A deceptive browser extension masquerading as the widely used AI tool Perplexity AI has been found hijacking users' search queries and browser signals. The incident shows how a trusted brand name can be borrowed to compromise user privacy.
The extension, titled “Search for perplexity ai,” imitated the legitimate AI tool so that users would have no reason to question it. It targeted Chromium-based browsers and changed the default search settings immediately upon installation.
How the Malicious Extension Operated
Once installed, the extension routed every search through the attacker's own server before forwarding it to an engine such as Google or Bing. Because results still came back from the expected engine, users saw nothing unusual and had no indication that their queries were being intercepted.
Microsoft analysts identified the extension’s primary motive as intercepting search traffic and collecting data. They warned that such data could be misused for user profiling, targeted advertising, or other privacy violations, depending on the attackers’ intent.
Advanced Techniques and Concealed Operations
The fake extension declared itself as the browser's default search provider, pointing at a domain that closely resembled the legitimate perplexity[.]ai service. Because the change looked like an ordinary search-engine setting, it was nearly imperceptible to users.
Unlike traditional search hijackers, this extension relied on modern, legitimate browser extension capabilities rather than crude tampering, so its activity blended into normal browsing behaviour and the interception looked like ordinary search traffic.
The redirect endpoint was backed by server-side code that logged every incoming request, including HTTP headers, user-agent strings and client IP addresses. That logging confirmed the operation was deliberately designed for large-scale data collection.
Following responsible disclosure, Google removed the extension from the Chrome Web Store.
Preventive Measures and Recommendations
Microsoft recommends that organizations restrict extension installation to an approved list and enforce strict browser policies (in Chrome, for example, the ExtensionInstallBlocklist and ExtensionInstallAllowlist policies can block everything except vetted extension IDs). Users should verify the authenticity of an extension before installing it and be wary of AI-themed tools, which are increasingly used as lures in social engineering scams.
Monitoring for unauthorized changes to browser settings, in particular the default search provider, and watching for traffic to unfamiliar domains are key steps in detecting and containing threats of this kind. Organizations should stay vigilant to prevent similar attacks in future.
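One concrete way to check for the setting change described above is to inspect an extension's manifest before (or after) it is installed. Chromium extensions register a default search engine through the chrome_settings_overrides.search_provider manifest key, so that key tells you exactly where every omnibox query will be sent. The script below is an added example written for this article, not code from Microsoft or from the extension itself; the brand-to-host list, the sample manifests and the search URL paths are assumptions constructed for the demonstration, while the blocklisted extension ID is the one published as an indicator.

```javascript
// Added example, not from the original report: audit a Chromium extension
// manifest for a search-provider override that sends queries to a look-alike
// domain. Chromium extensions register a default search engine through the
// "chrome_settings_overrides.search_provider" manifest key, so that key tells
// you where every omnibox query will go.

// Brands the audit recognises and the hosts that legitimately serve them.
// The list is an assumption for this example; extend it for your environment.
const KNOWN_BRANDS = {
  perplexity: ["perplexity.ai", "www.perplexity.ai"],
};

// Extension IDs already reported as malicious; the one below is the ID
// published for "Search for perplexity ai".
const BLOCKLISTED_IDS = new Set(["flkebkiofojicogddingbdmcmkpbplcd"]);

// Search templates contain placeholders such as {searchTerms}; replace them
// with a harmless token so the URL parser can extract the host.
function hostOf(templateUrl) {
  return new URL(templateUrl.replace(/\{[^}]*\}/g, "x")).hostname.toLowerCase();
}

// Returns a list of findings for one extension; an empty list means clean.
function auditManifest(extensionId, manifest) {
  const findings = [];
  if (BLOCKLISTED_IDS.has(extensionId)) {
    findings.push({ rule: "blocklisted_id", id: extensionId });
  }
  const overrides = manifest.chrome_settings_overrides || {};
  const sp = overrides.search_provider;
  if (!sp) return findings;               // no search override, nothing more to check

  // Every URL the override points at: search_url is where the query goes,
  // suggest_url receives keystrokes as the user types.
  const hosts = new Set();
  for (const key of ["search_url", "suggest_url", "favicon_url"]) {
    if (sp[key]) hosts.add(hostOf(sp[key]));
  }
  const claimed = `${manifest.name || ""} ${sp.name || ""}`.toLowerCase();

  for (const [brand, legitHosts] of Object.entries(KNOWN_BRANDS)) {
    if (!claimed.includes(brand)) continue;  // extension does not invoke this brand
    for (const host of hosts) {
      if (legitHosts.includes(host)) continue;
      findings.push({
        // A host that contains the brand word but is not the brand's own domain
        // is the typosquat pattern; any other host is still a mismatch.
        rule: host.includes(brand) ? "typosquat_search_host" : "foreign_search_host",
        brand,
        host,
      });
    }
  }
  return findings;
}

// Constructed sample manifests modelled on the report; the search paths and
// the "legitimate" extension ID are assumptions for the example.
const FAKE_MANIFEST = {
  name: "Search for perplexity ai",
  manifest_version: 3,
  chrome_settings_overrides: {
    search_provider: {
      name: "Perplexity AI",
      keyword: "perplexity",
      search_url: "https://perplexity-ai.online/search?q={searchTerms}",
      suggest_url: "https://perplexity-ai.online/suggest?q={searchTerms}",
      encoding: "UTF-8",
      is_default: true,
    },
  },
};

const LEGIT_MANIFEST = {
  name: "Perplexity search",
  manifest_version: 3,
  chrome_settings_overrides: {
    search_provider: {
      name: "Perplexity",
      keyword: "pplx",
      search_url: "https://www.perplexity.ai/search?q={searchTerms}",
      encoding: "UTF-8",
      is_default: true,
    },
  },
};

console.log(auditManifest("flkebkiofojicogddingbdmcmkpbplcd", FAKE_MANIFEST));
console.log(auditManifest("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", LEGIT_MANIFEST)); // []
```

Run it with Node against the unpacked manifest.json of any installed extension (the directory name under the browser profile's Extensions folder is the extension ID). The useful signal is the mismatch between the brand the extension names and the host that actually receives the query; a blocklist of known IDs only catches what has already been reported.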
Indicators of Compromise (IoCs): the typosquatted domain perplexity-ai[.]online, used to intercept and redirect search queries, and the extension ID flkebkiofojicogddingbdmcmkpbplcd.
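The traffic side of the recommendation above can be turned into detection logic: flag any request to the published IoC domain, flag search-style queries sent to a host that is not a known search engine, and, because the extension relayed each query on to Google or Bing, correlate the same search term reaching an unknown host and then a real engine from the same client. The following is an added example written for this article, not a Microsoft detection rule; the proxy log format (timestamp, client IP, method, URL), the list of known search hosts and the sample log lines are all constructed assumptions, and only the IoC domain comes from the report.

```javascript
// Added example, not from the original report: detection logic for search
// traffic that is being relayed through an unfamiliar domain, run over a few
// constructed proxy log lines. The log format (timestamp, client IP, method,
// URL) and the sample lines are assumptions made for this example.

// Hosts that are expected to receive search queries; any other host that
// receives a query is suspicious. The list is an assumption for the example.
const KNOWN_SEARCH_HOSTS = new Set([
  "www.google.com", "www.bing.com", "duckduckgo.com", "www.perplexity.ai",
]);

// Domain published as an indicator of compromise for the fake extension.
const IOC_DOMAINS = new Set(["perplexity-ai.online"]);

// Query-string keys that carry the search term on common engines.
const QUERY_KEYS = ["q", "query", "search"];

// Parse one "<timestamp> <client> <method> <url>" line; null if unparseable.
function parseLine(line) {
  const m = line.match(/^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$/);
  if (!m) return null;
  let url;
  try { url = new URL(m[4]); } catch { return null; }
  let term = null;
  for (const k of QUERY_KEYS) {
    if (url.searchParams.has(k)) {
      term = url.searchParams.get(k).trim().toLowerCase();
      break;
    }
  }
  return { ts: m[1], client: m[2], method: m[3], host: url.hostname.toLowerCase(), term };
}

// Run all three rules over the lines and return the findings in log order.
function analyze(lines) {
  const findings = [];
  // client -> (search term -> first unknown host that received that term)
  const relayed = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (IOC_DOMAINS.has(ev.host)) {
      findings.push({ rule: "ioc_domain", client: ev.client, host: ev.host });
    }
    if (ev.term === null) continue;       // not a search request
    const perClient = relayed.get(ev.client) || new Map();
    relayed.set(ev.client, perClient);
    if (!KNOWN_SEARCH_HOSTS.has(ev.host)) {
      findings.push({ rule: "search_to_unknown_host", client: ev.client, host: ev.host, term: ev.term });
      if (!perClient.has(ev.term)) perClient.set(ev.term, ev.host);
    } else if (perClient.has(ev.term)) {
      // Same client, same term, first seen at an unknown host and now at a
      // real engine: the signature of a query being relayed.
      findings.push({ rule: "query_relayed", client: ev.client, via: perClient.get(ev.term), to: ev.host, term: ev.term });
    }
  }
  return findings;
}

// Constructed sample log; the IPs, times and queries are made up.
const SAMPLE_LOG = [
  "2025-01-15T09:12:01Z 10.0.0.12 GET https://www.google.com/search?q=vpn+setup",
  "2025-01-15T09:12:05Z 10.0.0.12 GET https://perplexity-ai.online/search?q=quarterly+report",
  "2025-01-15T09:12:06Z 10.0.0.12 GET https://www.bing.com/search?q=quarterly+report",
  "2025-01-15T09:13:40Z 10.0.0.7 GET https://duckduckgo.com/?q=weather",
  "2025-01-15T09:14:02Z 10.0.0.7 GET https://intranet.example/wiki/page",
];

console.log(analyze(SAMPLE_LOG));
```

The first rule is only as good as the IoC list, and the second produces noise for any internal search portal, so the allowlist has to include those. The relay correlation is the rule that survives a change of attacker domain: it keys on the behaviour the report describes, a query leaving the browser for somewhere unexpected and then appearing at the real engine.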
