extensions[1] posing as AdBlock and uBlock Origin have been caught
stuffing cookies into the web browsers of millions of users to
fraudulently generate affiliate income from referral schemes.
There’s no doubt web extensions add a lot of useful features to
web browsers, making your online experience great and aiding
productivity, but at the same time, they also pose huge threats to
both your privacy and security.
Being the most overlooked weak link in the browser security
model, extensions sit between the browser application and the
Internet, where they can see the websites you visit and
subsequently intercept, modify, and block any requests, depending
on the functionality they were designed for.
Apart from extensions that are purposely created with malicious
intent[2], in recent years we have also seen some of the most
popular legitimate Chrome and Firefox extensions going rogue[3]
after gaining a massive user base or getting hacked.
Discovered by researchers at Adguard, the two newly caught
Chrome extensions mentioned below were found using the names of two
real and very popular ad-blocking extensions in an attempt to trick
most users into downloading them.
- AdBlock by AdBlock, Inc — over 800,000 users
- uBlock by Charlie Lee — over 850,000 users
Though these extensions worked like any other ad blocker,
removing ads from the web pages a user visits, the researchers
caught them performing “Cookie Stuffing” as an ad fraud
scheme to generate revenue for their developers.
What is Cookie Stuffing Ad Fraud Scheme?
Cookie Stuffing, also known as Cookie Dropping, is one of the most
popular types of fraud schemes, in which a website or a browser
extension drops handfuls of affiliate cookies into users’ web
browsers without their permission or knowledge.
These affiliate tracking cookies then keep track of users’
browsing activities and, if they make online purchases, the cookie
stuffers claim commissions for sales they had no part in making,
potentially stealing the attribution credit that belongs to
someone else.
The two ad-blocking extensions discovered by researchers were
found, after being installed for around 55 hours, sending a request
to a URL for each new domain users visited, in an attempt to
receive affiliate links for the sites users visited.
The two extensions, with 1.6 million active users, were stuffing
cookies from 300 of the Alexa Top 10000 most popular websites,
including teamviewer, microsoft, linkedin, aliexpress, and
booking.com, potentially making millions of dollars a month for
their developers, according to the researchers.
“Actually, there’s a bright side to it. Now that this fraud scheme
is uncovered, affiliate programs’ owners can follow the money trail
and find out who is behind this scheme,” the researchers said[4].
“Another interesting thing about this extension is that it contains
some self-protection mechanisms. For instance, it detects if the
developer console is open, it ceases all suspicious activity at
once.”
Google Removed Both Ad Blocker Extensions from Chrome Web Store
Despite receiving multiple reports about how these extensions were
deceiving users by using the names of other, more popular extensions,
Google did not remove them from the Chrome Web Store, because Google
policy allows multiple extensions to have the same name.
However, after AdGuard researchers reported their findings of
the malicious behavior of the two extensions, the tech giant
removed both malicious extensions from Google Chrome Store.
Since a browser extension takes permission to access all the web
pages you visit, it can do practically anything, including stealing your
online account passwords[5]. So, you are always
advised to install as few extensions as possible and only from
companies you trust.
Before installing any extension or an app on your mobile phone,
always ask yourself—Do I Really Need It?
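The two points above, that the store allows several extensions to share one name and that an extension can hold access to every page, can be checked on a machine you manage. The following is an added example, not code from the article or from AdGuard: it assumes Chrome's on-disk layout of Extensions/<id>/<version>/manifest.json, a defender-supplied `trusted` map from name to expected extension ID, and constructed sample IDs and manifests.

```python
import json
from pathlib import Path

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # patterns covering every site

def display_name(ext_dir, manifest):
    """Resolve a localized '__MSG_key__' name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    path = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        msgs = json.loads(path.read_text("utf-8"))
    except (OSError, ValueError):
        return name
    key = name[6:-2].lower()  # message keys are case-insensitive
    return next((v.get("message", name) for k, v in msgs.items() if k.lower() == key), name)

def broad_hosts(manifest):
    """Every-site patterns found in permissions, host_permissions and content_scripts."""
    pats = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    for cs in manifest.get("content_scripts", []):
        pats = pats + cs.get("matches", [])
    return sorted({p for p in pats if isinstance(p, str) and p in BROAD})

def audit(extensions_root, trusted):
    """trusted: lower-cased display name -> the extension ID expected to carry that name."""
    findings = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        ext_id = mf.parent.parent.name  # assumed layout: <id>/<version>/manifest.json
        try:
            manifest = json.loads(mf.read_text("utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        name = display_name(mf.parent, manifest)
        findings.append({"id": ext_id, "name": name, "broad_hosts": broad_hosts(manifest),
                         "name_collision": trusted.get(name.strip().lower(), ext_id) != ext_id})
    return findings

def make_sample(root):
    """Write two constructed extensions; the IDs and manifests are invented for this example."""
    specs = {"a" * 32: {"name": "AdBlock", "permissions": ["tabs", "<all_urls>"]},
             "b" * 32: {"name": "__MSG_extName__", "default_locale": "en",
                        "host_permissions": ["*://*/*"]}}
    for ext_id, manifest in specs.items():
        loc = Path(root, ext_id, "1.0_0", "_locales", "en")
        loc.mkdir(parents=True)
        (loc / "messages.json").write_text(json.dumps({"extName": {"message": "AdBlock"}}))
        (loc.parents[1] / "manifest.json").write_text(json.dumps(manifest))
    return {"adblock": "a" * 32}  # the ID the defender expects for this name
```

Call `audit()` with the path to a profile's Extensions directory and your own name-to-ID map; an entry with `name_collision` set to true and a non-empty `broad_hosts` list is the combination described in this article.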
References
- [1] Google Chrome extensions (thehackernews.com)
- [2] malicious intent (thehackernews.com)
- [3] extensions going rogue (thehackernews.com)
- [4] said (adguard.com)
- [5] stealing your online accounts passwords (thehackernews.com)