man and woman sharing a Mac

Advertisers are pushing ad and pop-up blockers using old tricks

Despite the countermeasures some services are taking against well-known ad blockers, lots of people now use one. This is no doubt due to increased privacy concerns around online tracking, along with the growing number of ads per site.

And where there is money to be made, you’ll find social engineering and affiliates.

In a campaign predominantly used on media websites, we found a misleading ad that promised visitors some content they might be interested in.

When we followed the link, we ran into one of the oldest tricks in a malvertiser’s playbook—the website told us we needed something extra in order to be able to view the content.

In the olden days, that something extra used to be video codecs or specific video players, but now we’ll be told we need a browser extension to “continue watching in safe mode.”

You need to install the Adblock Pro - Browser Extension to continue watching in safe mode

Following the prompt to install Adblock Pro we found that the whole trick was set up to promote another blocker called Push Notifications Blocker.

Push Notifications Blocker in the Chrome Web Store

This one is a bit demanding when it comes to the permissions it claims to need. This isn’t always a reason for alarm (we have to ask for certain permissions to enable Malwarebytes Browser Guard effectively, for example), but is something to keep an eye on.

Push Notifications Blocker permissions

The prompt shown below demonstrates what the extension is supposed to do.

Notificatiosn for this site are currently blocked. Do you wnat to allow them? Allow or Keep Blocking?

The extension provides information about the current status of the notifications permission of the website and gives the user control to change it or keep the current setting.

But using this extension soon shows some side effects. The browser becomes extremely slow, and other users have reported redirects happening at unexpected moments, and search results that looked off because they weren’t done with the intended search engine.

A further investigation convinced us that this extension should be classified as adware. What puzzled us is that the exact same trick on the same domain was used to promote other Chrome extensions that promised to block ads, and those extensions have earned the trust of many users.

To us, this looks like a campaign executed by an affiliate, a company that promotes products or services from another company. If someone buys something through the affiliate’s efforts, the affiliate earns a commission.

Certainly the irony of an ad blocker being promoted in a malvertising campaign was not lost on us.

Malwarebytes detects Push Notifications Blocker as Adware.Redirector.

Malwarebytes Premium Security and Malwarebytes Browser Guard block recommendedchain[.]com.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.