A publicly listed Chinese company has used a series of offshore shell companies to conceal its ownership of browser extensions that purport to offer a private search engine to users.
Search Hijacking Extensions in Browser Stores
These extensions, with names like Search Encrypt and Hide My Searches, engage in a form of ad fraud called search hijacking, whereby searches are intercepted and redirected from one search engine to another.
Our research has identified almost 7 million users who are affected by these malware extensions, which are helping this company generate almost $250 million a year in revenue.
Search Hijacking 101
Search hijacking is a very simple type of fraud. A user with one of these extensions installed who types a search engine like Google.com into their browser address bar and intends to conduct a Google search will have their search intercepted and sent to one of several search domains set up by the perpetrator. These perpetrators monetize this traffic by placing their own ads on the search results pages. In this case, Microsoft provides both the ads and search results to the search hijacker, becoming an unwitting victim funding this fraud.
Perhaps the biggest irony is that Microsoft’s own Bing.com searches are also hijacked by the extensions and re-sold back to Microsoft.
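As an added illustration (not part of the original article and not the extensions' own code), the sketch below reviews an extension's manifest.json for two manifest-level capabilities that make the interception described above possible: a default search provider override, and request APIs scoped to search engine hosts. The article does not say which mechanism these extensions use; the host list and the sample manifest are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Assumption: the search engines whose traffic should reach them untouched.
SEARCH_HOSTS = ("google.com", "bing.com", "duckduckgo.com", "yahoo.com")
# webRequest can observe requests; the other two can also block or redirect them.
REQUEST_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}

def covers_search_host(pattern):
    """True if a match pattern such as *://*.bing.com/* can match a search engine."""
    if pattern == "<all_urls>":
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0].lower()
    if host == "*":
        return True
    if host.startswith("*."):
        host = host[2:]
    return any(host == h or host.endswith("." + h) for h in SEARCH_HOSTS)

def audit_manifest(manifest):
    """Return (finding, detail) tuples for search-takeover capabilities."""
    findings = []
    # 1. Declared replacement of the browser's default search engine.
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if provider:
        url = provider.get("search_url", "")
        findings.append(("search_provider_override", urlsplit(url).hostname or url))
    # 2. Request APIs combined with host access to search engines.
    perms = [p for p in manifest.get("permissions", []) +
             manifest.get("host_permissions", []) if isinstance(p, str)]
    hosts = [p for p in perms
             if ("://" in p or p == "<all_urls>") and covers_search_host(p)]
    if REQUEST_APIS.intersection(perms) and hosts:
        findings.append(("request_api_on_search_hosts", hosts))
    return findings

# Constructed sample manifest, not taken from any real extension.
SAMPLE = json.loads("""{
  "name": "Constructed Private Search", "manifest_version": 2,
  "permissions": ["storage", "webRequest", "webRequestBlocking",
                  "*://*.google.com/*", "*://*.bing.com/*"],
  "chrome_settings_overrides": {"search_provider": {
    "name": "Example", "keyword": "ex", "is_default": true,
    "search_url": "https://search.example/?q={searchTerms}"}}
}""")

if __name__ == "__main__":
    for finding, detail in audit_manifest(SAMPLE):
        print(finding, detail)
```

A finding here is a prompt for manual review of the extension's code and stated purpose, not proof of hijacking, since legitimate search tools declare the same keys.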
Bing.com Search Hijacking
For example, a search for “airpods” on Bing leads to a Search Encrypt search results page that has more ads than search results. A user would have to have the stamina to scroll through 10 text ads from Microsoft and then 5 image ads before coming to an organic search result. You, the Medium reader, will also need the same stamina, as I have embedded a screenshot of the exact page below.
Search Encrypt Results Page
The Chinese Connection
Genimous Technology Co Ltd, a public company traded on the Shenzhen Stock Exchange under the symbol 000676, is the 12 billion CNY ($1.7 billion USD) company that is behind these extensions. Its ownership is concealed through shell companies set up in offshore jurisdictions, like Polarity Technologies Ltd in Cyprus and EightPoint Technologies Ltd in the Cayman Islands, but can be traced through analysis of the browser extensions' terms of service and contact information [2, 3]. Based on public filings, in the first 6 months of 2019, Genimous made 900,296,410.76 CNY ($125 million USD) from its overseas division, which generates its revenues from ads on search results pages [4, 5 (page 15 of the PDF)], for a $250 million yearly run rate.
Genimous subsidiary EightPoint Technologies claims to have 10 million users and generate at least 5 billion searches a year. Microsoft Bing sees 5.5 billion searches a month. This implies Genimous could be responsible for driving 10% of the searches on Bing, which may not be an unreasonable assumption since we have identified almost 7 million active users of their extensions. Even at 1 search a day, 7 million users will generate 2.5 billion searches a year.
A Threat to National Security?
More concerning for users may be that Genimous is collecting and storing sensitive user data, including search queries, on Chinese servers, where the data are subject to Chinese laws on data privacy, notwithstanding the extensions’ privacy policies, which can be modified at any time. While their privacy policies claim not to store “identifying” user data, past research has found how easy it is to de-anonymize data. Potentially sensitive searches could then be linked to users.
These same privacy concerns have sparked a national security investigation into TikTok because, as a Chinese company, the “company must still adhere to Chinese law on supplying information to the government”. However, while TikTok hosts fun and light-hearted content, the Genimous search hijacker extensions are marketed toward users who are seeking a private search engine and who may be surprised that their most sensitive searches are being stored by a Chinese company making promises that it cannot legally keep. Arguably, searches that reveal or imply a user’s sexual orientation or health status are far more damaging in the wrong hands than a funny TikTok video.
The marketing for Search Encrypt leaves little to the imagination as to the kind of searches that they are catering to. These searches are also the most personal and deeply sensitive kind, exactly the kind of searches you wouldn’t want a foreign power to have access to. The forced divestment of the dating app Grindr from Chinese ownership is a case in point.
Moat Advertiser Report
Mozilla Takes a Stand
Mozilla, the maker of the popular Firefox browser, appears to have taken some preliminary steps to mitigate search hijacking with add-on policies that prohibit search interception:
Search functionality provided or loaded by the add-on must not collect search terms or intercept searches that are going to a third-party search provider.
At the time of publication, however, the Genimous extensions are still active in the Firefox add-on store.
In the online advertising world, fraud has generally been seen as a scourge in the ad exchange space. Search advertising has been spared that level of scrutiny. As a result, standards like ads.txt that protect publishers on ad exchanges and ensure that bad actors are prevented from the unauthorized resale of publisher inventory are sorely missing when it comes to search advertising. Even the biggest publishers like Google and Bing are victims of search hijacking.
Browser extensions can only be distributed through the extension stores with the approval of the browser vendors. Will the major browser vendors like Google and Mozilla step up and stop the search hijackers?
* * *
Against Surveillance Capitalism - Fighting back against unscrupulous data collection