While doing my normal scan through various sites that are known to push unwanted programs, I ran across a new version of a Chrome extension family that hijacks searches done on Google and other search engines. In addition to hijacking searches, this new variant, called “Affirmativo – Keep Safe!”, also removes web site content that contains the string “Trump”. This behavior, though, is not indicated in the extension’s description shown below.
While filtering out web content about President Trump is not new, this is the first time I have seen an unwanted program performing this behavior without a user’s knowledge. Furthermore, it is unknown whether this behavior is being used to prevent readers from seeing negative stories about Trump, or on the flip side, positive stories about him.
Removing Trump from the Web
When the Affirmativo – Keep Safe! extension is installed, it performs a case-insensitive search for the string “Trump” and hides the string’s container. This effectively removes any paragraph, or even an entire page, that contains the word Trump. You can see this behavior in action with the video below.
As you can see in one of the extension’s scripts below, it searches for the word Trump and, if detected, applies the jQuery fadeOut effect to the matched containers in order to hide the text from the page.
When it removes content that contains the word “Trump”, it will also increment a counter that keeps track of all “Trumps removed”. This counter can be seen in the extension options.
Hijacking your Web Search
While the removal of Trump content makes this extension stand out more than the other variants in this family, the main goal of this extension is to hijack search queries done on popular search engines and from Chrome’s address bar. When installed, if a user searches on Google, Bing, Ask.com, Aol.com, Wow.com, Searchlock.com, or Duckduckgo.com, the user is redirected to Yahoo instead of receiving results from the chosen search engine. It is unknown why this behavior is occurring, but my guess is that the developers probably have a revenue share on the ads shown in the Yahoo search results.
The extension’s script that is performing this behavior can be seen below. As you can see, if a user performs a search on any of the listed search engines, the query is first sent to allgfind.com, which currently redirects to Yahoo.com.
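For anyone reviewing an unpacked extension for the two behaviors described above (case-insensitive keyword hiding with fadeOut, and search queries rerouted through a third-party host), the following static triage heuristic is an added example, not code from the extension or from the original article. The function name, thresholds, sample scripts and the `?q=` parameter are constructed assumptions; only the search engine list and allgfind.com come from the text.

```javascript
// Search engines the article lists as affected (host fragments, lower case).
const SEARCH_HOSTS = ["google.", "bing.com", "ask.com", "aol.com", "wow.com",
                      "searchlock.com", "duckduckgo.com"];

// Heuristic static triage of one extension script: string in, findings out.
function triageExtensionScript(source) {
  const lower = source.toLowerCase();
  const engines = SEARCH_HOSTS.filter((h) => lower.includes(h));

  // Hosts named in absolute URLs, minus the search engines themselves.
  const urlHosts = [...lower.matchAll(/https?:\/\/([a-z0-9.-]+)/g)].map((m) => m[1]);
  const otherHosts = [...new Set(urlHosts)]
    .filter((h) => !SEARCH_HOSTS.some((s) => h.includes(s)));

  // Content hiding: a hide/fadeOut call in a script that also matches page text
  // case-insensitively (regex with the i flag, :contains, or lower-cased search).
  const hides = /\.(fadeOut|hide)\s*\(/.test(source);
  const matchesText =
    /:contains\(|\/[gmsuy]*i[gmsuy]*\.test\(|toLowerCase\(\)\.(indexOf|includes)\(/.test(source);

  return {
    enginesReferenced: engines,
    redirectCandidates: otherHosts,
    searchHijackSuspected: engines.length >= 3 && otherHosts.length > 0,
    contentHidingSuspected: hides && matchesText,
  };
}

// Constructed samples shaped like the behaviour described above (not the real scripts).
const SAMPLE_HIDER = `
  $("p, div").each(function () {
    if (/trump/i.test($(this).text())) { $(this).fadeOut(); removed++; }
  });`;
const SAMPLE_HIJACK = `
  var engines = ["google.", "bing.com", "ask.com", "duckduckgo.com"];
  if (engines.some(function (e) { return location.host.indexOf(e) !== -1; })) {
    location.href = "http://allgfind.com/?q=" + encodeURIComponent(query);
  }`;

console.log(triageExtensionScript(SAMPLE_HIDER));
console.log(triageExtensionScript(SAMPLE_HIJACK));
```

A hit from this heuristic is a reason to read the script by hand, not a verdict: legitimate extensions also hide elements and reference search engines.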
For those who may have this extension installed, or are exhibiting similar behavior, you can try removing the extension. If that does not help, you can use our Affirmativo – Keep Safe! Chrome Extension Removal Guide.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.