Advertisers are pushing ad and pop-up blockers using old tricks
A malvertising campaign using an old-school trick was found pushing different ad blockers.
Despite the countermeasures some services are taking against well-known ad blockers, lots of people now use one. This is no doubt due to increased privacy concerns around online tracking, along with the growing number of ads per site.
And where there is money to be made, you’ll find social engineering and affiliates.
In a campaign predominantly used on media websites, we found a misleading ad that promised visitors some content they might be interested in.
When we followed the link, we ran into one of the oldest tricks in a malvertiser’s playbook—the website told us we needed something extra in order to be able to view the content.
In the olden days, that something extra used to be video codecs or specific video players, but now we’ll be told we need a browser extension to “continue watching in safe mode.”
Following the prompt to install Adblock Pro, we found that the whole trick was set up to promote another blocker called Push Notifications Blocker.
This one is a bit demanding when it comes to the permissions it claims to need. This isn’t always a reason for alarm (we have to ask for certain permissions to enable Malwarebytes Browser Guard effectively, for example), but is something to keep an eye on.
The prompt shown below demonstrates what the extension is supposed to do.
The extension provides information about the current status of the notifications permission of the website and gives the user control to change it or keep the current setting.
But using this extension soon shows some side effects. The browser becomes extremely slow, and other users have reported redirects happening at unexpected moments, and search results that looked off because they weren’t done with the intended search engine.
A further investigation convinced us that this extension should be classified as adware. What puzzled us is that the exact same trick on the same domain was used to promote other Chrome extensions that promised to block ads, and those extensions have earned the trust of many users.
To us, this looks like a campaign executed by an affiliate, a company that promotes products or services from another company. If someone buys something through the affiliate’s efforts, the affiliate earns a commission.
Certainly the irony of an ad blocker being promoted in a malvertising campaign was not lost on us.
Malwarebytes detects Push Notifications Blocker as Adware.Redirector.
Malwarebytes Premium Security and Malwarebytes Browser Guard block recommendedchain[.]com.