fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Search hijackers change Chrome policy to remote administration

Search hijackers change Chrome policy to remote administration

Search hijackers change Chrome policy to remote administration

The latest type of installer in the saga of search hijacking changes a Chrome policy which tells users it can’t be removed because the browser is managed from the outside.

As you can imagine, that has freaked out quite a few Chrome users.

We have talked about the search hijacker’s business model in detail. Suffice to say, it is a billion-dollar industry and a lot of search hijackers want a piece of this action as even a small portion can amount to a hefty income.

One search hijacker doesn’t generate large amounts of cash for threat actors, like ransomware or banking Trojans. So, the publishers are always looking for ways to get installed on large numbers of systems and stay installed for as long as possible.

It also should not come as a surprise that ethics are no priority for many of them. As long as they can rake in their redirect fees, they couldn’t care less about your inconvenience of being stuck with a default search provider that you would not have picked yourself.

Also read: Things to Know about the Spam Control Act (Singapore)

What have they done this time?

We were alerted by some of our customers who said they were unable to remove Chrome extensions as they ran into this restriction:

Basically, this is telling the user that the browser may be managed outside of Chrome and the administrator has installed an extension. Even users that have Administrator accounts on the affected systems are unable to remove these extensions.

The extension in question is easily spotted in an overview of all the installed extensions as it is the one that has no “Remove” option.

There is no “Remove” button for the spotted search hijacker

We have found several of these search hijackers in the Chrome webstore but installing them from there does not lead to the “managed browser symptoms.” It takes a Windows installer to make the necessary registry changes, so users that installed it from the webstore should be able to remove it themselves in the normal way.

Installed from the webstore the extensions have a “Remove” button

What all the hijackers that use the managed browser technique have in common is that they add the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist    
 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist

under which the forced extensions are numerated as registry values like this:

"1"="REG_SZ", "lpfpbajbnhddlpljjnfndngbkkfkjfna;https://clients2.google.com/service/update2/crx"

The description in the Chromium documentation about the ExtensionInstallForcelist states:

Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.

How do these hijackers land on victim’s systems?

We are not completely sure but we did manage to round up some stand alone installers from the Temp folder on affected Windows systems. And it looks as if these installers were part of a bundler.

What victims will typically see is an installer notice like this one:

and then nothing until they open Chrome and see this new tab:

and the “your browser is managed by a remote administrator” type of comment scattered throughout the Chrome menu and settings.

Search hijackers in general

Search hijackers come in different flavors. Basically, they can be divided into three main categories if you look at their methodology:

  • The hijacker redirects victims to the best paying search engine.
  • The hijacker redirects victims to their own site and show additional sponsored ads.
  • The hijacker redirects victims to a popular search engine after inserting or replacing sponsored ads.

By far the most common vehicle are browser extensions, whether they are called extensions, add-ons, or browser helper objects. But you will see different approaches here as well:

  • The extension lets the hijacker take over as the default search engine.
  • The extension takes over as “newtab” and shows a search field in that tab.
  • The extension takes permission to read and change your data on websites. It uses these permissions to alter the outcome of the victim’s searches.

This family is of the kind that uses their own site as a redirect to the search engine they get paid by, and the extension takes over as default search engine. The default is the one that gets queried when the user searches from the address bar.

Removal

Malwarebytes recognizes these hijackers and removes them from affected systems. You can find a few removal guides on our forums:

Removal guide for Mazy Search

Removal guide for SearchSpace

And at the rate they are pushing out new ones, more will probably follow.

IOCs

Extension identifiers

fhmghdmcgkkdadabbnkmnejhoncccjio (Capita)

lpfpbajbnhddlpljjnfndngbkkfkjfna (search space)

fifailmmmlkdabfkkoejgffjdfgbieji (Mazy)

Domains

search-space.net

mazysearch.com

capita.space

defaultsearch.link

Also read: Free Privacy Policy Compliance Review

Stay safe everyone!

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us