A new Chrome extension called Browse-Secure is promoted on the Chrome Web Store as being able to secure searches. What it does not tell you is that it is also crawling your LinkedIn and Facebook accounts and uploading your name, email address, gender, mobile number, and address to a remote server.
Browse-Secure is promoted through web sites that show misleading advertisements with messages such as "Warning! Security Breach". They then go on to promote a Chrome extension that supposedly makes your browser "safe again". You can see an example of one of these advertisements below.
Once a user clicks on the Add Extension button, it will display a small prompt to install the extension.
When the extension is installed, it will connect to its backend server at the URL https://backend.chupashop.com/getuid4search. This server will respond with a UID, or user ID, that is associated with this particular Chrome user and will be used for each subsequent request.
The extension will then read a set of rules from an included crawl.json file. These rules contain a list of URLs and associated regular expressions that will be used to extract information from a particular URL. You can see a portion of the crawl.json rules file below.
The list of URLs and the information that is extracted from each one is:
| URL | Information extracted |
|---|---|
| http://www.facebook.com/me/about | Name, First Name, Date of Birth |
| https://www.linkedin.com/profile/edit-basic-info | First Name, Last Name |
Once it retrieves the desired information, it will connect again to the backend server and upload this information to the developer.
What the developers are using this information for is currently unknown. This information could, though, be used in a variety of ways such as unsolicited email and postal marketing and spear phishing.
The Browse-Secure extension also states that it will make your search engine secure. I am not sure how it achieves that, but it does cause search redirects to occur when you browse from the address bar or using Google, MyWebSearch, Bing, MSN, Ask, WoW, MyWay, AOL, & SearchLock.
When installed, it will cause a small lock to appear in the search forms of targeted search engines as seen below.
When a user performs a search, it will first send that search to http://www.browse-secure.com/search?a=[extension_id]&q=[search_query], which then redirects you back to Google. This allows the developer to track queries and associated IP addresses.
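The two requests described above (the UID request to the backend server and the search redirect) can be looked for in web proxy logs. The following is an added example, not code from the extension or from the original article; the `<client_ip> <url>` log format, the function names, and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the article text.
BACKEND_HOST = "backend.chupashop.com"
BACKEND_PATH = "/getuid4search"
REDIRECT_HOST = "www.browse-secure.com"
REDIRECT_PATH = "/search"


def classify(url):
    """Return (kind, detail) if the URL matches Browse-Secure traffic, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == BACKEND_HOST and parts.path == BACKEND_PATH:
        return ("uid_request", None)
    if host == REDIRECT_HOST and parts.path == REDIRECT_PATH:
        params = parse_qs(parts.query)
        # Only the a=<extension_id>&q=<query> shape is the tracked search redirect.
        if "a" in params and "q" in params:
            return ("search_redirect", {"ext": params["a"][0], "query": params["q"][0]})
    return None


def scan(log_lines):
    """Group hits by client address. Assumed line format: '<client_ip> <url>'."""
    hits = defaultdict(list)
    for line in log_lines:
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue  # skip malformed lines
        client, url = fields[0], fields[1].strip()
        match = classify(url)
        if match:
            hits[client].append(match)
    return dict(hits)


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "10.0.0.5 https://backend.chupashop.com/getuid4search",
    "10.0.0.5 http://www.browse-secure.com/search?a=EXAMPLE_EXT_ID&q=quarterly+report",
    "10.0.0.7 https://www.google.com/search?q=browse-secure.com",
    "10.0.0.8 http://www.browse-secure.com/",
]

if __name__ == "__main__":
    for client, events in scan(SAMPLE_LOG).items():
        print(client, events)
```

A client that shows both event kinds has most likely had the extension installed and then used it for a search; the `query` field shows what was exposed to the redirect server.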
It is important for all Chrome users to be extremely wary of extensions promoted via web sites that use messages stating that they can secure your computer, make browsing safe and anonymous, or offer "enhanced" search functionality. Most of these extensions do nothing more than track your searches, inject advertisements, or redirect you to partner sites to generate advertisement revenue.
It has also become common for extensions to be used for more nefarious purposes, such as injecting cryptocurrency miners, stealing contact info as described above, and rerouting you into a domain registration scheme.
Therefore, Chrome users should not install any extension until they visit the Chrome Web Store page and read the reviews and do research to see if it looks trustworthy.
SHA256: 3429edf014d2d29eb178ae8dfd8ae696554b8fbed211c9c6f699f0b40048b560
Chrome ID: dgmncbgjgnpjpcamfldonocohjemapfj