
Introduction:
The browser extension marketplace has been weaponized. A sprawling malvertising campaign known as “SearchJack” has deployed 23 deceptive Chrome extensions to covertly override the default search engines of approximately 758,000 users, routing every query through a monetization middleware layer before returning search results to the victim. This sophisticated operation generates untold affiliate revenue for attackers by transforming users’ unpaid search traffic into a silent income stream through at least eight separate monetization brokers and twenty-two distinct publishers.
Learning Objectives:
- Analyze the technical mechanics of how malicious Chrome extensions leverage `chrome_settings_overrides` to silently hijack search settings.
- Identify and remove browser hijackers using Windows and Linux system commands.
- Understand the role of affiliate brokers and parameter-based clustering in tracking large-scale malvertising campaigns.
You Should Know:
1. Dissecting the SearchJack Hijacking Technique
The foundation of the SearchJack campaign lies in a specific, powerful permission within Chrome’s extension manifest: chrome_settings_overrides. This key, when present in an extension’s manifest.json, allows the extension to alter critical browser settings, including the default search engine. While intended for legitimate utility (e.g., search tools), the SearchJack extensions weaponize it. Upon installation, the extension rewrites the default search engine to a URL under the attacker’s control. Every search query is then sent to this intermediary server before being redirected to a legitimate search network like Google or Bing, with the attacker’s referral code appended to generate affiliate revenue for each query. The true nature of the extension is often hidden; some extensions promise features like satellite imagery or news reading but have no functionality beyond this search override.
Step-by-step guide explaining what this does and how to use it (for detection and analysis):
Linux / macOS (Terminal):
If you are an analyst inspecting suspicious extensions, you can use the following commands to search for the hijacking signature within the extension directories.
1. Locate Chrome Extension Directories:
# Default paths for Chrome extensions on Linux; on macOS the profile lives under
# ~/Library/Application\ Support/Google/Chrome/Default/Extensions/ instead
find ~/.config/google-chrome/Default/Extensions/ -name "manifest.json" -exec grep -l "chrome_settings_overrides" {} \;
# For Chromium-based browsers like Brave
find ~/.config/Brave-Browser/Default/Extensions/ -name "manifest.json" -exec grep -l "chrome_settings_overrides" {} \;
2. Extract and Review Suspicious Manifests:
Once you have the extension ID from the previous command (e.g., "aobfbcjcegdegfdbegmjfggkijonmdlk"), open its manifest. Each extension ID directory holds one subdirectory per installed version, so point at the versioned path:
grep -A 5 -B 5 "chrome_settings_overrides" ~/.config/google-chrome/Default/Extensions/aobfbcjcegdegfdbegmjfggkijonmdlk/<version>/manifest.json
Windows (PowerShell):
1. Search for Hijacking Manifests:
# Find all Chrome extensions with the hijacking key
Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions\" -Recurse -Filter "manifest.json" | Select-String "chrome_settings_overrides" -List
2. Analyze the Search URL:
# For each detected manifest, extract the replacement search URL (fill in <User>, <Extension-ID> and <Version>)
Get-Content "C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default\Extensions\<Extension-ID>\<Version>\manifest.json" | Select-String "search_url"
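As an added example (not code from the original post), the same check done programmatically: a small Python auditor that parses each manifest, pulls the `search_url` from `chrome_settings_overrides.search_provider`, and flags any override that points somewhere other than an allowlist of known engines. The allowlist and the sample manifests are constructed assumptions; the directory layout `<root>/<extension-id>/<version>/manifest.json` is Chrome's.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Hosts a default search provider is normally expected to resolve to.
# Assumption: extend this set with the engines your organisation approves.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


def search_override_from_manifest(manifest: dict):
    """Return the search_url an extension installs as the default engine, or None."""
    overrides = manifest.get("chrome_settings_overrides") or {}
    provider = overrides.get("search_provider") or {}
    return provider.get("search_url")


def audit_manifest(manifest: dict) -> dict:
    """Classify one manifest: no override, override to a known engine, or suspicious."""
    url = search_override_from_manifest(manifest)
    if url is None:
        return {"overrides_search": False, "suspicious": False, "host": None}
    host = urlparse(url).hostname or ""
    return {"overrides_search": True, "suspicious": host not in KNOWN_SEARCH_HOSTS, "host": host}


def audit_extension_dir(root: str) -> list:
    """Walk <root>/<extension-id>/<version>/manifest.json and report search overrides."""
    findings = []
    for manifest_path in Path(root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        result = audit_manifest(manifest)
        if result["overrides_search"]:
            result["extension_id"] = manifest_path.parts[-3]  # directory named after the ID
            findings.append(result)
    return findings


# Constructed sample manifests (not taken from any real extension).
BENIGN = {"name": "Bing Search", "chrome_settings_overrides": {"search_provider": {
    "name": "Bing", "search_url": "https://www.bing.com/search?q={searchTerms}"}}}
HIJACKER = {"name": "Satellite Viewer", "chrome_settings_overrides": {"search_provider": {
    "name": "Quick Search", "is_default": True, "encoding": "UTF-8",
    "search_url": "http://search-middleware.example/s?q={searchTerms}&hspart=broker_123"}}}
PLAIN = {"name": "Notes", "permissions": ["storage"]}

if __name__ == "__main__":
    for m in (BENIGN, HIJACKER, PLAIN):
        print(m["name"], audit_manifest(m))
```

Point `audit_extension_dir` at the Extensions directory from the commands above to audit a real profile.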
2. The Broker Network and Clustering: The `hspart` Fingerprint
The SearchJack campaign is not monolithic. It involves at least eight distinct monetization brokers who manage the backend infrastructure, allowing them to quickly spin up new extensions if existing ones are removed from the Chrome Web Store. The key to identifying all extensions tied to a single broker network is a specific URL parameter: hspart. In the final redirect URL sent to the search engine, this parameter acts as a clustering key. All extensions funneling traffic to the same broker will share the same `hspart` value, regardless of their extension name, display domain, or publisher identity, providing analysts with a reliable signature for takedown operations.
Step-by-step guide explaining what this does and how to use it (for analysis and tracking):
To analyze and track this, a security professional can use a web debugging proxy or browser developer tools.
1. Intercept Search Queries:
- Open your browser’s Developer Tools (F12).
- Navigate to the `Network` tab.
- Perform a search using the compromised browser. Look for the initial request being made to the hijacked URL.
2. Extract the `hspart` Parameter:
- In the network log, find the request to the malicious intermediary domain. The full URL might look like: `http://malicious-domain.com/search?q=search+term&hspart=broker_123`.
- The value of `hspart` (e.g., broker_123) is the fingerprint of the broker.
3. Conduct Open Source Intelligence (OSINT) Search:
- Use the extracted `hspart` value as a search query on public code repositories (like GitHub) or threat intelligence platforms (like AlienVault OTX) to find other extensions, domains, or IP addresses linked to the same broker.
3. Evasion Tactics: Runtime Injection and Deceptive Claims
The SearchJack operators employ advanced techniques to bypass both user scrutiny and automated security scans. One primary method is runtime injection using the `declarativeNetRequest` API. Instead of embedding the malicious routing logic directly in the static extension package, the extension injects the network rules dynamically at runtime. This means that static analysis tools that only scan the downloaded `.crx` file will see a benign extension, as the malicious behavior only becomes active after installation. Adding to the deception, some extensions explicitly claim in their Chrome Web Store descriptions that they “don’t track your searches,” while their privacy policy acknowledges the collection of IP addresses and search queries, creating a clear falsehood for the end-user.
Step-by-step guide explaining what this does and how to use it (for remediation and hardening):
To protect yourself from such attacks, follow these steps to audit and harden your browser.
For Individual Users (Removal):
1. Manually Review Extensions: In Chrome, navigate to chrome://extensions/. Switch on “Developer mode” (typically at the top right) to view detailed extension IDs.
2. Remove Suspicious Extensions: Click “Remove” on any extension you do not recognize or trust. Pay special attention to extensions with names like “Search Control,” “Easy Search,” or vague terms like “Helper”.
3. Reset Browser Search Engine:
- Go to chrome://settings/searchEngines.
- Locate the “Default search engine” section. If a malicious one is present, click the three dots next to it and select “Make default” for a trusted engine (e.g., Google, Bing).
- Remove any unknown search engines by clicking the three dots next to them and selecting “Remove from list”.
For Enterprise Security Teams (Hardening):
1. Disable Unnecessary Extension Permissions: Use Group Policy on Windows or MDM on macOS to enforce an extension allowlist. Block extensions that request `chrome_settings_overrides` unless explicitly approved.
– Windows Registry (GPO): Set `Configure extension management policies` to block all extensions not in your allowlist. The `"*"` entry is the default applied to every extension not listed explicitly; replace `allowed_extension_1_id` with the real 32-character extension ID.
{
"*": {
"installation_mode": "blocked"
},
"allowed_extension_1_id": {
"installation_mode": "allowed"
}
}
2. Monitor Network Logs: Configure your network proxy or security gateway to monitor for unknown URL parameters like `hspart` or requests to unknown, newly registered domains that could serve as monetization middleware. Alert on any traffic pattern where a search query is first sent to a non-standard domain before being forwarded to a known search engine.
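Added example (not part of the original post) that covers both the `hspart` clustering from section 2 and the proxy-log monitoring described above: it parses proxy log lines, flags search queries that terminate at a host outside the allowlist, and groups the intermediary domains by their `hspart` value so one broker's whole domain set surfaces together. The log format, the host allowlist and every host and `hspart` value are constructed assumptions, not real indicators.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Engines where a user's query is expected to terminate.
# Assumption: tailor this set to the engines your organisation allows.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
QUERY_KEYS = ("q", "query", "searchTerms")  # parameters that usually carry the search text


def parse_proxy_line(line: str) -> dict:
    """Parse one line of the constructed format '<timestamp> <client-ip> <url>'."""
    ts, client, url = line.split(maxsplit=2)
    return {"ts": ts, "client": client, "url": url}


def inspect_request(url: str) -> dict:
    """Decide whether a request looks like a search query routed via a non-allowlisted host."""
    parts = urlparse(url)
    params = parse_qs(parts.query)
    host = parts.hostname or ""
    carries_query = any(key in params for key in QUERY_KEYS)
    hspart = params.get("hspart", [None])[0]  # broker fingerprint, if present
    return {"host": host, "hspart": hspart, "carries_query": carries_query,
            "suspicious": carries_query and host not in KNOWN_SEARCH_HOSTS}


def cluster_by_broker(lines):
    """Return (hspart -> sorted intermediary hosts, alerts) over a batch of proxy log lines."""
    brokers = defaultdict(set)
    alerts = []
    for line in lines:
        rec = parse_proxy_line(line)
        info = inspect_request(rec["url"])
        if info["hspart"]:
            brokers[info["hspart"]].add(info["host"])
        if info["suspicious"]:
            alerts.append({"client": rec["client"], "host": info["host"], "hspart": info["hspart"]})
    return {k: sorted(v) for k, v in brokers.items()}, alerts


# Constructed sample log lines; hosts and hspart values are invented, not real indicators.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 http://search-middleware.example/s?q=vpn+setup&hspart=broker_123",
    "2024-01-01T10:00:01Z 10.0.0.5 https://www.bing.com/search?q=vpn+setup&form=QBLH",
    "2024-01-01T10:02:00Z 10.0.0.9 http://another-feed.example/go?query=payroll&hspart=broker_123",
    "2024-01-01T10:03:00Z 10.0.0.7 https://www.google.com/search?q=weather",
    "2024-01-01T10:04:00Z 10.0.0.7 http://third-portal.example/r?q=bank+login&hspart=broker_777",
]

if __name__ == "__main__":
    brokers, alerts = cluster_by_broker(SAMPLE_LOG)
    print("broker clusters:", brokers, "\nalerts:", alerts)
```

The second line shows the expected pattern from the text: the same query reappears at a known engine right after the hop through the intermediary, and only the hop is alerted on.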
4. Mitigation and Future Prevention: The User Response
The ultimate risk of the SearchJack campaign extends beyond unwanted ad revenue. By sitting as a man-in-the-middle for all search queries, these extensions can collect every search term a user enters, building a detailed profile of their interests, behaviors, and potentially sensitive information. This data can be sold to third parties or used for targeted phishing campaigns. The only effective response is the immediate removal of the offending extensions and a comprehensive reset of browser settings to ensure no persistent policies are left behind.
What Undercode Say:
- Key Takeaway 1: The `chrome_settings_overrides` permission is a massive security sinkhole. Users must be trained to never install extensions requesting this permission unless the extension is from a highly trusted, well-known vendor. Its abuse is the cornerstone of the entire SearchJack operation.
- Key Takeaway 2: The use of runtime code injection via `declarativeNetRequest` marks a significant evolution in browser malware sophistication. It forces security vendors to move beyond simple static file scanning and adopt dynamic, behavior-based analysis systems to detect malicious extensions before they reach millions of users.
Expected Output
The SearchJack campaign highlights the commercial pressures that lead to the weaponization of browser extension frameworks. By infiltrating the trusted distribution ecosystem of the Chrome Web Store, attackers have demonstrated that permission-based security models are only effective if users and automated scanners can meaningfully understand the implications of what they are allowing. The campaign’s use of multiple brokers and disposable extensions shows it is a resilient, profit-driven enterprise, not an isolated attack, meaning the techniques will be replicated. The sophistication of hiding logic within `declarativeNetRequest` rules is a direct challenge to current anti-malware scanning methodologies, which still largely rely on static analysis. Organizations must now treat browser extensions as a critical attack vector, enforcing strict allowlists and monitoring for behavioral anomalies such as unexpected search URL alterations. For the average user, this serves as a stark reminder: a free extension is rarely free; you are often the product being sold.
Prediction:
- -1: As browser vendors race to block obvious manifest-based overrides, attackers will increasingly pivot to abusing `declarativeNetRequest` APIs and other runtime methods, making detection significantly harder.
- -1: The use of URL parameters like `hspart` for brokering will evolve into more distributed and encrypted fingerprinting systems, complicating efforts to take down entire malicious extension networks.
- +1: Major browser vendors like Google will be forced to implement real-time behavioral monitoring and stricter, more transparent permission models for search engine overrides, potentially requiring user re-consent for any change to the default search provider.
Reported By: Varshu25 Chrome – Hackers Feeds