Skip to main content


The hijacking or kidnapping it is an attempt to take over a specific element of the Internet environment through unauthorized routes. At the same time as URL hijacking, there are also domain, DNS, browser, TCP, session hijacking and much more.

Browser hijacking

Browser hijacking is normally done by means of a very small software program on the PC that it does not show due to its size. This program overwrites the default functions of a web browser without the authorization and knowledge of the user. Removing this type of software usually takes a lot of effort.

How could it work

  • The home page of the affected browser is overwritten. The user is automatically directed to the hijacker's website when he starts his browser.
  • The search engine does not show the regular ranking, but instead is redirected to the hijacker's search engine page. The hijacker makes money on this page through commercial promotion.
  • When you try to enter a particular shopping website, a page that belongs to an advertiser associated with the hijacker will show up instead, without you even noticing.


For such software to be installed on a PC, the owner's approval is first required. This occurs unknowingly when you click Accept in a pop-up window. These windows can also include false security alerts that the user intuitively wishes to deactivate with OK. To prevent this type of software from installing on your PC, you should always briefly evaluate the pop-up window. In case of doubt, never click ok.

Domain Hijacking

In domain hijacking, a domain is illegally taken from the rightful owner. Its most aggressive form is domain theft. These scammers usually have access to the domain registry through the Identity Theft. The hijacker assumes the identity of the rightful owner and modifies the registry information to reassign the domain to himself and thus steal it. Some registry services act quickly when such fraud is detected. However, it also happens that measures are only taken when they are applied by law. In some cases, the hijacker can maintain control of the domain. In most cases, the victims do not have the will or the financial means to carry out lengthy and slow legal proceedings that would return ownership. The fact that the kidnappers act in another country is also a deterrent factor. Meanwhile, the hijacker has full control over the domain and can freely own content or redirect HTTP status codes.


In many domain registrations, there is the opportunity to work with a special authentication code that only the domain owner knows. This provides protection against unauthorized access.

Contrast with the legal acquisition of expired domains

Domain hijacking should not be confused with acquisition of expired domains. In the latter, the value of expired domains is used. Shortly after a domain expires or is deleted, backlinks, PageRank, and trust in the domain still exist. This makes the domain valuable, since it means that a lot of traffic keeps coming to it. As long as search engines don't detect that the web portal has new content, its new owners can charge. However, over time, a website of this type loses its value. These expired domains can be bought legally.

Content Hijacking

In content hijacking, the content of other websites is published as your own. This is done by means of duplicate content that will be detected by search engines, however. Another way is to integrate a condensed version of the existing content on your website that is partially automated. Content theft may result in the website with the original content losing PageRank, while the page with the stolen content appears higher in search results. Therefore, the latter gets more traffic and can be profitable, for example, through online business promotion.

DNS hijacking

In DNS hijacking, an attacker stands as a man in the middle between the DNS client and the DNS server. In this position, you can intercept, read and manipulate all messages.

URL hijacking

In URL hijacking, a page is incorrectly removed from search engine ranking and replaced by a page linked to it.

Network hijacking

In network hijacking, an insecure server that is part of an intranet, wireless local area network (WLAN), or equivalent network takes over. Often the 'actual server owner hangs.

Typo hijacking / typographic hijacking

For this case, the types of search engines are exploited. Many times, well-known versions of websites with incorrect spelling are used to direct you to a different page. Thus, the hijacker can benefit from the prominence of the web portal.

Search engine hijacking

Search engine hijacking can occur with browsers that offer a separate field for search engines, so you do not have to separately call the respective web portal. In the past it happened that the search engine was inadvertently changed to another with keyword.URL. In response, Mozilla made changes to versions 19 and 20 of the Mozilla Firefox web browser in late 2012. Users must first confirm a change to the default search engine.

TCP hijacking

TCP hijacking refers to the acquisition of a foreign TCP connection. The goal may be to take over the connection while taking down a communication partner. On the other hand, you can keep the connection to inject instructions.

Session hijacking

Session hijacking refers to the exploitation of a valid session. For this, the session ID must be stolen, which can be done through passive listening when it is sent to the other server through cookies in many apps. As long as the session ID is valid, the attacker is in control of the session and can use or abuse the app on behalf of the actual owner.


  • The basis of any data transmission on the Internet must be an HTTPS connection, which encrypts the data using SSL, as in the case of encrypted search. When data packets are intercepted, the content must be decrypted to get the session ID.
  • Protection against cross-site scripting is also useful. These prevent smuggling JavaScript code and cookie reading.
  • Session IDs should not be included in the URL. These are stored in log files and can be easily read by attackers.

Web Links