Cyble – Over 2 Million Users Affected With Browser Hijackers

Cyble researchers uncovered Chrome extensions that hijack browsers and redirect user searches for monetary gain, affecting over two million users. The extensions modify default search engines, open persistent tabs, and route traffic through multiple redirects to collect data and serve ads, with ties to a STOPPROPAGANDA campaign and potential Russian government site redirects.

Keypoints

  • CRIL identified three Chromium-based browser hijacker plugins active on the Chrome Web Store that impacted over 2 million users.
  • Hijacker Plugin 1: WebSecurerr Browser Protection alters search behavior, blocks reversions to default settings, and redirects queries through go.searchsecurer[.]com to Yahoo; it also loads a JSON domain list that may flag legitimate sites.
  • The code suggests a STOPPROPAGANDA linkage, with a route to a Russian government site when a flagged URL is clicked, though the warning-code path may be nonfunctional.
  • Hijacker Plugin 2: UltraSurf Security, Privacy & Unblock VPN changes the default search to smartwebfinder[.]com, relies on proxy APIs, and opens ultrasurfing[.]com while performing ad-related activity; it has over 800K installs.
  • This extension’s manifest and network activity show that it uses the webRequest, storage, and proxy APIs, and that searches ultimately land on Bing after multiple redirects, delaying results.
  • Hijacker Plugin 3: Internet-Start redirects searches to internet-start[.]net, claims ad-blocking but displays ads; it collects user data for targeted advertising and uses Yandex Metrics and AdSense.
  • Common themes include data collection for ads, traffic redirection, and persistent modifications to search behavior across Chrome/Chromium browsers.
  • Our recommendations emphasize source verification, avoiding default settings reversion, and removing malicious extensions via browser settings or a reputable antivirus solution.

MITRE Techniques

  • [T1090] Proxy – The extension uses the chrome.proxy API to route and manipulate traffic, including multiple redirects and search query handling. Quote: ‘This extension requires following the browser’s permission to access chrome’s built-in APIs: webRequest, storage, proxy’

Indicators of Compromise

  • [Domain] go.searchsecurer[.]com, [Domain] searchsecurer[.]com – domains involved in redirecting search queries
  • [Domain] smartwebfinder[.]com – domain used for altered search results
  • [Domain] ultrasurfing[.]com – domain opened by the UltraSurf plugin
  • [Domain] internet-start[.]net – domain used by the Internet-Start plugin
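The traits the summary describes (the proxy/webRequest permission set behind the T1090 mapping, overridden default search providers, and the hijacker domains in the IoC list) can be checked mechanically against extensions already installed in a Chrome or Chromium profile. The script below is an added example written for this page, not Cyble’s code or tooling from the report: it reads an unpacked extension’s manifest.json and JavaScript sources, flags the permission combination, and matches any default-search override or hard-coded hostname against the IoC domains above. The `webRequestBlocking` permission and the constructed sample manifest are assumptions added for illustration and are not taken from the report.

```python
"""Triage unpacked Chrome/Chromium extensions for the browser-hijacker traits
described in the Cyble summary (example code added to this page, not from the report)."""
import json
import re
import sys
from pathlib import Path


def refang(domain: str) -> str:
    """Turn a defanged indicator such as foo[.]com back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


# Indicators of compromise from the list above, refanged for matching.
HIJACKER_DOMAINS = {refang(d) for d in (
    "go.searchsecurer[.]com", "searchsecurer[.]com", "smartwebfinder[.]com",
    "ultrasurfing[.]com", "internet-start[.]net",
)}

# Permissions the report ties to traffic manipulation (T1090 Proxy). "webRequestBlocking" is
# an assumption added here because it is what lets an MV2 extension rewrite requests.
TRAFFIC_PERMISSIONS = {"proxy", "webRequest", "webRequestBlocking"}

# Loose hostname matcher; good enough to pull domains out of URLs and JS string literals.
DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def domains_in(text: str) -> set:
    """All hostname-looking tokens in text, lower-cased."""
    return {m.lower() for m in DOMAIN_RE.findall(text)}


def analyze_manifest(manifest: dict) -> list:
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hit = perms & TRAFFIC_PERMISSIONS
    if hit:
        findings.append("traffic-manipulation permissions: " + ", ".join(sorted(hit)))

    # chrome_settings_overrides is the manifest key that changes the default search engine,
    # homepage and startup pages; hijackers use it to pin their own search URL.
    overrides = manifest.get("chrome_settings_overrides", {})
    provider = overrides.get("search_provider")
    if provider:
        search_url = provider.get("search_url", "")
        bad = domains_in(search_url) & HIJACKER_DOMAINS
        if bad:
            findings.append("default search provider points at known hijacker domain: "
                            + ", ".join(sorted(bad)))
        else:
            findings.append("overrides default search provider: " + search_url)
    if overrides.get("homepage") or overrides.get("startup_pages"):
        findings.append("overrides homepage/startup pages")
    return findings


def analyze_source(js_text: str) -> list:
    """Flag hard-coded references to the IoC domains inside extension JavaScript."""
    bad = domains_in(js_text) & HIJACKER_DOMAINS
    return [f"references hijacker domain {d}" for d in sorted(bad)]


def scan_extension(ext_dir: Path) -> dict:
    """Scan one unpacked extension directory (e.g. <profile>/Extensions/<id>/<version>/)."""
    findings = []
    manifest_path = ext_dir / "manifest.json"
    if manifest_path.is_file():
        manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        findings += analyze_manifest(manifest)
    for js_file in ext_dir.rglob("*.js"):
        findings += analyze_source(js_file.read_text(encoding="utf-8", errors="ignore"))
    return {"path": str(ext_dir), "findings": findings}


# Constructed sample manifest (not from the report) showing what a hit looks like.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Search Helper",
    "permissions": ["storage", "proxy", "webRequest", "webRequestBlocking"],
    "chrome_settings_overrides": {
        "search_provider": {
            "search_url": "https://smartwebfinder.com/search?q={searchTerms}",
            "is_default": True,
        }
    },
}


def demo() -> list:
    """Run the manifest checks on the constructed sample and return the findings."""
    return analyze_manifest(SAMPLE_MANIFEST)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for ext in Path(sys.argv[1]).iterdir():   # directory containing unpacked extensions
            if ext.is_dir():
                print(json.dumps(scan_extension(ext), indent=2))
    else:
        print("\n".join(demo()))
```

Point the script at a profile’s Extensions directory to triage every installed extension at once; a hit on the permission set alone is only a lead (VPN and privacy tools legitimately request proxy and webRequest), whereas a default search provider or source code pointing at one of the listed domains is the concrete match the report describes.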

Read more: https://blog.cyble.com/2022/11/22/over-2-million-users-affected-with-browser-hijackers/