chrome user complaints in 2015.

As the adult industry continues to rely heavily on ad revenue and user engagement, it is essential for platforms and operators to prioritize cybersecurity and moderation. By staying vigilant and implementing robust security measures, we can prevent similar attacks in the future and ensure a safer online experience for users.