Malicious Extension Spoofs AI Platform to Intercept Searches
A fake browser extension impersonating Perplexity AI intercepted search queries, highlighting governance gaps in enterprise security.

Google has taken down a deceptive browser extension that mimicked Perplexity AI, following a report from Microsoft Threat Intelligence. The extension rerouted users' search traffic through attacker-managed servers before forwarding the queries to legitimate search engines. According to Microsoft, its main goal was to intercept search traffic and gather browsing data while preserving a normal browsing experience, which made the interception hard for users to notice.
Microsoft disclosed that the extension used Chromium's Manifest V3 APIs, as designed, to quietly intercept searches entered in the browser's address bar. The intercepted queries passed through attacker-controlled infrastructure before reaching legitimate search providers, which allowed the attackers to monitor search traffic covertly. The method relied on user trust rather than on any browser vulnerability.
The extension's removal by Google reflects a growing trend where attackers use the names and branding of popular AI platforms for phishing and malware distribution. Vibhum Dubey, an independent cybersecurity researcher, noted that the attack capitalized on user trust in AI tools, which often request extensive permissions.
Sushovan Mukhopadhyay, director analyst at Gartner, commented on the allure of AI brands as social engineering lures, particularly as enterprises rapidly adopt generative AI tools. He emphasized that the pace of AI adoption has outstripped the development of security governance, creating opportunities for exploitation. Browser extensions, he warned, can become invisible data collectors within an organization's workflow, exposing sensitive information.
Microsoft advised organizations to verify extension publishers, scrutinize permission requests, and monitor for unauthorized extensions. Gartner data suggests that by 2029, 30% of enterprises will employ secure enterprise browser technologies to enhance extension auditing and enforcement. To mitigate risks, browser extensions should be treated as governed enterprise software, with policies akin to those for other third-party suppliers.
What affected users should do: Users who installed this extension should immediately uninstall it and run a comprehensive malware scan on their devices. Regularly review browser extensions, scrutinize permissions, and stay informed on potential threats to maintain a secure browsing environment.
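The permission review and unauthorized-extension monitoring recommended above can be turned into a repeatable audit. The following script is an added example, not code from Microsoft, Google or the article: it takes parsed extension manifests plus an enterprise allowlist and flags extensions that are unapproved, replace the default search provider, or hold Manifest V3 permissions that let them observe or redirect traffic. The list of risky permissions and manifest keys is this example's own choice (all are real Chromium manifest keys), and the allowlist IDs and sample manifests are constructed placeholders.

```python
"""Audit Chromium extension manifests for unapproved publishers and risky permissions.

Added example (not from the Microsoft/Google report). Risk categories are chosen
by this example; allowlist IDs and sample manifests below are constructed.
"""
import json
from dataclasses import dataclass, field

# Manifest V3 permissions that let an extension observe, block, redirect or rewrite
# requests, i.e. the capability needed to route searches through a third party.
NETWORK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "declarativeNetRequestWithHostAccess", "declarativeNetRequestFeedback",
    "webNavigation", "proxy",
}
# Permissions that expose browsing data (tabs, history, cookies, page content).
DATA_PERMISSIONS = {"tabs", "history", "cookies", "scripting", "browsingData"}
# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    extension_id: str
    name: str
    severity: str = "low"
    reasons: list = field(default_factory=list)

    def add(self, severity, reason):
        self.reasons.append(f"[{severity}] {reason}")
        if SEVERITY_RANK[severity] > SEVERITY_RANK[self.severity]:
            self.severity = severity


def load_manifest(path):
    """Read an unpacked extension's manifest.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_manifest(extension_id, manifest, allowlist):
    """Return a Finding for one extension; an empty reasons list means nothing flagged."""
    finding = Finding(extension_id, manifest.get("name", "<unnamed>"))
    if extension_id not in allowlist:
        finding.add("high", "extension ID is not on the enterprise allowlist")
    perms = set(manifest.get("permissions", []))
    # MV2 put host patterns in "permissions"; MV3 moved them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    overrides = manifest.get("chrome_settings_overrides", {})
    if "search_provider" in overrides:
        url = overrides["search_provider"].get("search_url", "?")
        finding.add("high", f"replaces the default search provider with {url}")
    net = perms & NETWORK_PERMISSIONS
    if net:
        finding.add("high", f"can observe or redirect requests: {sorted(net)}")
    broad = hosts & BROAD_HOSTS
    if broad:
        finding.add("high", f"requests access to all sites: {sorted(broad)}")
    data = perms & DATA_PERMISSIONS
    if data:
        finding.add("medium", f"can read browsing data: {sorted(data)}")
    return finding


def audit_all(installed, allowlist):
    """installed: mapping of extension ID -> parsed manifest; highest severity first."""
    findings = [audit_manifest(eid, m, allowlist) for eid, m in installed.items()]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)


# Constructed allowlist of approved extension IDs (placeholders, not real IDs).
ALLOWLIST = {"approved-extension-id-0001"}

# Constructed manifests. The first has the traits of a search-intercepting lookalike;
# the second is a narrowly scoped, approved extension.
SAMPLE_INSTALLED = {
    "unknown-extension-id-9999": {
        "manifest_version": 3,
        "name": "AI Search Assistant (constructed lookalike)",
        "permissions": ["declarativeNetRequest", "tabs", "storage"],
        "host_permissions": ["<all_urls>"],
        "chrome_settings_overrides": {
            "search_provider": {
                "search_url": "https://search.example.invalid/?q={searchTerms}",
                "is_default": True,
            }
        },
    },
    "approved-extension-id-0001": {
        "manifest_version": 3,
        "name": "Corporate Password Manager (constructed)",
        "permissions": ["storage", "alarms"],
        "host_permissions": ["https://vault.corp.example/*"],
    },
}


def run_sample():
    return audit_all(SAMPLE_INSTALLED, ALLOWLIST)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity.upper():6} {f.extension_id}  {f.name}")
        for r in f.reasons:
            print("       -", r)
```

In practice the manifests come from each profile's extension directory (via `load_manifest`) or from an endpoint-management inventory, and the allowlist is the same set enforced by browser policy; a finding of "high" on an extension nobody approved is the signal to remove it and review what traffic it could have seen.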