Browser Hijacking: The Evolution of Deceptive Search Pages

Palo Alto Networks Unit 42 has observed a surge in domains mimicking Chrome’s “New Tab” page, associated with Browser Hijacking. These deceptive pages now more closely resemble legitimate browser interfaces, making detection harder.

Key Findings:

  • Old Hijacker Pages (example URLs):
    – `goto.searchpoweronline.com`
    – `go.mennythanks.com`
  • New Hijacker Pages (example URLs):
    – `cast.larianot.com`
    – `drop.bringithis.com`
  • Increased Activity: Telemetry shows a rise in hijacker sites since 2022-Q3.

You Should Know: How to Detect & Remove Browser Hijackers

Detection (Linux/Windows/Mac)

1. Check Browser Extensions:

  • Chrome: `chrome://extensions`
  • Firefox: `about:addons`

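2. Scan for Malicious Processes (the quoted strings below are placeholders; substitute the process name or pattern you are checking for):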

  • Linux:
    ps aux | grep -i "suspicious_process" 
    netstat -tulnp | grep -i "unknown" 
    
  • Windows:
    tasklist /svc | findstr "unexpected" 
    netstat -ano | findstr "LISTENING" 
    

3. Inspect Hosts File:

  • Linux/Mac:
    cat /etc/hosts 
    
  • Windows:
    type C:\Windows\System32\drivers\etc\hosts 
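
Reading the hosts file by eye misses a lot, so the following added example (not part of the original post or the Unit 42 report) parses it and reports three things: which of the article's example hijacker hosts are already sinkholed, which names are pinned to a non-local address and deserve review, and which block lines are still missing. The sample file, the function names and the `0.0.0.0` sinkhole convention are assumptions made for this illustration.

```python
import ipaddress

# Example hijacker hosts named in the article above.
HIJACKER_HOSTS = [
    "goto.searchpoweronline.com",
    "go.mennythanks.com",
    "cast.larianot.com",
    "drop.bringithis.com",
]

# Constructed sample hosts file (not taken from a real machine).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost
0.0.0.0      goto.searchpoweronline.com   # already sinkholed
203.0.113.7  www.example-search.test      # name pinned to an outside address
0.0.0.0      Cast.Larianot.com.
not-an-ip    junk-line
"""

def parse_hosts(text):
    """Yield (ip_address, [lowercased names]) for each well-formed line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed entry, ignore
        yield addr, [n.lower().rstrip(".") for n in fields[1:]]

def audit_hosts(text, blocklist=HIJACKER_HOSTS):
    """Report sinkholed blocklist names, outside-address overrides, missing block lines."""
    blocked, overrides = set(), []
    for addr, names in parse_hosts(text):
        local = addr.is_loopback or addr.is_unspecified or addr.is_link_local
        for name in names:
            if local and name in blocklist:
                blocked.add(name)
            elif not local:
                overrides.append((name, str(addr)))  # review: who added this mapping?
    to_add = [f"0.0.0.0 {h}" for h in blocklist if h not in blocked]
    return {"blocked": sorted(blocked), "overrides": overrides, "to_add": to_add}

if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_HOSTS).items():
        print(key, value)
```

To audit a real machine, pass the contents of `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts`) to `audit_hosts` in place of the sample text.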
    

Removal Steps

1. Reset Browsers:

  • Chrome: `chrome://settings/reset`
  • Firefox: `about:support` → Refresh Firefox

2. Remove Suspicious Registry Entries (Windows):

regedit → Navigate to: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 

3. Use Anti-Malware Tools:

  • Linux:
    sudo apt install clamav && sudo freshclam 
    clamscan -r /home 
    
  • Windows:
    Start-MpScan -ScanType FullScan 
    

What Undercode Say

Browser hijackers are evolving, blending into legitimate interfaces. Always:
– Verify URLs before clicking.
– Audit browser extensions regularly.
– Monitor network traffic:

sudo tcpdump -i eth0 -n not port 22 

– Block malicious domains via `/etc/hosts` or firewall:

# malicious-domain.com is a placeholder; iptables resolves a hostname once, when the rule is added
sudo iptables -A INPUT -s malicious-domain.com -j DROP 

For Windows, enforce Group Policy:

gpedit.msc → Computer Config → Admin Templates → Windows Components → Internet Explorer 

Expected Output:

  • Clean browser with no redirects.
  • No unknown processes in tasklist/ps aux.
  • Blocked hijacker domains in firewall logs.

Reference: Palo Alto Unit 42 Report

References:

Reported By: Unit42 Browserhijacking – Hackers Feeds