SearchJack Campaign Hijacks Searches via 23 Chrome Extensions

A recent investigation has uncovered a coordinated campaign, dubbed “SearchJack,” involving 23 deceptive Chrome browser extensions that have covertly hijacked search queries from approximately 758,000 users worldwide. These extensions, masquerading as tools ranging from satellite maps to productivity applications, have been redirecting user searches through operator-controlled servers without user consent.

Upon installation, these extensions abuse Chrome’s chrome_settings_overrides feature to alter the browser’s default search engine settings. Consequently, when a user enters a search query, it is rerouted through intermediary servers before the results are displayed. This process allows the operators to monetize the search traffic without the users’ knowledge, effectively turning their browsing activity into a revenue stream for the attackers.

Security researchers at MalExt Sentry identified this campaign through their automated scanning system, which monitors Chrome extension listings for suspicious activities. Their analysis revealed that these extensions were abusing the chrome_settings_overrides manifest key to manipulate search settings. Further investigation traced the operation to at least eight distinct affiliate brokers, each identified by unique tracking parameters embedded in the final Yahoo redirect URLs.

One particularly concerning aspect of the SearchJack campaign is the deceptive nature of the extensions involved. For instance, an extension named “Nautilus Search” claims in its store listing that it does not track searches or collect personal data. However, its privacy policy explicitly states the collection of IP addresses, search queries, and device identifiers. This blatant misrepresentation not only violates user trust but also potentially breaches regulations such as the General Data Protection Regulation (GDPR) and guidelines set forth by the Federal Trade Commission (FTC).

The implications of this campaign extend beyond unauthorized data collection. Since the operators have control over the search traffic flow, they possess the capability to redirect users to phishing sites or malicious downloads without issuing any updates to the extensions themselves. This ability to escalate the level of harm without modifying the extension code elevates the threat from mere adware to a significant security risk.

Technically, the SearchJack campaign employs a layered redirect system designed to remain undetected. Many of the involved extensions function as shell extensions, containing minimal content beyond the manifest file that alters the default search engine. They lack background scripts, do not request additional permissions, and provide no visible indicators of their malicious activities. This structural simplicity aids in evading detection during store reviews and by end-users.
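As an added example, not code from the article or from MalExt Sentry’s scanner, the following Python audit flags the manifest pattern described above: a chrome_settings_overrides search provider whose search_url points at a host outside an assumed allowlist, installed as the default, in a package that ships no scripts or permissions. The sample manifests, the allowlist and the relay hostname are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Hosts a legitimate search override would normally point at (assumed allowlist).
KNOWN_SEARCH_HOSTS = {
    "www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com",
}

def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json; an empty list means nothing suspicious."""
    findings = []
    provider = (manifest.get("chrome_settings_overrides") or {}).get("search_provider")
    if not provider:
        return findings  # no search override at all
    host = urlparse(provider.get("search_url", "")).hostname or ""
    if host not in KNOWN_SEARCH_HOSTS:
        findings.append(f"search_url sends queries to unrecognised host {host!r}")
        if provider.get("is_default"):
            findings.append("the unrecognised provider is installed as the default search engine")
    # Shell extension: the package ships nothing except the override.
    code_keys = ("background", "content_scripts", "action", "browser_action")
    if not any(k in manifest for k in code_keys) and not manifest.get("permissions"):
        findings.append("manifest-only package: no scripts or permissions, only the override")
    return findings

# Constructed sample manifests (not taken from the real extensions).
SHELL_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Satellite Map Viewer", "version": "1.0",
  "chrome_settings_overrides": {"search_provider": {
    "name": "Map Search", "keyword": "map", "encoding": "UTF-8", "is_default": true,
    "search_url": "https://go.relay-example.invalid/?q={searchTerms}&aff=PLACEHOLDER"}}
}""")

BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "DDG Switcher", "version": "2.1",
  "permissions": ["storage"],
  "background": {"service_worker": "bg.js"},
  "chrome_settings_overrides": {"search_provider": {
    "name": "DuckDuckGo", "keyword": "ddg", "encoding": "UTF-8", "is_default": true,
    "search_url": "https://duckduckgo.com/?q={searchTerms}"}}
}""")

def audit_all(manifests: dict[str, dict]) -> dict[str, list[str]]:
    """Audit several manifests keyed by extension name; keep only those with findings."""
    return {name: f for name, m in manifests.items() if (f := audit_manifest(m))}

if __name__ == "__main__":
    for name, f in audit_all({"shell": SHELL_MANIFEST, "benign": BENIGN_MANIFEST}).items():
        print(name, "->", "; ".join(f))
```

Run against unpacked extension directories, the same check can be applied to every manifest.json found under the browser profile’s extensions folder.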

Some extensions incorporate rudimentary functionalities, such as basic map viewers or video libraries, to appear legitimate and pass store reviews. However, these features are often barely functional and serve primarily to lend an air of credibility to the extensions. For example, an extension named “Search Toggler” presents an interface that ostensibly allows users to switch between different search engines. In reality, all search queries are still funneled through the operator’s server, regardless of the user’s selection, effectively nullifying the perceived control.

The discovery of the SearchJack campaign underscores the persistent threats posed by malicious browser extensions and the challenges in detecting and mitigating such risks. Users are advised to exercise caution when installing browser extensions, especially those that request permissions to alter search settings or other critical browser functions. Regular audits of installed extensions and adherence to best practices in cybersecurity hygiene are essential steps in safeguarding personal information and maintaining secure browsing experiences.

In light of this campaign, it is imperative for both users and developers to remain vigilant. Users should scrutinize the permissions requested by extensions and verify their legitimacy through reviews and trusted sources. Developers and platform maintainers must enhance their monitoring mechanisms to detect and prevent the distribution of malicious extensions. Collaborative efforts between security researchers, browser developers, and the user community are crucial in identifying and mitigating such threats promptly.

The SearchJack campaign serves as a stark reminder of the evolving tactics employed by cybercriminals to exploit user trust and the importance of continuous vigilance in the digital landscape.