Researchers at Imperva Research Labs announced that they have discovered a new ad injection campaign led by a popular Chrome and Opera extension, AllBlock. Ad injection is a method of inserting unauthorized advertisements into a web page. It can originate from multiple sources, including browser extensions, malware, or stored cross-site scripting. Scammers use this method to generate revenue and steal advertising impressions from authorized advertisement providers.
Ad injection scripts
Imperva researchers found unknown malicious domains associated with an ad injection script in August 2021. The script sends the list of links on a web page to a remote server, and the server responds with a list of domains that it wants to redirect. As a result, when a user clicks on one of those links, the traffic is hijacked to a different URL. The JavaScript file uses various methods to hinder analysis, such as clearing the debug console every 100 ms, and it excludes major search engines to avoid detection.

Imperva stated that, upon close examination, they noticed that AllBlock's background script was injecting a JavaScript code snippet into new tabs. The code connects back to the extension via a standard browser extension communications channel and listens for messages. When it receives base64-encoded code from the extension, it decodes it. The response that the extension receives is a JSON that includes base64-encoded properties data and URLs.
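The behaviours described above (a console cleared on a timer, base64-encoded code and URLs carried in a JSON response) can be turned into a triage check for a captured response. This is an added example, not code from Imperva or from the extension; the indicator names, regexes, JSON field names and the sample response are assumptions constructed for illustration.

```javascript
// Runs under Node.js. Indicator names and regexes are assumptions for this example.
const INDICATORS = {
  consoleClearTimer: /setInterval\s*\([\s\S]{0,200}?console\.clear\s*\(/,
  extensionMessaging: /\b(?:chrome|browser)\.runtime\.(?:onMessage|onConnect|connect|sendMessage)\b/,
  base64Decode: /\batob\s*\(/,
  dynamicExec: /\beval\s*\(|\bnew\s+Function\s*\(/,
};
const URL_RE = /https?:\/\/[^\s"'<>)]+/g;

// Return the names of the indicators that match a piece of script text.
function scanScript(text) {
  return Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(text));
}

// Decode a value only if it looks like base64 and yields printable text.
function tryBase64(value) {
  if (typeof value !== 'string' || value.length < 8 || value.length % 4 !== 0) return null;
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(value)) return null;
  const decoded = Buffer.from(value, 'base64').toString('utf8');
  return /^[\x09\x0a\x0d\x20-\x7e]+$/.test(decoded) ? decoded : null;
}

// Walk a captured JSON response, decode base64 string properties, and
// report the URLs and script indicators found in each decoded value.
function inspectResponse(jsonText) {
  const findings = [];
  const walk = (node, path) => {
    if (node && typeof node === 'object') {
      for (const [key, child] of Object.entries(node)) walk(child, `${path}.${key}`);
      return;
    }
    const decoded = tryBase64(node);
    if (decoded === null) return;
    findings.push({ path, urls: decoded.match(URL_RE) || [], indicators: scanScript(decoded) });
  };
  walk(JSON.parse(jsonText), '$');
  return findings;
}

// Constructed sample response (not campaign data; .invalid is a reserved TLD).
const b64 = (s) => Buffer.from(s).toString('base64');
const SAMPLE_RESPONSE = JSON.stringify({
  id: 42,
  props: { target: b64('https://ads.example.invalid/r?u=1') },
  code: b64('setInterval(function(){console.clear();},100);'),
});
console.log(JSON.stringify(inspectResponse(SAMPLE_RESPONSE), null, 2));
```

`scanScript` can also be run directly over an extension's unpacked script files; a match is a reason to review the file, not proof of malicious behaviour.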
Imperva stated that they believe this is part of a larger campaign and that scammers are using different delivery methods and more extensions. The researchers also stated that the ad injection method can impact almost any site and that it negatively affects site performance and user experience by making sites slower to load and harder to use.