About Start Page Hijacking

Function

• Hijacking a web browser start page is a relatively simple operation, as it exploits a common web browser feature designed for user convenience. The start page (sometimes referred to as the "home" page) of an Internet web browser is the first page displayed when the browser is started. Because individual users have varying tastes and preferences, most browsers allow users to customize what page is displayed when the web browser is started; a college student, for example, may choose to display her school's student page when she launches her browser, while corporate users may prefer a company news page to be displayed. When a user is surfing the Internet and stumbles across a page he particularly enjoys, he can easily set the page to appear at browser start-up by changing only a few browser options (users of popular browsers like Internet Explorer and Firefox can simply drag the page icon to the "Home" icon to set the home page preference). Malicious websites use simple HTML or javascript code embedded in the web page to automatically change the start page, however, with or without the user's consent.

Identification

• For most web browser users, it is very difficult to determine if the start page has been changed. Malicious websites rarely give any notice that the page is being changed, though some older computers may pause briefly or quickly flicker as the browser's internal setting is adjusted. Many times, the user will remain unaware of the start page hijack until the browser is closed and reopened, at which time the malicious page is displayed again. Users who wish to check their home page settings on occasion, however, can quickly determine when a hijack has taken place; perusing the browser's "Preferences" section will quickly reveal whether the selected start page is unfamiliar.

Types

• While a significant chunk of start page hijacking is done behind the scenes with no input from the user, some hijacks are actually performed by the user himself. A growing number of malicious web pages offer a pop-up box (known as an "on exit" pop-up) asking the user if he wishes to set the current page to his start or home page. Busy, inattentive or harried users may inadvertently click "yes," even without reading the dialogue in the box. Malicious webmasters may go a step further by reversing the order of the "Cancel" and "OK" buttons on the box, increasing the likelihood that an inattentive user will inadvertently click "OK." Once the selection is made, the code to change the start page is executed and the browser's settings are updated.

Benefits

• When a user happens upon an interesting, useful, or frequently visited page on the Internet, he can quickly and easily set this page to appear when his browser is first started. The process of updating this setting is fairly straightforward, though it can be somewhat streamlined if the webmaster has included a link to automatically update this setting. For the typical Internet surfer, however, the benefits end there.

  Malicious webmasters, by comparison, stand to gain additional benefits from hijacking the start pages of their website visitors. Webmasters who employ "pay per impression" advertising, for example, stand to realize a financial gain each time advertisements on their sites are displayed. Likewise, merchants who hijack start pages to display their wares gain an increased audience for their products, potentially increasing the likelihood of a sale. Truly malicious hijackings, however, may set the browser to display advertisements for expensive anti-virus and anti-spyware programs in an attempt to extort high profits from those who buy these products hoping to restore the browser's functionality.

Prevention/Solution

• When a browser's start page is hijacked, the easiest and most straightforward fix is to manually adjust the browser's settings in the "preferences" or "options" section. Some malicious webmasters, however, execute the hijack code when the page is exited, effectively undoing these manual adjustments. Newer operating systems, such as Microsoft Windows Vista and Macintosh OS X, may offer users the ability to adjust their software preferences without actually launching the program, allowing users to bypass the malicious webpage altogether. For serious start page hijacks or virus infestations, though, specialized software, such as AVG Antivirus or Trend Micro's Hijack This!, may be necessary to clean the infected computer and restore proper operation (see Resources below).