Fake Perplexity AI Chrome Extension Exposed: Malicious Add-on Secretly Hijacks Searches and Monitors User Activity + Video

Introduction: When AI Popularity Becomes a Weapon for Cybercriminals

Artificial intelligence has transformed the way millions of people search for information. Services like Perplexity AI have gained enormous popularity by delivering direct, conversational answers instead of traditional search results. Unfortunately, wherever trust grows, cybercriminals quickly follow.

Security researchers have uncovered a dangerous Chrome extension disguising itself as an official Perplexity AI tool. Instead of enhancing the browsing experience, the extension silently intercepted search traffic, modified browser settings, and gathered browsing-related information without users fully understanding what was happening. While investigators found no evidence that passwords or credentials were stolen, the technical capabilities of the extension reveal that it could have evolved into something far more dangerous.

A Fake AI Extension Hiding in Plain Sight

Microsoft Threat Intelligence has identified a malicious Chrome extension published in the Chrome Web Store under the misleading name “Search for perplexity ai.” The extension was carefully designed to imitate the branding of the legitimate Perplexity AI service, making it difficult for many users to recognize the deception.

Instead of functioning as a genuine AI assistant, the extension redirected browser searches through attacker-controlled infrastructure before forwarding requests to legitimate search engines. To unsuspecting users, everything appeared to work normally, making the surveillance nearly invisible.

The discovery highlights how cybercriminals increasingly rely on social engineering rather than sophisticated exploits. By exploiting user trust instead of browser vulnerabilities, attackers can collect valuable data while remaining undetected for extended periods.

Understanding the Real Perplexity AI

Perplexity AI has rapidly become one of the most recognized AI-powered research assistants. Unlike conventional search engines that return pages of links, Perplexity AI gathers information from multiple sources and presents concise, conversational answers.

Its official services are available through web browsers, Android devices, iPhones, desktop applications, and an official Chrome extension called “Perplexity – AI Search.”

The fake extension copied this identity while directing users toward a suspicious domain, perplexity-ai[.]online, instead of the legitimate perplexity.ai domain. This small difference is exactly the type of detail attackers depend upon, knowing many users rarely inspect URLs before installing browser extensions.

How the Malicious Extension Hijacked Browser Searches

Once installed, the extension immediately modified

Rather than allowing searches to travel directly from the browser to the user’s chosen search engine, every query typed into Chrome’s address bar first traveled through attacker-controlled servers.

This technique effectively transformed the extension into a middleman capable of observing every search request before passing it along to the intended destination.

Microsoft researchers explained that the extension abused the chrome_settings_overrides manifest key. That key lets an extension register a search_provider entry and mark it is_default; the provider's search_url is where Chromium-based browsers send every query typed into the address bar (the Omnibox). Pointing that URL at an attacker-controlled host therefore hands the attacker every Omnibox query, and the attacker's server then forwards it to a real search engine.

Because users still received legitimate search results afterward, most victims would never suspect that every request had already been logged on the way through.

The Hidden Infrastructure Behind the Attack

Microsoft’s investigation extended beyond the browser extension itself.

Researchers discovered logging mechanisms running on the remote infrastructure receiving intercepted search requests. These logs strongly suggested that the data collection was not accidental but intentionally engineered into the service.

Rather than performing simple redirects, the backend systematically recorded browser activity, demonstrating clear evidence of surveillance infrastructure designed to profile users over time.

The combination of browser-side manipulation and server-side logging created an efficient system capable of collecting extensive browsing intelligence.

Dangerous Chrome Permissions Raise Serious Concerns

One of the most alarming discoveries involved the permissions requested by the extension.

It requested permissions from Chrome's Declarative Net Request (DNR) family (declarativeNetRequest, declarativeNetRequestWithHostAccess and declarativeNetRequestFeedback), which let an extension:

Redirect network requests to other URLs

Rewrite URLs and request or response headers

Block or filter browser requests

Observe which of its own rules matched which requests (the feedback permission)

These permissions far exceed what an ordinary AI assistant requires.

While legitimate browser extensions may request certain permissions for functionality, Microsoft’s researchers emphasized that this collection of privileges was inconsistent with expected AI search behavior.

Such extensive access dramatically increases the attack surface available to malicious operators.

No Password Theft Today Does Not Mean Safety Tomorrow

Microsoft reported that investigators found no evidence indicating that usernames, passwords, authentication tokens, or sensitive credentials had been stolen.

However, this should not be interpreted as reassurance.

The permissions granted to the extension would have provided attackers with opportunities to significantly expand their operations through future updates.

Once users trust an extension and automatic updates remain enabled, operators can quietly introduce additional malicious capabilities without requiring another installation.

This flexibility makes browser extensions one of the most dangerous long-term attack vectors in modern cybersecurity.

User Profiling Can Become a Powerful Weapon

Even without stealing passwords, intercepted browsing activity carries enormous value.

Search history can reveal:

Personal interests

Medical concerns

Financial intentions

Travel plans

Business research

Political interests

Shopping behavior

Professional activities

Over time, this information enables highly detailed digital profiling.

Such profiles can later support targeted phishing campaigns, identity theft, financial scams, social engineering operations, or corporate espionage.

Information itself has become one of the most valuable assets in today’s cybercrime ecosystem.

Who Should Take Immediate Action?

Microsoft specifically warned that anyone who installed the extension with the following ID should remove it immediately:

flkebkiofojicogddingbdmcmkpbplcd

The ID is the 32-letter name of the extension's directory under the browser profile's Extensions folder; it also appears in the extension's Chrome Web Store URL and on chrome://extensions once Developer mode is switched on.

As an additional precaution, users are encouraged to rotate passwords for important online accounts, particularly if those accounts were accessed while the extension remained installed.

Although no credential theft has been confirmed, adopting preventive security measures significantly reduces future risk.

Browser Extensions Continue to Be an Overlooked Security Risk

Browser extensions have become incredibly popular because they offer convenience with only a single click.

Unfortunately, every installed extension introduces another component capable of reading web pages, intercepting traffic, modifying browser behavior, and interacting with online services.

Many users spend considerable effort protecting operating systems while ignoring browser extensions that often possess equally powerful permissions.

Cybercriminals recognize this imbalance and increasingly disguise malware as productivity tools, AI assistants, cryptocurrency utilities, PDF converters, VPNs, and shopping helpers.

The rapid growth of AI applications has simply created another attractive disguise.

Why AI Branding Has Become a Favorite Cybercrime Strategy

Artificial intelligence dominates

New AI tools emerge almost weekly, creating excitement among users eager to improve productivity.

Attackers exploit this enthusiasm by cloning logos, names, interfaces, and marketing language from well-known AI brands.

Users often install extensions without carefully reviewing publishers, permission requests, developer history, or official websites.

As AI adoption accelerates worldwide, fake AI software will likely become one of the fastest-growing categories of malware distribution.

Education and verification remain the strongest defenses.

Deep Analysis: Security Investigation and Defensive Commands

Security professionals investigating a potentially malicious browser extension can perform the following checks on a Linux system. The paths below are for Google Chrome; Chromium keeps its profile under ~/.config/chromium, and any profile other than Default has its own directory alongside it. Run the network checks while reproducing an address-bar search so that the extension's traffic is actually generated.

List installed extensions (one directory per extension ID, one subdirectory per installed version):

ls ~/.config/google-chrome/Default/Extensions/

Search the whole profile for the known-bad extension ID:

grep -R "flkebkiofojicogddingbdmcmkpbplcd" ~/.config/google-chrome/

Find any installed manifest that overrides browser settings or declares Declarative Net Request capabilities, then read those manifests by hand:

find ~/.config/google-chrome/Default/Extensions -name manifest.json -exec grep -l -e chrome_settings_overrides -e declarativeNetRequest -e declarative_net_request {} +

Check which default search provider the profile currently records (Chrome keeps tracked settings in Secure Preferences, so check both files):

grep -o '"default_search_provider_data"[^}]*' ~/.config/google-chrome/Default/Preferences ~/.config/google-chrome/Default/"Secure Preferences"

Review enterprise policies actually applied to Chrome (the profile Preferences file holds user settings, not policy; chrome://policy in the browser shows the same information):

ls -R /etc/opt/chrome/policies/ 2>/dev/null

Check whether a running Chrome was launched with an unpacked extension side-loaded from the command line:

pgrep -a chrome | grep -e load-extension -e disable-extensions-except

Inspect DNS activity to see which hostnames the browser resolves:

sudo tcpdump -i any -n port 53

Show active TCP sessions with their owning process (outbound HTTPS is port 443):

sudo ss -tpn '( dport = :443 )'

List all open network sockets per process:

sudo lsof -i -nP

Identify browser files modified in the last seven days:

find ~/.config/google-chrome -type f -mtime -7

Search the profile for the attacker domain named in Microsoft's report (the dot is escaped so it matches literally):

grep -Ri "perplexity-ai\.online" ~/.config/google-chrome/

Check which DNS resolver the system is using:

resolvectl status

Review firewall rules:

sudo iptables -L -n -v

Capture browser traffic for offline analysis:

sudo tcpdump -i any -n -w browser_capture.pcap 'port 53 or port 443'

Extract DNS queries and TLS server names from the capture:

tshark -r browser_capture.pcap -Y 'dns.flags.response == 0 || tls.handshake.type == 1' -T fields -e ip.dst -e dns.qry.name -e tls.handshake.extensions_server_name

Inspect user-level startup entries:

systemctl --user list-unit-files && ls ~/.config/autostart/

Check scheduled tasks:

crontab -l

Scan downloaded files:

clamscan -r ~/Downloads

Review recent system log entries around the time the extension was installed:

sudo journalctl -xe

Update the operating system:

sudo apt update && sudo apt upgrade

Keeping browsers updated, auditing installed extensions regularly, limiting unnecessary permissions, and verifying extension publishers should become routine cybersecurity practices for both individuals and organizations.

What Undercode Says:

The fake Perplexity AI extension is another reminder that cybercriminals increasingly exploit trust instead of technical weaknesses. Rather than breaking into systems through complex vulnerabilities, attackers simply imitate popular services and wait for users to install them voluntarily. This campaign demonstrates how browser extensions have evolved into sophisticated surveillance tools: the attack required no exploit against Chrome itself, it leveraged legitimate browser functionality, and that makes detection significantly harder.

Users often assume software available in official stores is automatically safe. History repeatedly proves otherwise: official marketplaces reduce risk, but they do not eliminate it. Extension permissions deserve the same scrutiny as mobile application permissions, and every requested privilege should have a clear justification. Redirecting search traffic is an unusually powerful capability that most AI assistants never need.

Server-side logging reveals intentional collection rather than accidental behavior, and that distinction matters: the infrastructure was engineered to observe user activity. Even without credential theft, browsing intelligence has tremendous value, because modern cybercrime increasingly monetizes behavioral data. Search history exposes habits, habits reveal identity, and identity fuels targeted attacks. Future extension updates could dramatically expand malicious functionality, so automatic updates remain both a convenience and a security concern.

Organizations should continuously audit browser extensions across employee devices, endpoint detection should include browser telemetry, and security awareness training must now include browser extension verification. Developers of legitimate AI services should strengthen brand verification and communicate their official domains clearly, and users should bookmark trusted websites. Blind installation based on branding is no longer safe: attackers are becoming marketing experts, and AI popularity guarantees additional impersonation campaigns.

Browser security must extend beyond antivirus software. Extension ecosystems require stronger review mechanisms, permission transparency should be more visible to users, and threat intelligence sharing remains essential. Microsoft's public disclosure limits the damage this extension can still do, and the cybersecurity community benefits when researchers publish detailed findings. Trust should always be verified, especially when artificial intelligence is involved.

✅ Microsoft Threat Intelligence publicly reported the discovery of a malicious Chrome extension impersonating Perplexity AI and described how it intercepted browser search traffic.

✅ Investigators found no confirmed evidence that passwords or user credentials were stolen, although the extension possessed permissions capable of supporting broader surveillance or future malicious functionality.

✅ The recommendation to remove the extension immediately and change important account passwords as a precaution is consistent with standard cybersecurity incident response practices when potentially malicious browser software has been installed.

Prediction

(+1) AI companies will increasingly introduce stronger verification mechanisms, digitally signed browser extensions, enhanced publisher validation, and improved user education to reduce successful impersonation attacks across browser marketplaces.

(-1) Cybercriminals are likely to intensify attacks using fake AI brands, trusted productivity tools, and browser extensions because these techniques continue to deliver valuable user data while avoiding traditional malware detection methods.

References:

Reported By: www.bleepingcomputer.com