A recent investigation has uncovered a stealthy operation named SearchJack, in which 23 misleading Chrome browser extensions hijack users' search queries. The campaign has affected approximately 758,000 Chrome users worldwide, most of them unaware that their searches are being rerouted through hidden revenue channels.
How SearchJack Operates
The extensions involved in SearchJack present themselves as useful tools, such as productivity apps or satellite maps. Their real purpose is to replace the browser's default search engine, which an extension can do declaratively through the chrome_settings_overrides key in its manifest: the search_provider entry it declares becomes the default search engine the moment the extension is installed. Each query a user types into the address bar is then sent first to an operator-controlled server, which logs and monetizes it before redirecting to a real search engine, so the user sees ordinary-looking results and has no visible sign that the query was intercepted or that any consent was asked for.
Researchers at MalExt Sentry exposed the campaign with their automated extension-scanning tools. Their report, shared with Cyber Security News (CSN), highlights that the extensions rely on the chrome_settings_overrides manifest key to take control of the search settings. The investigation identified eight distinct affiliate brokers, each identifiable by a unique tracking parameter carried in the redirect to Yahoo.
The Deceptive Nature of SearchJack Extensions
The extensions in the SearchJack campaign are hard to tell apart from legitimate ones. Nautilus Search, for example, claims it does not track searches or collect personal data, yet its own privacy policy admits to collecting IP addresses and search queries. Misrepresenting data collection in this way runs afoul of privacy regimes such as GDPR and FTC rules on deceptive practices, and it means users cannot rely on a store listing to judge what an extension does with their queries.
What makes SearchJack particularly dangerous is that the redirect happens on operator-controlled servers. The operators can change what those servers do at any time, sending a query to a phishing page or a malicious download instead of a search engine, without shipping an extension update that would pass through store review. That latent capability elevates SearchJack from mere adware to a significant cybersecurity threat.
The Network Behind SearchJack
At the core of SearchJack is a network of brokers with revenue-sharing agreements under Yahoo's affiliate program. These brokers, such as the traceable Becovi Ltd in Dublin, earn money each time a user runs a search through one of the extensions. Some brokers, however, could not be identified, which complicates accountability.
In some instances, extensions such as Fusebase Search also show signs of manipulation, for example an unusually high number of reviews relative to installations. The researchers suggest that acting at the broker level would be more effective than taking down individual extensions, since an extension is cheap to replace while the broker relationship that pays for it is not.
Users are advised to review their installed Chrome extensions (chrome://extensions), remove any they do not recognize, and then check the default search engine under chrome://settings/searchEngines, resetting it manually if it points somewhere unexpected. Removing the extension alone is not enough to be sure: confirm that the default engine has actually reverted.
The SearchJack campaign underscores the need to keep an eye on browser extensions and the ongoing difficulty of preserving online privacy and security.
