Browser Hijacking

What Is It and How Can You Prevent It?

Anonymous Browsing

It’s early morning and you just made a cup of coffee. You start up your favorite browser to check the daily news, when all of a sudden, you see various uncommon and odd-looking icons in your browser.

The changes happened without you performing an action or installing any software, yet it’s installed on your browser nonetheless.

Has this ever happened to you?

Then you’ve probably fallen victim to browser hijacking.

Don’t worry too much - most browser hijacking is relatively easy to get rid of, and it’s easy to restore your browser to a clean version.

Let’s kick off by looking at what browser hijacking exactly is.

What Is Browser Hijacking?

The definition of “Browser Hijacking” is “a form of unwanted software that modifies a web browser's settings without a user's permission.

Browser hijacking software can do things with your browser that you didn’t intend to do yourself.

For example, when your browser is hijacked, you might find that your previous default homepage has changed, or the search engine isn’t Google anymore but a different search engine instead.

Another common sign of browser hijacking is unwanted ads displayed in your browser or in popup windows. Such ads can also redirect you to a hijacker page.

The purpose of these ads or to redirect someone to a certain page is to increase traffic on the site. The point is to get as many people to click the ads as possible, because the hackers are paid by the number of clicks on ads.

That means that whenever the hijacker generates more traffic to a website, the higher the advertising profit will be.

In extreme cases, browser hijacking can lead to serious problems. It’s possible for browser hijackers to manipulate your browser into downloading malicious software.

Your browser could automatically download (sometimes without you knowing) spyware, ransomware or other types of malware that can seriously harm your device.

Alternatively, browser hijackers might be after your banking information or credit card details. By installing a keylogger onto your device via a hijacked browser, hackers could potentially see everything you type on your device.

The hacker could then sell the stolen data or your personal information to third parties for either marketing purposes or identity theft, for example.

The malware often spreads via infected systems, which depends on the availability of other systems within its reach. Due to vast increase of internet usage over the past decade, it’s become much more lucrative for hackers to do something with browser hijacking.

Browsers are used on a daily base to surf on the internet and are used on various different computer operating systems, such as Windows and macOS X, but also mobile devices like Android and iOS.

That means that hackers only need to design a malicious software tool once in order to target browsers. The infected browsers spread the malware to other browsers across the web automatically.

The image below is an example of an infected browser, as you can tell by the many different browser extensions installed. On top on that, the lower section of the browser window is filled with annoying ads.

I’ll address the downside of this many browser extensions in the next section.

Browser Extensions

Browser Hijacking: The Symptoms

There are various signs that could mean that your browser is hijacked. Here are the most obvious signs of a hijacked browser:

  • Automatic redirection to unintended websites
  • (Annoying) popup windows that contain advertisements
  • Significantly slow-loading pages
  • hashtag
    A lot of weird and uncommon toolbars installed onto your web browser (which you didn’t install yourself)

There are a number of well-known toolbars, search bars and other types of software that generally belong to a hijacked browser.

Here’s a list of a few well-known examples:

  • Conduit Toolbar
  • Coupon Saver
  • GoSave
  • hashtag
    Babylon Toolbar
  • hashtag
    CoolWebSearch
  • hashtag
    RocketTab
  • hashtag
    Ask Toolbar

Enigma Software created a list of malicious toolbars and other harmful browser software. At the time of this writing, the list counts 141 malicious toolbars.

Also, Wikipedia published an extensive list of browser hijacking software, harmful search engines, websites and other types of malicious browser tools.

Browser Hijacking Methods & How to Prevent It

As for most malware, it doesn’t simply appear on your laptop or mobile phone. It requires a user action to activate, download or install malware. It’s no different with browser hijacking.

Hackers come up with new methods to trick people into performing an action and installing something onto their browser.

I’ve listed a number of common methods below that are used by hackers to install malware on browsers.

After every mention, I’ll also explain how to counter the method and how to prevent it from affecting you.

1

Trick Users Into Installing Software via an Installation Process

In many instances, browser hijacking is executed as part of an installation process for another download that a user believes to be trustworthy and safe.

This means that a user may be tricked into agreeing to install additional software tools during the installation process of another software tool. It’s often hidden in the terms and conditions, or a little check-box that allows the software developer to install malware.

Alternatively, the software might trick users by offering an option to decline the installation of additional browser software. However, the option is brought to the user in such a way that misleads them to install the software anyhow.

For example, the installation process could mention something about additional browser software (that’s actually malware). The description says the software will optimize your browsing experience, search experience, etc. (but it doesn’t; it’s just a scam).

The user might think it could actually be worth it to install the additional software, considering their initial download was already from a software developer/company they trusted.

At this point, the user has been tricked into installing malicious software.

How to Deal with Installation Process Tricksters

It’s important to carefully read the installation process every time you download something!

Whenever you install third-party software (even if it’s from a trusted source), always carefully read through the installation steps and the available checkboxes.

Many people install software and select the “Recommended” checkbox. In many cases, if you opt for the default installation process, it’s quite common that you agree to install other software tools as well.

Avira Antivirus Installation Window

This even happens without you fully knowing what you’re installing, simply because the optional software isn’t shown unless you investigate.

If you click on terms like the “Advanced” or “Manual” checkbox, you’ll often see multiple options you can (de)select in order to download or not download additional software, such as a toolbar or search bar.

Avira Antivirus Installation Advanced Steps

Make sure to read carefully and always check the installation’s advanced steps to find out whether or not they’re trying to trick you into installing other software as well.

2

Phishing Emails & Links

Phishing Email Example

Phishing emails are another popular method of tricking people into downloading malicious software or visiting harmful websites.

The browser hijacker might send out a significant quantity of emails to random people to spread malicious attachments.

Once someone downloads the infected attachment, they’ll automatically install browser hijacking software.

The installation of browser hijacking software can also be enabled by simply clicking on a malicious link.

A link doesn’t always redirect you to the website you thought you were going to visit, but instead, redirects you to a hijacker’s website.

There is always the possibility of clicking on the wrong link. The link could be placed on a website, email, messaging application, forum, YouTube comment, etc.

How to Deal with Phishing Emails & Links

Phishing emails often have certain characteristics that tell you it’s a phishing email. I’m talking about odd grammar, weird stories about a rich African cousin who passed away or long and weird email endings, such as “[email protected]

Simple and only solution: don’t ever open or click on any attachments or links in emails when the sender is unknown.

Read more information about phishing emails and how to deal with them in my in-depth post on the subject.

It’s also important to realize that there are many links on the internet that could be malicious or harmful, not just the attachments and links that come via your email account.

If you’re unsure if you can trust a link, don’t immediately click it. Instead, right-click the link to copy and paste it into a Word document (or any other text tool). Ideally, you want to visit “https” URLs only.

Then you can see whether it’s a legitimate URL. If you’re still unsure, you can also paste the link into a Norton’s website scanner. This tool will analyze the link and check whether it’s safe to visit.

3

Compromised Browser Extension Software & Add-ons

There are many instances of browser hijacking software that come from compromised extension software. I’m talking about third-party (often trusted parties) plugins or other browser software that provide additional features and user-experience improvements for users.

For example, Chris Pederick, the developer of a Chrome extension called “Web Developer for Chrome” fell for a phishing email himself. His plugin is used by more than 1 million Chrome users across the world.

The hacker tricked Chris Pederick into opening a malicious attachment in order to apprehend the developer’s account details. By doing so, the hacker gained access to Chris Pederick’s account and was able to modify the plugin.

The hacker then wrote and uploaded a new script into the plugin and updated it for all the users.

Compromised Browser Extension Software

So, every user that had the Web Developer for Chrome plugin installed also automatically installed browser hijacking software as well.

There are also instances of anti-malware browser extensions pretending to be legit protection software, but in fact, these anti-malware extensions hide scripts that secretly hijack your browser.

One could almost say it’s ironic for hackers to develop anti-malware browser extensions, but then use it against the users, because it’s actually a cover to hijack your browser.

How to Deal with Compromised Browser Extensions & Add-ons

Methods such as these increase the importance of verifying every single browser extension or plugin you install. 

There are a few ways to go about when verifying extensions and add-ons. It’s both important to check for reviews and trustmarks by developers and other users, as well as to check whether it has been flagged in the past by security companies.

Simply search the extension you want to install on Google first and check if you can find any questionable information. If not, it’s safe to say you can install it.

If it has a ton of positive reviews as well, it’s most likely a clean software tool.

It’s also important to check what the extension wants to do. For example, if you use an extension to block out JavaScript code, it’s normal that the extension wants to read the entire page you’re visiting.

But if you installed an extension that allows you to save food recipes, but it also wants permission to read everything on every web page you visit and your contact list, that should ring the alarm bells.

In general, add-ons and plugins are used to create a better user experience or to provide certain helpful features, like the one in the example, which helps developers in some way.

But, it’s exactly those software tools that are vulnerable to exploits and hackers, mostly because the security of these add-ons and plugins isn’t great.

Make sure to determine whether you actually need a browser extension, because if you don’t need it, get rid of it! 

Other Ways of Protecting Yourself

Google’s Safe Browsing List

“Safe Browsing is a Google service that lets client applications check URLs against Google's constantly updated lists of unsafe web resources. Examples of unsafe web resources are social engineering sites (phishing and deceptive sites) and sites that host malware or unwanted software.”

That means that Google is keeping track of harmful websites. Once detected, the website will be added to the list. So, if a user wants to visit the website, they’ll receive a warning message.

Google Notification Harmful Website

Whenever you receive this notification, it’s better not to visit the website you intended to visit. The biggest browser software companies like Google Chrome (obviously), Firefox and Safari use the Safe Browsing List.

Google started with the Safe Browsing List in 2006, but the diagnostic tool is still frequently updated with the latest websites that pose a threat to internet users.

What We’ve Learned

Browser hijacking happens quite often and, in many cases, users aren’t aware that their browser is infected with certain malicious software.

Hackers use multiple methods to hijack browsers. The hijacking software is sometimes hidden in the installation process of third-party software, but phishing emails and compromised add-ons are also popular methods to hijack browsers.

It’s therefore important to always read the installation process steps carefully and check for any unexpected checkboxes that might be selected by default. Also, never open URLs or attachments in emails you don’t trust.

Be careful when it comes to browser extensions, too, because many browser extensions tend to be outdated and are therefore exploited by hackers for fraudulent activities. Hackers even design browser extensions themselves, simply to infect it later with malicious scripts.

Whenever you’re browsing the web and you’re blocked from visiting a website, and Google’s Safe Browsing List pops up with a warning message, it’s better not to ignore it or proceed to the website anyway.

The good news is that browser hijacking doesn’t have to happen to you now that you know what it is. Remember these ways of preventing it, and you won’t fall for fraudulent tricksters!