If you’ve ever launched your web browser, expecting it to open your homepage, only to see it display some random page you’ve never seen before, odds are you were the victim of a browser hijacking attack. Browser hijacking is a widespread online attack that targets web browsers, and changing your homepage isn’t the only thing it can do.
Browser hijacking can be somewhat benign (homepage replacement) or more serious (malware infection stealing your PII). But whatever the case, it’s not going to be fun.
In this post, we provide an overview of browser hijacking attacks, how they work, the damage they can cause, etc., and tips on protecting against them and removing them if you’re stuck with one.
Let’s start.
What is browser hijacking?
Browser hijacking is an attack in which unwanted software gets installed on your computer (usually without your knowledge) and alters some of the functionality of your web browser. The above example changed the user’s homepage but could just as easily replace an error page or your default search engine. Browser hijacking attacks can also display ads, install additional malware (like a keylogger), and funnel your personal information, such as passwords and credit card numbers, or redirect some of your traffic and force hits on a site controlled by the attacker to augment its ad revenue.
Many browser hijacking attacks have a phishing component. Attackers might send an email or a text message to the victim with a malicious attachment that installs the unwanted software or instructs victims to click urgently. Clicking the link directs the user to a compromised website, which installs the unwanted software on the user’s device.
Other times, browser-hijacking programs are found in software bundles that include multiple programs. The offending program would either be hidden or disguised as something “useful” to the user, like browser extensions or toolbars (this was much more prevalent in the early 2000s).
Sometimes, marketing companies will actually perform browser hijacking attacks by dropping code snippets on users’ devices to track their activity and run ad measurement analytics. When marketing companies do this, they tend to call it “business intelligence” (or some other euphemism), but it’s browser hijacking. To be fair, most marketers rely on cookies and browser fingerprinting today, but it could still happen.
Whatever the intent, whether malicious or mercantile, you’re much better off with a browser that hasn’t been hijacked.
Examples of browser hijackers
Let’s look at some notable examples of browser hijackers.
Babylon toolbar
The Babylon toolbar is arguably one of the most prevalent browser hijackers. It changes your browser’s homepage and sets your browser’s default search engine to isearch.babylon.com. In addition to those modifications to your browser, the Babylon toolbar also displays ads and collects the search terms you enter.
Babylon toolbar came bundled in various software packages. In 2011, CNet’s sister site, download.com, bundled the Babylon toolbar with open-source packages that were available on its site. Babylon toolbar was removed shortly after, and the president of download.com, Sean Murphy, apologized for the blunder.
Ask toolbar
Similar to the Babylon toolbar, the Ask toolbar is commonly bundled with free software packages. Once installed, it displays the Ask toolbar in your browser right under the actual URL bar, making it easy to perform an “Ask search” by mistake.
In 2015, Microsoft labeled the Ask toolbar malware and made Windows Defender remove it. Subsequent versions of the Ask toolbar were not considered problematic by Microsoft, and Defender would let them be. So keep your eyes peeled.
Conduit Search
Conduit Search is another browser hijacker—and this one is pretty bad. Installed through free software bundles, once it has access to your browser, it alters your browser by changing your default search engine, homepage, and new tab page, among other things.
From there, Conduit Search will generate unwanted pop-up windows, display ads, and steal your personal info. VConduit victims have reported phishing attempts via email and phone calls in which their personal information was disclosed.
Conduit Search also blocks users’ attempts to modify their browser’s settings, ensuring that malicious modifications remain in place. If you try to uninstall the program with its official uninstaller, your Windows machine will be unbootable.
You want to steer clear of this one.
Snap.do
Snap.do is a search bar produced by Resoft that you can download from the Resoft website (though I can’t think of a single good reason to do that). When you install it, you agree to its terms of service (which are terrible) and allow Resoft to collect the following data points:
- Your IP address
- Your screen resolution
- The timestamps at which you interact with Resoft products
- The pages you visit with Snap.do installed, among others
If that weren’t bad enough, the toolbar could download and install additional malware on users’ systems, such as DVDVideoSoftTB, General Crawler, and Save Valet.
How to tell if your browser has been hijacked?
We’ve already listed some of the consequences of browser hijacking (redirected homepage, redirected traffic, PII collection). While a redirected homepage may be pretty obvious, not all of the harms that come from browser hijacking will be immediately visible.
The main symptoms to look out for are:
- Your homepage has been changed.
- You’re getting redirected to other websites when typing URLs into your browser.
- Your search engine has been replaced.
- You’re seeing a large number of pop-up ads when using your browser.
- You’ve got unknown toolbars or browser extensions installed.
- You notice your device’s performance is unusually poor, and its sluggish download speeds. This can occur if the browser hijacking program is running intensive background tasks. It could be an indication of a more severe browser hijacking attack.
Again, an attacker could also install additional malware onto your device and use keyloggers or other viruses to stealthily funnel your personal information. In such cases, detection will be difficult but not impossible (more on that below).
How to remove a browser hijacker
If you suspect (or know) that you’ve fallen victim to a browser hijacking attack, you should try to uninstall the offending program yourself. If you don’t know the program’s name, look for software installed when you started experiencing issues or any program you don’t recognize that seems suspicious. To delete it, follow the steps outlined below.
Uninstalling on Windows
- Type Add or Remove Programs in the Windows Search bar at the bottom left of the UI. Add or Remove Programs appears in the search results.
- Select Add/Remove Programs. The Add/Remove Programs page is displayed.
- Scroll down the list until you find the program you want to delete. Select it and click the Uninstall button.
- Once the program is uninstalled, reboot your computer.
Uninstalling on macOS
- Open to the Applications folder.
- Search for the application you want to remove.
- Select the app and drag it to the Trash.
- Empty the Trash and reboot your computer.
Safe mode / Antivirus
Sometimes, uninstalling the program isn’t enough. More pernicious browser hijackers may be able to survive regular uninstallation. If you’re in that situation, the next step is to boot your computer in safe mode (with networking) and, once booted up, download an antivirus program to scan your computer and remove the hijacker.
Windows
- Restart your computer while holding down the Shift key.
- Once restarted, your computer displays an option menu. Select Troubleshoot.
- Another set of options is displayed. Select Advanced options.
- Yet another set of options is displayed. Select Startup Settings. The Startup Settings menu is displayed.
- Click Restart. Your computer will restart.
- Once restarted, the Startup Settings menu is displayed with a new set of options. Press F5 to select Enable Safe Mode with Networking.
- Once your computer has booted into Safe Mode, you can download an antivirus program and run a deep/complete/full scan.
macOS
Intel macs
- Restart your Mac while holding the Shift key until you see a login window.
- Log in. You should see Safe Boot in the menu bar.
- Once your computer has booted into Safe Mode, you can download an antivirus program and run a deep/complete/full scan.
Apple silicon macs
- Shutdown your MacMac completely.
- Press and hold your Mac’s power button until you see Loading startup options displayed on the screen.
- You’re prompted to select a volume. Select the volume with macOS on it (typically Macintosh HD).
- Press and hold the Shift key, and click Continue in Safe Mode.
- Your computer will restart and after logging in, you should see Safe Boot in the menu bar.
- Once your computer has booted into Safe Mode, you can download an antivirus program and run a deep/complete/full scan.
How to protect against browser hijacking
Defending against browser hijacking attacks will mainly entail common-sense online security measures, focusing on resisting phishing tactics commonly used to fool users into installing unwanted software.
- Stay away from free software bundles available online. Only install reputable software produced by vendors you trust. That will go a long way to protecting your device from browser hijacking.
- Clear your browser’s cookies and cache frequently.
- Be mindful of consistent slowdowns, sluggishness, and overheating of your device.
- Don’t open attachments in emails unless you know who the sender is and you’ve confirmed with that person that they really did send you that email. You should also ensure they know the email contains an attachment and know what the attachment is.
- Don’t click links (URLs) in emails unless you can confirm who sent you the link and its destination. It might also be good to contact the sender through another channel (not email) to ensure the sender is not impersonated. Also, check the link for incorrect spelling (Faceboook instead of Facebook or Goggle instead of Google). If you can reach the destination without using the link, do that instead.
- Use a firewall. All major operating systems have built-in incoming firewalls, and all commercial routers on the market provide a built-in NAT firewall. Enable both. You’ll thank me if you click a malicious link.
- Use an antivirus program – Only purchase genuine and well-reviewed antivirus software from legitimate vendors. Keep your antivirus updated and set it up to run frequent scans and real-time monitoring.
- Keep your operating system updated – You want the latest OS updates. They contain the latest security patches that will fix any known vulnerabilities. Make sure you install them as soon as they’re available.
- Never click on pop-ups. Ever. Pop-ups are just bad news—you never know where they will lead you.
- Don’t give in to “warning fatigue” if your browser displays yet another warning about a website. Web browsers are becoming more secure daily, which tends to raise the number of security prompts they display. Still, you should take those warnings seriously. So if your browser displays a security prompt about a URL you’re attempting to visit, pay attention to your browser’s warning and get your information elsewhere. That’s especially true if you click a link you received by email or SMS – it could send you to a malicious site. Do not disregard your computer’s warning prompts.
Wrapping Up
So, that was an overview of browser hijackers. Some are worse than others, but none are welcome. We looked at how these attacks work and the harm they can cause. We provided instructions on removing browser hijackers and tips on how to steer clear of them.
Hopefully, with that information in hand, your browser will be hijacker-free for the foreseeable future.
Stay safe.