Cybercrime is becoming popular with criminals as a way to scam the naive. In our series on cybercrime, we’ve looked at phishing, ransomware and botnets. Now, we’re tackling one of the most common and dangerous cybersecurity threats: browser hijacking.
Browser hijacking is common because non-techies often don’t realize they have it. We’re going to explore what browser hijacking is, infamous examples of it, how to get rid of it and how you can protect yourself in the future.
There’s crosstalk between cybersecurity threats, and browser hijacking is no different. If the symptoms we lay out don’t exactly align with software you’ve encountered, our solutions for removing and protecting against it should still work as long as the general purpose of the malware is the same.
What Is Browser Hijacking?
Browser hijacking is whenever software modifies your browser settings, usually your homepage, default search engine and extensions, without your permission. It seems innocent enough, but it’s often used to redirect you to websites you don’t want to go to and steal personal information.
It’s known as a potentially unwanted application or a potentially unwanted program in the cybersecurity world. You never asked for the program, and you certainly don’t want it, but it’s installed anyway.
Browser hijackers are typically used as a means to distribute other malware. They install adware, keyloggers, spyware and more. In bad cases, the browser hijacker can redirect you when you try to log in to banking websites, or anywhere else, sending your username and password to the hacker instead.
It’s not always a cybercrime, though. Ironically, many antiviruses perform some sort of browser hijacking. McAfee, for example, will automatically configure your search engine to its “safe” option if you don’t tell it not to (read our McAfee Total Protection review for the service’s good qualities, though).
For the purposes of this guide, we’re not going to talk about the soft touch browser hijacking that legitimate software sometimes performs. It’s annoying, but easily reverted.
We’re talking about the nasty stuff that uses your naivety as a profit machine. There are general symptoms of hijacking, such as sluggish performance from redirects and a different default search engine, but the best way to understand the attack is through example.
Examples of Browser Hijacking
Chrome, as one of the most secure browsers available, has done a lot to protect against browser hijacking. Still, you can get this malware using a different browser and it can infect all of the others installed on your machine.
There are many examples of browser hijacking, so we’ll look at some of the most infamous to better understand how they work.
The Babylon Toolbar started circulating in 2011. The CNET-owned website, download.com, began bundling the software with downloads without the developer’s consent. The Babylon Toolbar changed the default search engine on the default browser to search.babylon.com and slowly infected the other browsers on the machine.
The toolbar was a form of adware, displaying ads in search results and collecting money from sponsored links. It also collected user data and reported it to advertisers for additional profit.
The vice president of download.com issued a statement in December 2011, acknowledging Babylon and apologizing for its circulation, saying, “The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused.”
Conduit is one of the nastiest browser hijackers to ever circulate. It looks simple on the surface, a bundled browser hijacker that changes your default search engine, new tab page and other browser settings.
It’s a bundled software with many free downloads called Conduit Search Protect, masquerading as a tool that protects browser settings. In reality, it changes your browser settings and locks them, even from administrator changes.
Conduit is a combination of adware and spyware, as are most browser hijackers. It changes your default search engine to one of Conduit’s many options, collects personal and confidential data and displays pop-up and in-text advertisements on nearly every webpage.
It’s scary, though, because it’s so difficult to remove. Conduit uninstalls itself, along with core Windows files, making it impossible to boot the OS. It’s among the hardest malware to deal with and a prime example of how nasty a browser hijacker can get.
Conduit is loud, but MyStart.IncrediBar Search is quiet, which makes it more dangerous. It’s an adware and spyware combo, which is common for a browser hijacker, but also behaves like a virus and worm.
IncrediBar uses its toolbar, usually in Firefox, to redirect users to MyStart websites, mystart.incredibar.com in particular. The redirect can slow a machine down slightly — so little that no one would notice — or suck up so much of the resources that the only option for recovery is a clean install of Windows.
MyStart rebuilds itself after you try to uninstall it, though. It makes registry changes, installs new files on your machine and configures options in Windows without your permission, meaning it’s claws don’t leave once they’ve set in.
It doesn’t have a reason for the registry entries it changes or the files it creates, either. Its madness depends on the OS version, browser, hardware configuration and more. Antiviruses have had issues with it in the past, too, but options such as ESET can go toe-to-toe with it.
There’ll be more on that later.
How to Remove a Browser Hijacker
Removing a browser hijacker can be a rigorous process. In most cases, though, a simple uninstall will do the trick. It’s best to start with your browser and work your way to your operating system to see how far-reaching the hijacker is.
Remove suspicious and unnecessary toolbars and extensions. They can be reinstalled, so it might be a good idea to delete everything. After you’ve done so, close your browser and restart your computer.
Once your computer has restarted, verify that what you removed is still gone. If it is, change your browser settings — default search engine, homepage, etc. — and everything will return to normal. If you’re still being redirected or an extension won’t uninstall, you’ll have to go deeper.
Manually Removing a Browser Hijacker
First, clear your DNS cache. In Windows, you’ll need to open the command prompt and type in the following:
Press “enter” and let the DNS cache flush. After it’s done, you’ll see “Windows IP Configuration. Successfully flushed the DNS Resolver Cache.” Clearing it will remove DNS redirects in your network configuration.
Next, go through your add/remove programs area and remove applications tied to the browser hijacker. If there’s something you don’t recognize, make sure to search it before deleting, preferably on an uninfected device.
Reboot again and see if the problem is solved. If it is, you can use a program such as AVG TuneUp (read our AVG review) to clear registry entries that the browser hijacker may have created.
If the problem still isn’t fixed, you’ve contracted a nasty browser hijacker and a full system restore may be in order. That is one of the many reasons online backup is so important. You can find a provider in our best online backup services guide or go easy mode and sign up for IDrive. It’s our top choice and you can read more about it in our IDrive review.
As long as you have a backup secured, you can safely reset Windows and restore it to its default settings. No matter when you catch malware on your machine, that’s a foolproof way to get rid of it.
How to Protect Against Browser Hijacking
Like most malware, browser hijackers can be delivered in different ways. If the hacker was determined enough, they could deliver it with its own trojan, but, as hijackers are often just part of a larger malware scheme, that’s a lot of work for little payoff.
Usually, browser hijackers are delivered as a bundled addition to free software, which is one of the hazards of downloading something that should be paid for. The free software ecosystem needs to monetize somewhere down the line and, in most cases, they get a cut from installing a browser hijacker with their software.
That’s just a risk, though, and not all free software comes with unwanted extras. The threat is generally greater if you download a free application from a different source. For example, many sites offer uTorrent. The original installer is notorious for bundling unwanted software, but someone uploading it to a different website could tweak it to include their browser hijacker.
Common sense will get you past unwanted additions to an installer. Make sure you read through every page before clicking “next.” Not doing so is a poor habit and usually the reason you end up with a browser hijacker.
Browser Hijackers You Can’t Protect Against
You can get a browser hijacker elsewhere, though. Drive-by downloads are downloads that trigger without your input when you land on a malicious webpage. Hackers are using them to install malware at an increasing rate.
That’s why an antivirus is necessary. Instead of just scanning for the malware on your machine, the best antivirus software provides real-time protection, shielding you from PUAs and malicious webpages while you browse online.
ESET handles PUAs the best. It prompts you each time a drive-by download is attempted. We like that you can choose if you’d like to install the application. That way, ESET isn’t messing with legitimate requests. It also made it onto our most secure antivirus list, and we took kindly to its scan options in our ESET NOD32 review.
Browser hijacking is becoming less common, especially if you’re a Windows user. Windows 10 doesn’t allow applications to make changes to a web browser without user permissions. Like any security precaution, hackers can bypass it, though. While you may not see the malware as often, it still exists.
As long as you use common sense, backup your data with online storage and protect yourself with the most secure antivirus software, you’ll be prepared to face any cybersecurity threat.
Have you been a victim of browser hijacking? More than one of us has, so let us know your story in the comments below. As always, thanks for reading.