Internet ads are annoying. People go to great lengths to avoid them, which is why ad-blocking software and browser extensions are so popular.
One of the more popular options is AllBlock, a Chromium extension that is widely promoted on YouTube and Facebook. The extension touts its ability to prevent pop-up ads and speed up a user's browsing experience.
Unfortunately, researchers at Imperva have recently discovered that the extension is actually injecting hidden affiliate links onto any device running the extension. These links exist solely for the purpose of generating commissions for the developers of the ad blocker.
If you have AllBlock on your smart device or PC, it is quietly injecting redirects to affiliate links on every browser tab you have open. Worse, the extension was coded with some fairly advanced evasion techniques, including clearing the debugging console every 100 ms and excluding the largest and most popular Russian search engines.
As of this writing, the extension was still available on the Chrome Web Store. Based on their ongoing research, the Imperva researchers believe that this script is just one of many currently in use by the group behind the malicious code.
An evaluation of IP and domain evidence points to this being part of the Pbot campaign, which has been active since at least 2018. What we may be looking at, then, is the tip of a very large iceberg.
Frustratingly, the AllBlock extension has great reviews. It is very highly rated because it is legitimately good at what it does. Unfortunately, its advertised function isn't all that it does, which is what makes this extension so problematic.
This underscores an important and distressing point. Sometimes, even if you do your due diligence, you can wind up installing something dangerous. Now is a good time to review all of the extensions you use and delete any you don't absolutely need.
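As a starting point for that review, the following added example (not code from Imperva or from the extension) audits one unpacked extension for the two behaviours described above: the ability to inject into every tab and console clearing on a timer. The function name, the regex heuristic and the sample manifest and scripts are assumptions constructed for illustration.

```python
import json
import re

# Match patterns that let an extension run on (nearly) every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Heuristic (assumption): a timer and console.clear() in the same file.
TIMER_RE = re.compile(r"\bset(?:Interval|Timeout)\s*\(")
CLEAR_RE = re.compile(r"\bconsole\s*\.\s*clear\s*\(")


def audit_extension(manifest_text, scripts):
    """Return sorted findings; scripts maps file name -> JavaScript source."""
    manifest = json.loads(manifest_text)
    findings = set()
    # Content scripts injected into every page.
    for cs in manifest.get("content_scripts", []):
        if BROAD_PATTERNS & set(cs.get("matches", [])):
            findings.add("content script runs on all sites")
    # Host access to every site (MV3 host_permissions, MV2 permissions).
    hosts = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    if BROAD_PATTERNS & {h for h in hosts if isinstance(h, str)}:
        findings.add("host access to all sites")
    # Console clearing on a timer hides errors and logs from a reviewer.
    for name, src in scripts.items():
        if TIMER_RE.search(src) and CLEAR_RE.search(src):
            findings.add(f"{name}: console.clear() alongside a timer")
    return sorted(findings)


# Constructed sample input; not taken from AllBlock or any real extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Sample Blocker (constructed)",
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "host_permissions": ["*://*/*"],
    "permissions": ["storage"],
})
SAMPLE_SCRIPTS = {
    "inject.js": "setInterval(function () { console.clear(); }, 100);",
    "ui.js": "document.title = 'ok';",
}

if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS):
        print(finding)
```

Legitimate ad blockers also need access to all sites, so the first two findings mark an extension for closer review rather than condemn it; console clearing on a timer is the harder one to explain innocently.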