Malicious Ad Blockers for Chrome Caught in Ad Fraud Scheme

Google has removed two malicious ad blockers from its Chrome Web Store after a researcher discovered they were carrying out ad fraud and deceiving Chrome users by using the names of legitimate and popular blockers.

Researchers discovered that the extensions “AdBlock” and “uBlock” found in the store were fraudulent.

Rather than legitimately blocking ads on websites, the obvious purpose of this type of browser extension, the malicious blockers perform what’s called “cookie stuffing.”

In this technique, which has been used since the internet’s early days, a website or browser extension adds extra information to a user’s cookie so it looks like more people clicked on an affiliate ad than actually did. Cybercriminals use cookie stuffing to win money through ad fraud. By using fake ad blockers, cybercriminals can earn commission on purchases made on sites stuffed with the cookies.

What makes this type of ad fraud especially hard to prevent is that users downloading fraudulent ad blockers cannot easily tell them apart from legitimate ones. The two extensions in question, AdBlock by AdBlock Inc. and uBlock by Charlie Lee, have names similar to the existing ad blockers AdBlock by getadblock and uBlock.org’s uBlock or Raymond Hill’s uBlock Origin.
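One way a defender could screen an extension inventory for this kind of name impersonation, as an added example that is not from the article or the researcher: it compares each installed extension's name against the legitimate listings named above and flags a matching or look-alike name that comes from a different publisher. The record layout (`name`, `offered_by`), the similarity threshold and the sample inventory are assumptions constructed for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Legitimate listings named in the article: normalized name -> expected publisher.
KNOWN_GOOD = {
    "adblock": "getadblock",
    "ublock": "ublock.org",
    "ublockorigin": "raymond hill",
}
SIMILARITY = 0.8  # assumed cut-off for "close enough to confuse a user"

# Constructed inventory; the name/offered_by record layout is an assumption.
SAMPLE_INVENTORY = [
    {"name": "AdBlock", "offered_by": "getadblock"},
    {"name": "AdBlock", "offered_by": "AdBlock Inc."},
    {"name": "uBlock", "offered_by": "Charlie Lee"},
    {"name": "uBlock Origin", "offered_by": "Raymond Hill"},
    {"name": "uB1ock", "offered_by": "Example Dev"},
    {"name": "Tab Sorter", "offered_by": "Example Dev"},
]

def normalize(name):
    """Fold case, compatibility forms, spacing and punctuation out of a name."""
    folded = unicodedata.normalize("NFKD", name).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)

def audit(inventory):
    """Return (name, publisher, imitated_name, reason) for suspect extensions."""
    findings = []
    for ext in inventory:
        name = normalize(ext["name"])
        # Closest protected name and its similarity score.
        target, score = max(
            ((k, SequenceMatcher(None, name, k).ratio()) for k in KNOWN_GOOD),
            key=lambda pair: pair[1],
        )
        if score < SIMILARITY:
            continue  # not close to any protected name
        if ext["offered_by"].strip().casefold() == KNOWN_GOOD[target]:
            continue  # expected publisher for this name
        reason = "same name, other publisher" if name == target else "look-alike name"
        findings.append((ext["name"], ext["offered_by"], target, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```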

Moreover, the fake ad blocker extensions do in fact block ads. They “both are based on the code of the original ‘AdBlock’ extension so the quality is good enough.”

However, after 55 hours, the extensions start to behave differently from typical ad blockers: they are served commands to execute that hijack cookies from affiliate programs such as TeamViewer, Meshkov wrote. Then, if the Web user with the fraudulent ad blocker makes a purchase on Teamviewer.com, “the extensions owner will be paid a commission by Teamviewer.”

AdBlock and uBlock were hijacking cookie commissions from numerous sites, including Microsoft.com, Linkedin.com, Aliexpress.com, and Booking.com.

It’s not the first time dodgy ad blockers have appeared on the Chrome store. Two years ago Google also had to remove malicious Chrome extensions spoofing AdBlock Plus from the store.

One “bright side” to the latest discovery is that affiliate programs being defrauded now “can follow the money trail and find out who is behind this scheme.”

There is precedent for criminal prosecution of this type of ad fraud. In 2014, former eBay affiliate marketer Brian Dunning was sentenced to 15 months in federal prison for a $35 million cookie-stuffing scam.