A new Chrome extension called Browse-Secure is promoted on the Chrome Web Store as being able to secure searches. What it does not tell you is that it is also crawling your LinkedIn and Facebook accounts and uploading your name, email address, gender, mobile number, and address to a remote server.

Browse-Secure promoted via misleading advertisements

Browse-Secure is promoted through web sites that show misleading advertisements with messages such as "Warning! Security Breach". They then go on to promote a Chrome extension that supposedly makes your browser "safe again". You can see an example of one of these advertisements below.

Misleading Advertisement

Once a user clicks on the Add Extension button, it will display a small prompt to install the extension.

Crawls Facebook and LinkedIn for your contact info

When the extension is installed, it will connect to its backend server at the URL https://backend.chupashop.com/getuid4search. This server will respond with a UID, or user ID, that is associated with this particular Chrome user and will be used for each subsequent request.

Registering a user and getting a UID

The extension will then read a set of rules from an included crawl.json file. These rules contain a list of URLs and associated regular expressions that will be used to extract information from a particular URL. You can see a portion of the crawl.json rules file below.

Crawl.json Rules File

The list of URLs and the information that is extracted from each one is:

| URL | Extracted Information |
|---|---|
| http://www.facebook.com/me/about | Name, First Name, Date of Birth |
| https://www.facebook.com/me/about?section=contact-info | Gender, Address |
| https://www.facebook.com/settings | Email Address |
| https://www.facebook.com/settings?tab=mobile | Mobile Phone |
| http://www.linkedin.com/psettings/email | Email Address |
| https://www.linkedin.com/profile/edit-basic-info | First Name, Last Name |

Once it retrieves the desired information, it will connect again to the backend server and upload this information to the developer.

Uploading Email

Uploading the Address and Gender

What the developers are using this information for is currently unknown. This information could, though, be used in a variety of ways such as unsolicited email and postal marketing and spear phishing.

What about its supposed search functionality?

The Browse-Secure extension also states that it will make your search engine secure. I am not sure how it achieves that, but it does cause search redirects to occur when you browse from the address bar or using Google, MyWebSearch, Bing, MSN, Ask, WoW, MyWay, AOL, & SearchLock.

When installed, it will cause a small lock to appear in the search forms of targeted search engines as seen below.

Lock Icon in Search Form

When a user performs a search, it will first send that search to http://www.browse-secure.com/search?a=[extension_id]&q=[search_query], which then redirects you back to Google. This allows the developer to track queries and associated IP addresses.
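Both network behaviours described in this article, the UID registration call to backend.chupashop.com and the search redirect through browse-secure.com, can be looked for in web proxy logs. The Python below is an added example, not code from the extension or from the original article; the log layout, the sample lines, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the article text.
BACKEND_HOST = "backend.chupashop.com"
REDIRECT_DOMAIN = "browse-secure.com"

# Constructed sample proxy log; the "<time> <client> <method> <url>" layout is an assumption.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.15 GET https://backend.chupashop.com/getuid4search
2024-01-01T10:00:09Z 10.0.0.15 GET http://www.browse-secure.com/search?a=EXAMPLEID&q=bank+login
2024-01-01T10:00:10Z 10.0.0.22 GET https://www.google.com/search?q=weather
2024-01-01T10:01:44Z 10.0.0.31 POST https://backend.chupashop.com/
2024-01-01T10:02:00Z 10.0.0.40 GET http://www.browse-secure.com/
truncated line
"""


def classify(url):
    """Return a label for a URL that matches the article's indicators, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == BACKEND_HOST:
        # /getuid4search is the UID registration call; anything else is other backend traffic.
        return "uid-registration" if parts.path.rstrip("/") == "/getuid4search" else "backend-contact"
    if host == REDIRECT_DOMAIN or host.endswith("." + REDIRECT_DOMAIN):
        params = parse_qs(parts.query)
        # The tracked search carries both the extension id (a) and the query (q).
        if parts.path == "/search" and "a" in params and "q" in params:
            return "search-redirect"
    return None


def scan(log_text):
    """Return (client, label) pairs; the search query itself is deliberately not copied."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed layout
        _time, client, _method, url = fields
        label = classify(url)
        if label:
            findings.append((client, label))
    return findings


if __name__ == "__main__":
    for client, label in scan(SAMPLE_LOG):
        print(client, label)
```

A client that shows both `uid-registration` and `search-redirect` hits is a strong candidate for having the extension installed; a plain visit to the browse-secure.com home page is not flagged.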

Chrome users need to be wary of extensions

It is important for all Chrome users to be extremely wary of extensions promoted via web sites that use messages stating that they can secure your computer, make browsing safe and anonymous, or offer "enhanced" search functionality. Most of these extensions do nothing more than track your searches, inject advertisements, or redirect you to partner sites to generate advertisement revenue.

It has also become common for extensions to be used for more nefarious purposes, such as injecting cryptocurrency miners, stealing contact info as described above, and rerouting you into a domain registration scheme.

Therefore, Chrome users should not install any extension until they visit the Chrome Web Store page and read the reviews and do research to see if it looks trustworthy.

IOCs

Hashes:

SHA256: 3429edf014d2d29eb178ae8dfd8ae696554b8fbed211c9c6f699f0b40048b560
Chrome ID: dgmncbgjgnpjpcamfldonocohjemapfj

Network Connections: