Thanks for your interesting article (and the other ones too!). There are way more dangerous things one can do with the power to inject arbitrary JavaScript code into each and every website. Mind you: just because these extensions monetized by redirecting search pages two years ago, it doesn’t mean that they still limit themselves to it now. No proof, but serasearchtopcom/search/?q=test redirects to Google. The domain is no longer active, but this likely merely means that they switched to a lesser-known name. If you search for it, you’ll find plenty of discussions on how to remove malware from your computer. Small correction: the website in question was actually called CharmSearchingcom. There is a similar two-year-old review on the OneCleaner extension: Maybe it is a fake form only meant to increase customer satisfaction? Yes, I’ve never heard about the “Report abuse” link in Chrome Web Store producing any result. I’m pretty certain that these users reported the extension back then, yet here we still are. So it would seem that at least back in 2021 (yes, almost two years ago) the monetization approach of this extension was redirecting search pages. Finally, a bunch of Brisk VPN reviews mention the extension being malicious, sadly without explaining how they noticed. But I found my answer in the reviews for the Image Download Center extension: There are also just as many reviews complaining about functional issues: people notice that these extensions aren’t really being developed. Many reviews for these extensions appear to be fake. So I went checking out what other people say. Maybe it’s not currently active, maybe it only activates some time after installation, or maybe I have to be in a specific geographic region. The configuration data produced by serasearchtopcom is always empty for me. What does it actually do? As with PDF Toolbox, I cannot observe the malicious code in action.
So these extensions are meant to inject some arbitrary JavaScript code into every website you visit. Its purpose is making two very specific function calls, from the look of it: and. The extension logic remains exactly the same however. The extensions using the Day.js variant are newer, and the code has been obfuscated more thoroughly here. The WebExtension Polyfill variant appears to be older: the extensions using it usually had their latest release at the end of 2021 or early in 2022. It downloads data from and stores the mangled timestamp in localStorage.locale. Both variants keep the code of the original module; the malicious code has been added on top.