Malicious Ad Blockers for Chrome Caught in Ad Fraud Scheme

‘AdBlock’ and ‘uBlock’ impersonate legitimate extensions but instead engage in cookie stuffing to defraud affiliate marketing programs, a researcher has found.

Google has removed two malicious ad blockers from its Chrome Web Store after a researcher discovered they were carrying out ad fraud and deceiving Chrome users by using the names of legitimate and popular blockers.

Researcher Andrey Meshkov from rival ad blocker maker AdGuard discovered that the extensions “AdBlock” and “uBlock” found in the store were fraudulent and alerted users in a blog post.

Rather than legitimately block ads on websites, the obvious purpose of this type of browser extension, the malicious blockers perform what’s called “cookie stuffing,” Meshkov said.

In this technique, which has been used since the internet’s early days, a website or browser extension adds extra information to a user’s cookie so it looks like more people clicked on an affiliate ad than actually did. Cybercriminals use cookie stuffing to make money through ad fraud.

By using fake ad blockers, cybercriminals can earn commission on purchases made on sites stuffed with the cookies, Meshkov said.

What makes this type of ad fraud especially hard to prevent is that users downloading fraudulent ad blockers cannot easily tell them apart from legitimate ones, he said.

The two extensions in question, AdBlock by AdBlock Inc. and uBlock by Charlie Lee, have names similar to existing ad blockers AdBlock by getadblock and uBlock.org’s uBlock or Raymond Hill’s uBlock Origin, Meshkov wrote.

Moreover, the fake ad blocker extensions do in fact block ads, he said. They “both are based on the code of the original ‘AdBlock’ extension so the quality is good enough,” Meshkov wrote in the post.

However, after 55 hours, the extensions act a bit differently than typical ad blockers, serving up commands for the extension to execute that hijack cookies from affiliate programs such as Teamviewer, Meshkov wrote. Then, if the Web user with the fraudulent ad blocker makes a purchase on Teamviewer.com, “the extensions owner will be paid a commission by Teamviewer,” he wrote.

Meshkov found AdBlock and uBlock hijacking cookie commissions from numerous sites, including Microsoft.com, Linkedin.com, Aliexpress.com, and Booking.com.
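
A defrauded affiliate program or merchant can look for this pattern in its own logs. The following Python is an added example, not code from Meshkov's post or from the extensions; it assumes a stuffed hit arrives without a referrer in a session that was already browsing the merchant site, and the event format, affiliate IDs and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed merchant-side events (not real data):
# (session_id, unix_time, kind, affiliate_id, referrer)
# kind is "visit" (merchant page view) or "aff_hit" (affiliate tracking request).
EVENTS = [
    # Normal referral: the reader clicks a link on a review site, then lands on the merchant.
    ("s1", 100, "aff_hit", "aff-reviews", "https://reviews.example/post"),
    ("s1", 101, "visit", None, "https://reviews.example/post"),
    ("s2", 200, "aff_hit", "aff-reviews", "https://reviews.example/top10"),
    ("s2", 202, "visit", None, "https://reviews.example/top10"),
    ("s3", 300, "aff_hit", "aff-reviews", "https://reviews.example/post"),
    ("s3", 301, "visit", None, "https://reviews.example/post"),
    # Assumed stuffing pattern: the user is already on the merchant site when a
    # referrer-less affiliate hit arrives in the same session.
    ("s4", 400, "visit", None, ""),
    ("s4", 403, "aff_hit", "aff-ext", ""),
    ("s5", 500, "visit", None, "https://search.example/"),
    ("s5", 502, "aff_hit", "aff-ext", ""),
    ("s6", 600, "visit", None, ""),
    ("s6", 601, "aff_hit", "aff-ext", ""),
]

def score_affiliates(events):
    """Return {affiliate_id: (total_hits, suspicious_hits)}."""
    first_visit = {}
    for sid, ts, kind, _aff, _ref in events:
        if kind == "visit":
            first_visit[sid] = min(ts, first_visit.get(sid, ts))
    counts = defaultdict(lambda: [0, 0])
    for sid, ts, kind, aff, ref in events:
        if kind != "aff_hit":
            continue
        # Suspicious: no referrer AND the session was on the site before the hit.
        seen = first_visit.get(sid)
        stuffed = not ref and seen is not None and seen < ts
        counts[aff][0] += 1
        counts[aff][1] += stuffed
    return {aff: tuple(c) for aff, c in counts.items()}

def flag_affiliates(events, min_hits=3, threshold=0.8):
    """Affiliate IDs with enough hits where most hits look stuffed."""
    scores = score_affiliates(events)
    return sorted(a for a, (n, bad) in scores.items()
                  if n >= min_hits and bad / n >= threshold)
```

A missing referrer alone is common for legitimate traffic, which is why the check combines it with session order and only flags an affiliate when most of its hits match.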

“The scale is unprecedented,” he wrote. “These two add-ons have more than 1.6 million ‘weekly active users,’ who were stuffed with cookies of [more] than 300 websites from Alexa Top 10,000. It is difficult to estimate the damage, but I’d say that we are talking about millions of USD monthly.”

It’s not the first time dodgy ad blockers have appeared on the Chrome store. Two years ago Google also had to remove malicious Chrome extensions spoofing AdBlock Plus from the store.

Google did not immediately respond to a request for comment Tuesday.

One “bright side” to the latest discovery is that affiliate programs being defrauded now “can follow the money trail and find out who is behind this scheme,” Meshkov wrote.

There is precedent for criminal prosecution against this type of ad fraud, he added. In 2014 former eBay affiliate marketer Brian Dunning was sentenced to 15 months in federal prison for a $35 million cookie-stuffing scam.
