Has your browser been hijacked?

20 Jul 2011

"Prevention is always better than cure," says Davey Winder in his investigation of browser hijacking

Browser hijacking is alive and well but, rather than having your web browser diverted to Cuba, you’re much more likely to find yourself landing on some advert-sodden search engine you’ve never heard of.

Although you might have thought of browser hijacking as something that was a problem a decade ago, the truth is that the insidious process of replacing your homepage (or search page, or even error pages in some instances) with an interloper is still an issue.

Why would anyone want to do it? Well, whether it’s done as part of a malware attack or by an otherwise reputable company looking to build market share, the underlying reason is the same: increased web exposure equals increased bottom line. Yep, as with just about all cybercrime these days, money is the driving force.

The nature of a browser hijack is such that it’s usually pretty damn easy to spot when you’ve fallen victim to one, as your web-browsing experience will change. The most common approach is to redirect you from your default search engine – be that Google or Bing – and force you to use a below-par service that you haven’t heard of and wouldn’t ever use out of choice.

Sometimes it can become obvious even before you attempt to perform a search, because the hijacker simply replaces your default homepage with one that hits you with banner ads and pop-ups instead. Perhaps the hijack that’s most insidious, and increasingly popular among cybercriminals looking to make a fast profit, is one where homepages, search engines and error messages are all hijacked so that a “malware infection warning” pop-up is displayed.

This of course leads you to those rogue antivirus software sting pages, where you end up parting with your cash for software to clear up a non-existent infection, and which nine times out of ten actually installs more malware on your machine.

Too obvious?

But what’s the real problem with such a hijack if it’s so obvious? Surely a savvy user would just pop into their browser settings and return things to normal? They might, but as soon as they restart their browser or reboot their machine the problem might return, since these hijacks write themselves into places such as your hosts file or the system registry.

Some of the more sophisticated attacks even employ rootkits to ensure they remain active after every reboot. Clearing up after a hijack is a lot more difficult than falling victim to one, especially since some of the more sophisticated ones will prevent your browser from visiting the most popular antivirus and security vendor sites, where you might otherwise be able to get help.
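
The hosts-file persistence and the blocking of security vendor sites described above can be checked for directly. The following is an added example, not part of the original article: it audits hosts-file text for entries that redirect or block watched domains. The watchlist, the function names and the sample file are assumptions made for illustration, and the registry is not covered.

```python
import ipaddress

# Assumed watchlist: search engines named in the article plus example vendor domains.
WATCHED = ("google.com", "bing.com", "symantec.com", "mcafee.com", "kaspersky.com")

# Constructed sample hosts file (documentation-range addresses), not from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com google.com   # search redirect
0.0.0.0         www.symantec.com
127.0.0.1       update.mcafee.com
192.0.2.10      intranet.example.local
"""

def is_watched(host):
    """True if host is a watched domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED)

def audit_hosts(text):
    """Return (line_no, host, address, verdict) for each suspicious entry."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank or incomplete line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not a valid address: ignored by the resolver
        for host in fields[1:]:
            if is_watched(host):
                # Loopback or 0.0.0.0 makes the site unreachable; anything else diverts it.
                blocked = addr.is_loopback or addr.is_unspecified
                verdict = "blocked" if blocked else "redirected"
                findings.append((n, host.lower(), str(addr), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On Windows the live file is normally at `%SystemRoot%\System32\drivers\etc\hosts`; read it and pass its contents to `audit_hosts`.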