Fake AdBlock and uBlock Origin participate in fraud schemes

“Cookie Stuffing” activities promoted via fake AdBlock and uBlock extensions


Genuine-looking but fake AdBlock and uBlock Origin Google Chrome extensions have been found to be involved in “cookie stuffing” activities. Tricking users with the names of the legitimate tools, these add-ons got onto numerous users' web browsers through the Google Chrome Web Store.

Normally, ad-blocking programs do not place any kind of tracking cookies in web browsers to promote ad fraud. AdBlock and uBlock[1] are very handy tools for preventing annoying advertising content from repeatedly appearing on websites while you browse.

Experts found that cookies were being stuffed from around 300 popular web pages

This time, the names of the original extensions were used to deliver targeted adverts and generate income for the add-ons' creators. The two fake ad-blocking products were described like this:[2]

  1. AdBlock. Developed by AdBlock Inc. Has over 800,000 users.
  2. uBlock. Developed by Charlie Lee. Has over 850,000 users.

The bogus extensions were discovered secretly inserting browsing cookies from around 300 websites, such as Microsoft, Aliexpress, Booking, LinkedIn and Teamviewer, and collecting around one million in income monthly for their creators.[3] According to news reports, these add-ons started acting in users' browsers 55 hours after they had been installed:[4]

However, about 55 hours after the installation, the response suddenly changes, and it does not look that innocent anymore. This new response contains a list of commands for the extension to execute. After that the extensions' behavior changes, and they start doing a few more things besides ad blocking.

The tracking cookies were spying on the users' browsing processes

The fake AdBlock and uBlock extensions did operate as ad-blocking tools, but their main goal was to pose as legitimate-looking add-ons in order to earn revenue through the Cookie Stuffing (or Cookie Dropping) technique.[5]

Cookie Stuffing is a technique used by third-party developers who seek to secretly inject tracking cookies into users' web browsers under the guise of handy extensions. Later on, the cookies start spying on the person's browsing sessions and recording all of their online visits, purchases, and similar activities.

According to tech reports, all of this “Cookie Stuffing” was used to swindle money from users by urging payments for sales that they had supposedly searched for but in fact never interacted with.
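The two behaviours described above (a quiet period of about 55 hours after installation, then cookies appearing for sites the user never opened) can be checked for in a browsing timeline. The following is an added example, not code from the original article or from AdGuard: it assumes you already have a log of top-level navigations and cookie-creation events, and the field names, function names and sample events are constructed for illustration.

```javascript
// Added example; field names and sample events below are constructed for illustration.
const HOUR = 3600 * 1000;
const MINUTE = 60 * 1000;

// Simplification: treat the last two host labels as the site. Real code should
// consult the Public Suffix List (e.g. for "co.uk").
function site(host) {
  return host.replace(/^\./, '').split('.').slice(-2).join('.');
}

// Flag cookies created for a site with no top-level navigation to that site
// in the preceding `windowMs`, and report how long after install each appeared.
function findUnvisitedCookies(installTime, navigations, cookieEvents, windowMs = 30 * MINUTE) {
  const flagged = [];
  for (const ev of cookieEvents) {
    const target = site(ev.domain);
    const visited = navigations.some((n) =>
      site(new URL(n.url).hostname) === target &&
      n.time <= ev.time && ev.time - n.time <= windowMs);
    if (!visited) {
      const hoursAfterInstall = Math.floor((ev.time - installTime) / HOUR);
      flagged.push({ site: target, cookie: ev.name, hoursAfterInstall });
    }
  }
  const hours = flagged.map((f) => f.hoursAfterInstall);
  return {
    flagged,
    distinctSites: new Set(flagged.map((f) => f.site)).size,
    // Null when nothing was flagged; otherwise the length of the quiet period.
    firstSeenHours: hours.length ? Math.min(...hours) : null,
  };
}

// Constructed sample log: extension installed at t0, two real visits, four cookie events.
const t0 = Date.UTC(2019, 0, 1);
const navigations = [
  { time: t0 + 2 * HOUR, url: 'https://www.news.example/story' },
  { time: t0 + 60 * HOUR, url: 'https://www.shop.example/cart' },
];
const cookieEvents = [
  { time: t0 + 2 * HOUR + MINUTE, domain: '.news.example', name: 'session' },
  { time: t0 + 56 * HOUR, domain: '.travel.example', name: 'aff_id' },
  { time: t0 + 56 * HOUR + 1000, domain: '.software.example', name: 'partner' },
  { time: t0 + 60 * HOUR + MINUTE, domain: '.shop.example', name: 'cart' },
];
console.log(findUnvisitedCookies(t0, navigations, cookieEvents));
```

A report with several distinct unvisited sites and a first-seen time well after installation is a reason to review the installed extensions; a single unvisited cookie on its own is common with ordinary third-party content.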

Google has finally removed the bogus products from Chrome Web Store

At first, Google was not able to remove the fake AdBlock and uBlock Origin extensions, as the Privacy Policy allowed products to have the same names. However, once AdGuard's reports regarding the suspicious activities of these two add-ons surfaced, the misleading extensions were finally removed from the Google Chrome Web Store.

Regarding this incident, we want to encourage all users to take their online safety seriously. Downloading many extensions, especially from lesser-known developers, can cause you trouble, including data or password theft. Install only the tools that you truly need, and make sure to identify the provider before opting for the download.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
