Search Hijacking 101

Search hijacking is a very simple type of fraud. A user with one of these extensions installed who types a search engine like Google.com into their browser address bar and intends to conduct a Google search will have their search intercepted and sent to one of several search domains set up by the perpetrator. These perpetrators monetize this traffic by placing their own ads on the search results pages. In this case, Microsoft provides both the ads and search results to the search hijacker, becoming an unwitting victim funding this fraud.
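The interception described above leaves a recognisable trace in web-proxy logs: a query sent to a known search engine is followed, within seconds, by the same search term arriving at a host that is not a search engine at all. The following Python script is an added example, not code from the article or from any of the parties it names. It runs over a few constructed proxy log lines (timestamp, client address, URL) and flags every search term that reappears at an unlisted host inside a short time window; the relay host names ending in .example are placeholders, and the known-engine list and 60-second window are assumptions for the demonstration.

```python
"""Detect search hijacking relays in proxy logs (added example, constructed data)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Search engines a user may legitimately type into the address bar, with the
# query-string parameter that carries the search term (assumed allowlist).
KNOWN_SEARCH_HOSTS = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "duckduckgo.com": "q",
}

# How soon after a legitimate search a relayed copy must appear to be flagged.
WINDOW = timedelta(seconds=60)

# Constructed sample log: "<ISO timestamp> <client ip> <url>". Hosts ending in
# .example are placeholders standing in for rotating hijacker domains.
SAMPLE_LOG = """\
2019-12-10T09:00:01 10.0.0.5 https://www.bing.com/search?q=airpods
2019-12-10T09:00:02 10.0.0.5 https://relay-one.example/search?q=airpods
2019-12-10T09:02:30 10.0.0.5 https://news.example/?q=airpods
2019-12-10T09:05:10 10.0.0.7 https://www.google.com/search?q=weather+boston
2019-12-10T09:05:11 10.0.0.7 https://www.google.com/complete/search?q=weather
2019-12-10T09:10:00 10.0.0.9 https://www.google.com/search?q=flight+status
2019-12-10T09:10:40 10.0.0.9 https://relay-two.example/results?term=Flight+Status
2019-12-10T09:11:00 10.0.0.9 https://www.bing.com/search?q=flight+status
"""


def normalize(term):
    """Lower-case and collapse whitespace so 'Flight  Status' matches 'flight status'."""
    return " ".join(term.lower().split())


def parse_line(line):
    """Split one log line into (datetime, client ip, parsed URL)."""
    ts, client, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, urlsplit(url)


def find_hijacks(log_text, window=WINDOW):
    """Return (client, engine_host, relay_host, term) for every search term that
    reappears at a non-allowlisted host within `window` of the original search."""
    recent = defaultdict(deque)  # client -> deque of (time, engine_host, term)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, parts = parse_line(line)
        host = parts.hostname or ""
        seen = recent[client]
        # Forget searches older than the window; a late match is not a relay.
        while seen and ts - seen[0][0] > window:
            seen.popleft()
        if host in KNOWN_SEARCH_HOSTS:
            values = parse_qs(parts.query).get(KNOWN_SEARCH_HOSTS[host])
            if values:
                seen.append((ts, host, normalize(values[0])))
            continue
        # Unlisted host: check every query parameter, since hijackers do not
        # necessarily reuse the engine's parameter name.
        params = {normalize(v[0]) for v in parse_qs(parts.query).values() if v}
        for _, engine, term in seen:
            if term in params:
                findings.append((client, engine, host, term))
                break
    return findings


def relay_hosts(findings):
    """Count findings per relay host; useful because the hosts rotate frequently."""
    return Counter(relay for _, _, relay, _ in findings)


if __name__ == "__main__":
    hits = find_hijacks(SAMPLE_LOG)
    for client, engine, relay, term in hits:
        print(f"{client}: search '{term}' sent to {engine} relayed to {relay}")
    print("relay hosts:", dict(relay_hosts(hits)))
```

The third sample line shows the window at work: the same term reaching news.example two and a half minutes later is not flagged, which keeps ordinary browsing (a user pasting a term into another site) out of the findings. The script keys on the search term rather than on a domain list precisely because, as the article notes, the perpetrators rotate their domains.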

Perhaps the biggest irony is that Microsoft’s own Bing.com searches are also hijacked by the extensions and re-sold back to Microsoft.

Bing.com Search Hijacking

For example, a search for “airpods” on Bing leads to a Search Encrypt search results page that has more ads than search results. A user would have to have the stamina to scroll through 10 text ads from Microsoft and then 5 image ads before coming to an organic search result. You, the Medium reader, may also test your own stamina, as I have embedded a screenshot of the exact page after the footnotes at the end of the article.

We have identified major US advertisers such as American Express, Amazon.com, BestBuy, Coca-Cola, Dell, Disney, HP, PayPal and Walmart whose ads appear on these search hijacking sites [Appendix A]. The ads are supplied by Microsoft Advertising, part of Microsoft’s Search division which generated $7.6 billion in fiscal 2019 [1]. The perpetrators of this fraud regularly rotate the websites that they are using, which makes it difficult for advertisers to identify and stop their advertising dollars from funding this fraud.

Search Encrypt Results Page (partial screenshot, see Appendix B for full screenshot)

The Chinese Connection

Genimous Technology Co Ltd, a public company traded on the Shenzhen Stock Exchange under the symbol 000676, is the 12 billion CNY ($1.7 billion USD) company that is behind these extensions [2]. Their ownership is concealed through shell companies set up in offshore jurisdictions, like Polarity Technologies Ltd in Cyprus and EightPoint Technologies Ltd in the Cayman Islands, but can be traced through analysis of the browser extensions' terms of service and contact information [3, 4]. Based on public filings, in the first 6 months of 2019, Genimous made 900,296,410.76 CNY ($125 million USD) from its overseas division, which generates its revenues from ads on search results pages [5, 6 (page 15 of the PDF)], for a $250 million yearly run rate.

Genimous subsidiary EightPoint Technologies claims to have 10 million users and to generate at least 5 billion searches a year [7]. Microsoft Bing sees 5.5 billion searches a month [8]. This implies Genimous could be responsible for driving 10% of the searches on Bing, which may not be an unreasonable assumption since we have identified almost 7 million active users of their extensions. Even at 1 search a day, 7 million users will generate 2.5 billion searches a year.

A Threat to National Security?

More concerning for users may be that Genimous is collecting and storing sensitive user data, including search queries, on Chinese servers, where the data are subject to Chinese laws on data privacy, notwithstanding the extensions’ privacy policies, which can be modified at any time. While their privacy policies claim not to store “identifying” user data, past research has found how easy it is to de-anonymize data. Potentially sensitive searches could then be linked to users.

These same privacy concerns have sparked a national security investigation into TikTok because as a Chinese company, the “company must still adhere to Chinese law on supplying information to the government” [9]. However, while TikTok hosts fun and light-hearted content, the Genimous search hijacker extensions are marketed toward users who are seeking a private search engine and who may be surprised that their most sensitive searches are being stored by a Chinese company making promises that it cannot legally keep. Arguably, searches that reveal or imply a user’s sexual orientation or health status are far more damaging in the wrong hands than a funny TikTok video.

The marketing for Search Encrypt leaves little to the imagination as to the kind of searches that they are catering to [10]. These searches are also the most personal and deeply sensitive kind, exactly the kind of searches you wouldn’t want a foreign power to have access to. The forced divestment of the dating app Grindr from Chinese ownership is a case in point.

Moat Advertiser Report

Mozilla Takes a Stand

Mozilla, the maker of the popular Firefox browser, appears to have taken some preliminary steps to mitigate search hijacking with add-on policies [11] that prohibit search interception:

Search functionality provided or loaded by the add-on must not collect search terms or intercept searches that are going to a third-party search provider.

At the time of publication, however, the Genimous extensions are still active in the Firefox add-on store.

Update on 12/13/2019: Mozilla appears to have removed the Genimous extensions from the add-on store. This action, however, would only stop new users from having their searches hijacked. It is unclear if extensions that were installed in the past have also been disabled by Mozilla, or if existing users are still having their searches hijacked.

Next Steps

In the online advertising world, fraud has generally been seen as a scourge in the ad exchange space. Search advertising has been spared that level of scrutiny. As a result, standards like ads.txt that protect publishers on ad exchanges and ensure that bad actors are prevented from the unauthorized resale of publisher inventory are sorely missing when it comes to search advertising. Even the biggest publishers like Google and Bing are victims of search hijacking.

Browser extensions can only be distributed through the extension stores with the approval of the browser vendors. Mozilla has taken action. Will Google step up and stop the search hijackers?

Update on 12/13/2019: The full Search Encrypt screenshot was moved to the end of the article to improve readability. A section on advertisers affected by this fraud was added.