What just happened? A number of Microsoft Edge users have reported strange redirections from Google searches with no unexpected addons in their browser. After some serious Reddit sleuthing, several seemingly legitimate browser extensions have been found to cause this malware behavior.

Many reading this may have experience with malicious browser add-ons. You open Chrome or Firefox, and your homepage is redirected to a strange, unfamiliar search engine. Or perhaps you spy an odd new toolbar above your bookmarks "fueled by" one of these companies or engines where buttons and search bars take you to malware-ridden sites.

Google and Mozilla have been fending off abusive extensions, add-ons, and settings-altering "VPN services" for years. At one time, browser extensions were viewed as the Wild Wild West by cybersecurity companies because these add-ons, in theory, had full access to the contents of the web page - even email and banking details.

Google later stepped up, removing malicious extensions, and wrote user privacy policies that required apps and companies to request consent and take minimal user information. For their part, Google also set up a reward program to encourage the cybersecurity community to hunt down qualifying vulnerabilities.

With the growing user base of the Edge browser, Microsoft has entered the fray. In recent days, Edge users have flagged Google searches that redirected to a site called oksearch, often via cdn77(.)org, which then reportedly redirected to various other sites.

Some proactive Redditers discovered that these complaints were a recurring theme and managed to trace them back to a few suspected sources. These fake extensions used the names of legitimate applications to grab user attention and have since been flagged to Microsoft.

The abusive malware functioned under the names:

  • NordVPN
  • Adguard VPN
  • TunnelBear VPN
  • The Great Suspender
  • Floating Player - Picture-in-picture Mode
  • Greasemonkey

It is possible this is not an exhaustive list, but the extension companies have been made aware of the malware, and an Edge Community Manager has confirmed that the offending extensions discovered so far have been removed from the Edge Add-on store.

Malware like this typically gains revenue through ad-clicks, but the real danger is that they do not follow the guidelines set up by browser privacy policies. User information made available on the browser through these add-ons can be extracted and used for malicious purposes.

If you have installed one of the above extensions, either remove it immediately or ensure that it is the legitimate add-on produced by the company. If you experience any of the odd redirections mentioned, check your extension list, even recently deleted extensions, and report the behavior to your browser's distributor.