Cyber-security firm Imperva said it discovered a malicious browser extension named AllBlock, available for both the Chrome and Opera browsers, that has been injecting ads and referral affiliate codes inside search results.
Imperva researchers said they made the discovery in August this year, when they identified a domain hosting a malicious script with ad injection capabilities.
According to their findings, the extension behaved as follows:
- Once users installed the extension, AllBlock would inject code into every new tab.
- The code would block legitimate ads, but it would also collect a list of URLs present on the page.
- The list would be sent to a remote server, which would reply with a list of links that needed to be replaced or injected into the page, usually inside search engine results.
- The links typically contained affiliate codes that allowed scammers to earn profits on new user registrations or product purchases.
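
A defender reviewing an extension suspected of this behavior can compare the links on the same page captured with and without the extension installed. The sketch below is an added example, not Imperva's tooling or code from the original article; the function names, URLs and the `aff` parameter are constructed for illustration.

```javascript
// Added example: diff the links of one page captured in a clean browser
// profile against the same page captured with the extension installed.
// Every URL and the "aff" parameter here are constructed sample data.
function parse(href) {
  try { return new URL(href); } catch { return null; }
}

// Query parameter names present in `changed` but not in `orig`.
function addedParams(orig, changed) {
  const names = new Set(changed.searchParams.keys());
  return [...names].filter((k) => !orig.searchParams.has(k));
}

function diffLinks(before, after) {
  const beforeSet = new Set(before);
  const afterSet = new Set(after);
  const byLocation = new Map(); // origin + path -> parsed original link
  for (const href of before) {
    const u = parse(href);
    if (u) byLocation.set(u.origin + u.pathname, u);
  }
  const findings = [];
  const matched = new Set();
  for (const href of after) {
    if (beforeSet.has(href)) continue; // link untouched
    const u = parse(href);
    if (!u) continue; // not an absolute URL, ignore
    const orig = byLocation.get(u.origin + u.pathname);
    if (orig) { // same destination, query string altered
      matched.add(orig.href);
      findings.push({ type: "rewritten", from: orig.href, to: href,
                      addedParams: addedParams(orig, u) });
    } else { // destination that the clean page never linked to
      findings.push({ type: "injected", to: href, host: u.hostname });
    }
  }
  for (const href of before) { // originals that vanished without a rewrite
    const u = parse(href);
    if (u && !afterSet.has(href) && !matched.has(u.href)) {
      findings.push({ type: "removed", from: href });
    }
  }
  return findings;
}
const SAMPLE_BEFORE = ["https://shop.example/item/42", "https://news.example/story",
  "https://travel.example/deals?city=rome"];
const SAMPLE_AFTER = ["https://shop.example/item/42?aff=constructed-id",
  "https://news.example/story", "https://redirect.example/out?to=travel.example"];
console.log(diffLinks(SAMPLE_BEFORE, SAMPLE_AFTER));
```

Ad blocking on its own shows up as `removed` entries, so the `rewritten` and `injected` findings are the ones to review.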
Sillam and Masas said they believed the AllBlock extension was part of a larger distribution campaign that most likely involved more malicious browser extensions.
Based on some indicators, like IP addresses and domain names, the Imperva team believed this was part of a malware distribution operation called PBot.
An AllBlock spokesperson did not return an email seeking comment on Imperva’s findings.
At the time of writing, Opera has removed the AllBlock extension from its site, while the Chrome extension is still available on the official Chrome Web Store.