Security News > 2021 > October > Malicious Chrome ad blocker injects ads behind the scenes
The AllBlock Chromium ad blocking extension has been found to be injecting hidden affiliate links that generate commissions for the developers.
This extension is still available on Chrome's Web Store and promotes itself as an ad blocker that focuses on YouTube and Facebook to prevent pop-ups and speed up browsing.
In August 2021, Imperva's researchers discovered a set of previously unknown malicious domains distributing an ad injection script.
To inject the malicious script, the extension would connect to an URL at allblock.net, which would return a base64 encoded script that would be decoded and injected into the webpage.
The developers of the extension have added several innocuous objects and variables into the malicious JavaScript snippet in an attempt to obfuscate the code execution.
"We do not believe we found the origin of the attack that led us to this discovery, likely because of the way the script was injected. The script we first observed was injected via a script tag pointing to a remote server where the AllBlock extension injects the malicious code directly to the active tab, Imperva explains in the report."