Cyble – Over 2 Million Users Affected With Browser Hijackers

Browser Extensions Capture User Searches For Monetary Gain

During a routine investigation, Cyble Research and Intelligence Labs (CRIL) discovered multiple Chrome extensions that compromised over two million users with Browser Hijackers. A browser hijacker is an unwanted program that modifies browser settings without the user's permission and redirects users to web pages they did not intend to visit. After installation, a browser hijacker might open doors for future attacks by redirecting users to malicious websites.

All the extensions that we found were present on the Chrome web store. After installation, we observed that the browser hijackers also changed the browser’s default search engine without the users’ knowledge. We noticed that the extensions would not work if a user tried to revert to the default browser settings.

These extensions send the user's queries through multiple redirects across different servers, and in the end the search results are shown by search engines such as Yahoo or Bing rather than the user's default one. Such search query redirects can collect user information and show advertisements to further serve the developer’s financial motives.

In the technical analysis, we will cover three browser hijackers that mainly target Chromium-based browsers.

Technical Analysis

Hijacker Plugin 1:

The WebSecurerr Browser Protection extension claims to protect users from malicious sites. It has over 200K installs and is currently active on the Chrome web store. Figure 1 shows the Chrome extension. The meta information of the plugin is given below:

Extension ID: odlnghcomkeenpeblhddfpacdncfjmna

Name: ‘WebSecurerr Browser Protection’

Targeted Browser: Chrome

Figure 1 – WebSecurerr Browser Extension

After installation, the extension opens a new tab where it urges the user to keep the changes made by it. If a user clicks on “Change it back” or manually tries to revert to the default settings, the extension will not work or will be disabled automatically.

This extension tries to change the browser search URL to “go.searchsecurer[.]com” and further redirects the user’s search query to the Yahoo search engine. The user’s search keyword can be easily captured using this redirection technique.

Figure 2 – Urges User to Keep Changes

After capturing the search keywords, the extension checks whether the keyword is a domain name and compares it with hardcoded domain lists hosted on searchsecurer[.]com in JSON format. If there’s a match, it either blocks the request or displays a warning message.

These JSON files contain over 1,000 domains in total, and we observed that a few of them were also legitimate sites. Thus, this extension might display warning messages for legitimate sites as well.

Additionally, a part of the code suggests that the developer of this extension may have contributed to the STOPPROPAGANDA campaign, indicating that the author of this extension might be redirecting more traffic to Russian government sites. The figure below shows the code that should take the user to a Russian site when the URL added by the user is flagged as malicious.

Figure 3 – Code of Warning Message

Currently, this code is not functional due to a coding flaw, or the developer may have deliberately altered it. This extension displays a warning message when it flags a site as malicious and redirects to the Russian government site when users click on the link shown in the warning message.

Hijacker Plugin 2:

Ultrasurf enables users to bypass internet censorship laws by leveraging proxy servers. This extension has over 800,000 installs on the Chrome web store. Figure 4 shows the extension. The meta information of the plugin is given below:

Extension ID: mjnbclmflcpookeapghfhapeffmpodij

Name: UltraSurf Security, Privacy & Unblock VPN

Browser: Chrome

Figure 4 – UltraSurf Chrome Extension

After installation, this extension changes the default search URL of the victim’s browser to smartwebfinder[.]com. Researchers have previously reported a few other extensions that changed the default search engine to ‘smartwebfinder’. The figure below shows the manifest.json file of this extension.

Figure 5 – Manifest.json

The user search goes through multiple redirects, and the final results will appear via the Bing search engine. This extension creates multiple redirects, causing a delay in displaying search results. The figure below shows these redirects.

Figure 6 – Network Activity of the Extension
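The redirect pattern described here (and for the first extension) can be hunted for in web proxy logs without knowing the hijacker's domains in advance. The following is an added example, not code from the original article: it rebuilds per-client redirect chains and flags a search that starts at a third-party host and is handed on to Bing or Yahoo. The log format, the `.example` hosts and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

SEARCH_ENGINES = ("bing.com", "yahoo.com")  # final destinations named in the article
TERM_KEYS = ("q", "p")  # Bing carries the term in q=, Yahoo in p=

# Constructed proxy log: client, status, requested URL, Location header ("-" if none).
SAMPLE_LOG = """\
10.0.0.5 302 https://find.hijack.example/s?q=vpn+review https://hop1.ads.example/r?k=vpn+review
10.0.0.5 302 https://hop1.ads.example/r?k=vpn+review https://www.bing.com/search?q=vpn+review
10.0.0.5 200 https://www.bing.com/search?q=vpn+review -
10.0.0.9 301 http://bing.com/search?q=weather https://www.bing.com/search?q=weather
10.0.0.9 200 https://www.bing.com/search?q=weather -
"""

def is_engine(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == e or host.endswith("." + e) for e in SEARCH_ENGINES)

def query_values(url):
    return [v for vals in parse_qs(urlsplit(url).query).values() for v in vals]

def engine_term(url):
    qs = parse_qs(urlsplit(url).query)
    return next((qs[k][0] for k in TERM_KEYS if k in qs), None)

def find_hijacked_searches(log_text):
    """Rebuild per-client redirect chains; flag third-party chains ending in a search."""
    hops = {}  # (client, requested URL) -> redirect target
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1].startswith("3") and parts[3] != "-":
            hops[(parts[0], parts[2])] = parts[3]
    targets = {(client, target) for (client, _), target in hops.items()}
    alerts = []
    for client, start in hops:
        if (client, start) in targets or is_engine(start):
            continue  # mid-chain hop, or the engine redirecting to itself
        chain = [start]
        while (client, chain[-1]) in hops and hops[(client, chain[-1])] not in chain:
            chain.append(hops[(client, chain[-1])])
        term = engine_term(chain[-1]) if is_engine(chain[-1]) else None
        if term and term in query_values(start):
            alerts.append({"client": client, "term": term,
                           "via": [urlsplit(u).hostname for u in chain[:-1]]})
    return alerts

if __name__ == "__main__":
    print(find_hijacked_searches(SAMPLE_LOG))
```

The `via` list names the intermediary hosts that saw the search term, which is the data to pivot on when scoping affected clients.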

This extension requires the following browser permissions to access Chrome’s built-in APIs:

webRequest: Gives the extension access to the chrome.webRequest API to observe and analyze traffic and to intercept, block, or modify requests in flight.

storage: Gives the extension access to the chrome.storage API.

proxy: Gives the extension access to the chrome.proxy API.
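The manifest properties discussed above can be checked across a fleet by auditing installed extensions on disk. The following is an added example, not code from the original article: it flags the three extension IDs given in this article, any extension that declares a search provider, and the `webRequest` and `proxy` permissions. It assumes the search change is declared through Chrome's `chrome_settings_overrides.search_provider` manifest key and that extensions live under `<profile>/Extensions/<id>/<version>/`; the sample manifest and function names are constructed for illustration.

```python
import json
from pathlib import Path

# Extension IDs listed in this article.
REPORTED_IDS = {
    "odlnghcomkeenpeblhddfpacdncfjmna",  # WebSecurerr Browser Protection
    "mjnbclmflcpookeapghfhapeffmpodij",  # UltraSurf Security, Privacy & Unblock VPN
    "llcdellnofncikmhimjdbkdjgpmcjbik",  # Internet-Start
}
RISKY_PERMISSIONS = {"webRequest", "proxy"}  # from the permission list above

# Constructed sample manifest (not the real extension's file; URL is a placeholder).
SAMPLE_MANIFEST = {
    "name": "Sample hijacker", "manifest_version": 2,
    "permissions": ["webRequest", "storage", "proxy"],
    "chrome_settings_overrides": {"search_provider": {
        "name": "Sample", "is_default": True,
        "search_url": "https://search.example.invalid/?q={searchTerms}"}},
}

def audit_manifest(ext_id, manifest):
    """Return findings for one parsed manifest.json (empty list if nothing notable)."""
    findings = ["reported-id"] if ext_id in REPORTED_IDS else []
    provider = (manifest.get("chrome_settings_overrides") or {}).get("search_provider") or {}
    if provider.get("search_url"):
        kind = "default-search-override" if provider.get("is_default") else "search-provider-added"
        findings.append(f"{kind}: {provider['search_url']}")
    perms = {p for p in (manifest.get("permissions") or []) if isinstance(p, str)}
    if perms & RISKY_PERMISSIONS:
        findings.append("permissions: " + ",".join(sorted(perms & RISKY_PERMISSIONS)))
    return findings

def audit_profile(extensions_dir):
    """Audit every <extensions_dir>/<id>/<version>/manifest.json in a Chrome profile."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id, version = path.parent.parent.name, path.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            findings = audit_manifest(ext_id, manifest)
        except (OSError, ValueError, AttributeError, TypeError):
            findings = ["unreadable-manifest"]  # malformed or unexpected structure
        if findings:
            report[f"{ext_id}/{version}"] = findings
    return report

if __name__ == "__main__":
    print(audit_manifest("mjnbclmflcpookeapghfhapeffmpodij", SAMPLE_MANIFEST))
```

A search override or these permissions alone do not prove an extension is a hijacker; treat the findings as a triage list to review against what each extension claims to do.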

This extension can open “ultrasurfing[.]com” in a new tab multiple times with every search action performed on the browser and can slow down the system by consuming resources unnecessarily.

The extension uses the chrome.tabs.create() method to create a new tab. The figure below shows the code responsible for creating a new tab using a unique TabID and opening ultrasurfing[.]com.

Figure 7 – Opens New Tabs

This browser plugin is used to run an ad campaign.

Hijacker Plugin 3:

As per the description, Internet-Start claims to replace a user’s current search and transform the results for search queries into a more convenient format. Figure 8 shows the Chrome extension with over a million installs. The meta information of the plugin is given below:

Extension ID: llcdellnofncikmhimjdbkdjgpmcjbik

Name: Internet-Start

Browser: Chrome

Figure 8 – Internet-Start Browser Extension

After installation, this extension changes your default search engine to internet-start[.]net. This extension claims to have multiple features. However, we did not observe them being functional. The extension claims to block ads, but the top results it shows are advertisements related to the search keyword entered by the user or to user sentiments.

During our analysis, we found that the extension collects user data to create targeted advertisements. This extension redirects traffic to Yandex metrics, a web-based analytics service offered by Yandex that tracks and reports website traffic.

It also uses AdSense, which enables the developer to generate advertisement revenue. The figure below shows the network activity of the extension during search activities.

Figure 9 – Network Activity of the Extension

Conclusion

Web extensions are widely used across all the most popular browsers, making them a prime vector for redirecting users to malicious websites. Hijackers can also be used to spy on users and execute ad campaigns to generate revenue. The extension developer can also sell user data to third parties for financial gain.

Our Recommendations

  • Verify the authenticity of sources before installing browser add-ons, for example by validating the developer, domain, and user reviews.
  • Reverting to default browser settings should remediate the unwanted behavior of the browser; however, this won’t remove the malicious extension.
  • Malicious browser extensions can be removed manually by going to Extension > Remove Extension on the browser or by using a competent antivirus solution.

Source: https://blog.cyble.com/2022/11/22/over-2-million-users-affected-with-browser-hijackers/