Researchers at Cyble Research and Intelligence Labs (CRIL) have discovered some new instances of browser hijacking embedded into Chrome extensions. According to CRIL, the extensions were available on the Google Chrome Web Store, an online store to download themes and extensions for the Chrome browser. So far, the extensions have compromised over two million users, per the CRIL report.
Upon analyzing the contents of the extensions, the researchers found that the browser hijackers were trying to change Chrome’s default search engine to something else. For the uninitiated, a browser hijacker, in its raw form, is malware capable of modifying the web browser settings without the users’ permission and can redirect the user to malicious websites and install programs on behalf of the user.
It is often called the “browser redirect virus” because it forces users to visit other malicious websites they initially never intended to visit. Once installed on the target’s web browser, it can “open doors for future attacks by redirecting users to malicious websites,” said the CRIL brief on the discovery. The extensions become defunct after changing the browser to its default settings.
Browser hijackers: An enigma of cyber attacks
Browser hijackers come in all shapes and sizes — existing solely on the internet browser to steal information and spread malware. Once installed, these extensions route users’ queries via various servers and complex redirection mechanisms, contrary to how the standard Google, Bing, or any known search engine works. Instead of using Google search as the default, the results are either shown in Yahoo or Bing, which can be used to gather user data for displaying personalized adverts to persuade the victim to click them.
According to the CRIL researchers who spoke to The Cyber Express, the browser hijackers were found during their regular “research activities” and affected the users “who installed it and people who’re using chromium-based browsers.” In the technical analysis of the extensions, three mainly targeted Chromium-based browsers. A detailed analysis of the methodology and execution of browser hijacker extensions is given below.
Technical analysis of browser hijacker extensions
CRIL researchers collected three browser hijacker extensions: WebSecurerr Browser Protection, Ultrasurf, and Internet-Start. All three extensions claimed to provide additional features to the standard search options by replacing them with new ones. However, by doing so, they tend to “hijack” the browser, persuading the user to use other services — setting up the trap to steal data using malware-infected websites and programs.
WebSecurerr Browser Protection
WebSecurerr Browser Protection aims to provide better protection against websites with malicious codes and malware. It even has over 200K installations that could build confidence in the user to install the extension on their browser. However, the extensions need to provide what is said in their description.
Upon close inspection, the researchers at CRIL found that the extension urges the users to change the browser’s default settings. It also forces the browser to change the default browser search URL to “go.searchsecurer[.]com” and causes the browser to change the default search engine to Yahoo.
According to CRIL, this method can be used to capture the user’s search keywords, which are later used as a reference to collect data on users to promote personalized agendas, in this case the STOPPROPAGANDA campaign.
Ultrasurf
Ultrasurf is a VPN-powered extension that allows users to visit websites censored by the law in their countries. It encrypts communication on the installed devices and sends the data through a secure tunnel to its VPN server. The user data, in this sense, is encrypted and rerouted to whatever site they visit.
Despite how good it sounds, it is only on paper, or that’s what it wants the users to believe. Though it has over 800,000 installs on the Chrome Web Store and has multiple positive reviews, the research team discovered that it changes the default search URL to smartwebfinder[.]com after installation. It uses the same “multiple redirects” mechanism as “WebSecurerr Browser Protection” to show the end search results in a Bing search engine.
It also asks for browser permissions to use Chrome’s built-in APIs like webRequest, storage, and proxy. Upon analyzing its resource consumption, it was found that it tries to open “ultrasurfing[.]com” multiple times without users’ consent, which slows down the system by using unnecessary resources.
Internet-Start
Like most of the extensions on this list, Internet-Start also claims to provide better functionality to the Chrome browser. It replaces the current search engine in the browser and provides search results using a “more convenient format”. However, like other browser hijackers, it also changes the default engine to internet-start[.]net.
The extension is marketed to provide better features but, according to CRIL, these features are not functional and show advertisements on the top of search results, defying the logic behind its usage. During the analysis, the researchers found that the extension collects users’ data to provide targeted advertisements, and often redirects the traffic to Yandex metrics, another search engine.
Moreover, it was found that the browser uses a monetization platform, Adsense, to generate revenue using the user’s activity on the browser with the extension installed.
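A defender can check installed extensions for the two traits described above: a replaced default search engine and requests for the webRequest and proxy permissions. The following is an added example, not code from CRIL or from the extensions. It assumes the search change is declared through the manifest's `chrome_settings_overrides.search_provider` key (Chrome's manifest setting for this; the report does not say how the extensions do it). The approved-host list and both sample manifests are constructed for illustration.

```python
import json
from pathlib import Path
from urllib.parse import urlsplit

# Assumption: search hosts this organisation accepts as a default provider.
APPROVED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
# Permissions named in the article that let an extension observe or reroute traffic.
TRAFFIC_PERMISSIONS = {"webRequest", "proxy"}


def audit_manifest(manifest: dict) -> list:
    """Return findings for one parsed manifest.json."""
    findings = []
    overrides = manifest.get("chrome_settings_overrides") or {}
    provider = overrides.get("search_provider") or {}
    if provider:
        host = urlsplit(provider.get("search_url", "")).hostname or "<none>"
        if host not in APPROVED_SEARCH_HOSTS:
            findings.append(f"search-override:{host}")
    requested = set()
    for field in ("permissions", "optional_permissions"):
        requested.update(p for p in manifest.get(field) or [] if isinstance(p, str))
    for perm in sorted(requested & TRAFFIC_PERMISSIONS):
        findings.append(f"permission:{perm}")
    return findings


def audit_profile(profile_dir: str) -> dict:
    """Audit every extension under <profile>/Extensions/<id>/<version>/."""
    report = {}
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[path.parts[-3]] = ["unreadable-manifest"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[path.parts[-3]] = findings  # keyed by extension ID
    return report


# Constructed sample manifests (not taken from the extensions in the report).
SUSPECT = {"name": "Example Protection", "manifest_version": 3,
           "permissions": ["webRequest", "storage", "proxy"],
           "chrome_settings_overrides": {"search_provider": {
               "name": "Example", "keyword": "ex", "is_default": True,
               "search_url": "https://go.search.example.test/?q={searchTerms}"}}}
BENIGN = {"name": "Example Notes", "manifest_version": 3, "permissions": ["storage"]}
```

Calling `audit_profile` on a Chrome profile directory returns findings keyed by extension ID, which can then be compared against the extensions the organisation has approved.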