Chrome Extension Hijacks Search Results While Filtering Trump from the Web

While doing my normal scan through various sites that are known to push unwanted programs, I ran across a new version of a Chrome extension family that hijacks searches done on Google and other search engines. In addition to hijacking searches, this new variant, called “Affirmativo – Keep Safe!”, also removes web site content that contains the string “Trump”. This behavior, though, is not indicated in the extension’s description shown below.

Chrome Store Page for this Extension
Chrome Store Page for this Extension

While filtering out web content about President Trump is not new, this is the first time I have seen an unwanted program performing this behavior without a user’s knowledge. Furthermore, it is unknown whether this behavior is being used to prevent readers from seeing negative stories about Trump, or on the flip side, positive stories about him.

Removing Trump from the Web

When the Affirmativo – Keep Safe! extension is installed it will perform a case-insensitive search for the string “Trump” and make it so the string’s container is not displayed. This will effectively remove any paragraph, or even an entire page, that contains the word Trump. You can see this behavior in action with the video below.

As you can see in one of the extension’s scripts below,  it searches for the word Trump and if detected, applies the jQuery fadeout effect to the matched containers in order to hide the text from the page.

Trump Filter Script
Trump Filter Script

When it removes content that contains the word “Trump”, it will also increment a counter that keeps track of all “Trumps removed”. This counter can be seen in the extension options.

Extension Options
Extension Options

Hijacking your Web Search

While the removal of Trump content makes this extension stand out more than the other variants in this family, the main goal of this extension is to hijack search queries done on popular search engines and from the Chrome’s address bar. When installed, if a user searches on  Google, Bing, Ask.com, Aol.com, Wow.com, Searchlock.com, and Duckduckgo.com, instead of the search results being returned from the search engine, the user is instead redirected to Yahoo. It is unknown why this behavior is occuring, but my guess is that the developers probably have a revenue share on the ads shown in the Yahoo search results.

The extension’s script that is performing this behavior can be seen below. As you can see if a user performs a search on any of the listed search engines, the query will instead be sent first to allgfind.com, which then currently redirects to Yahoo.com.

Search Redirect Script
Search Redirect Script

For those who may have this extension installed, or are exhibiting similar behavior, you can try removing the extension. If that does not help, you can use our Affirmativo – Keep Safe! Chrome Extension Removal Guide.

 Source:https://www.bleepingcomputer.com/news/security/chrome-extension-hijacks-search-results-while-filtering-trump-from-the-web/