What is cyber hijacking?
Cyber hijacking, or computer hijacking, is a type of network security attack in which the threat actor takes control of computer systems, software programs and network communications.
A wide range of cyberattacks rely on hijacking in one form or another. Much like the hijacking of an airplane or criminals seizing control of an armored transport vehicle, cyber hijacking can have severe consequences for both the attacker and the victim.
Cyber hijacking tends to target industries with large amounts of sensitive data and valuable intellectual property. Such cybercrime data breaches are particularly prevalent in the healthcare and finance industries, with retail and government agencies also prime targets.
Cyber hijacking is not to be confused with cyber hacking. The former involves taking over user sessions in pursuit of login credentials, session tokens and other authentication artifacts, whereas the latter is a more general term encompassing a broader range of system and network access attempts.
Is ransomware the primary cyber hijacking threat?
Cyber hijacking is more closely tied to ransomware than to any other security threat. In the current cybersecurity landscape, seizing a system or network to demand a ransom is one of the fastest and most efficient ways for hackers to turn a profit. It is also one of the most disruptive -- harming not only the victim's bottom line, but also their reputation.
Cyber hijacking is a favored attack for hackers intent on installing ransomware. It offers a wide range of attack points and methods, making it easier to execute than many other forms of system or network invasion.
What are the different types of cyber hijacking attacks?
Cyber hijacking comes in several different forms, including the following:
- Browser hijacking.
- Domain hijacking.
- Domain name system (DNS) hijacking.
- Session hijacking.
- Clipboard hijacking.
- Page hijacking.
- Internet Protocol (IP) hijacking.
What is browser hijacking?
Browser hijacking is a tactic used by hackers and unscrupulous online advertisers to take control of a web browser. In practice, browser hijacking is most often used to redirect web traffic, alter default browser settings or force a victim to click on advertisements. However, hackers also use hijacked browsers to intercept sensitive information and even make unwitting victims download additional malware.
Victims sometimes willingly download a browser add-on or toolbar plugin bundled with browser hijacking capabilities. Usually, these developers go to great lengths to hide this fact. In other instances, hackers might exploit security flaws within browsers to force victims to install their browser hijacker, also known as hijackware.
What is domain hijacking?
When a person or group tries to seize ownership of a web domain from its rightful owner, they're attempting domain hijacking. For example, a cybercriminal could submit phony domain transfer requests in hopes of securing a trusted domain to orchestrate sophisticated phishing campaigns.
At the other end of the spectrum, a company that owns a trademarked brand name could use legal threats to pressure the owner of the web domain to transfer rights. These corporate takeover attempts are called reverse domain hijacking.
What is DNS hijacking?
DNS hijacking and domain hijacking are similar in that both are attempts to hijack control of a web domain. DNS hijacking describes the takeover in a technical sense, whereas domain hijacking is a takeover through legal coercion or social engineering.
Hackers and cybercriminals find DNS hijacking attractive because, similar to browser hijacking, successful DNS attacks enable them to redirect a victim's traffic to generate revenue through ads, create cloned websites to steal private data and even censor or control the free flow of information.
There are several ways hackers might carry out a DNS hijack. For example, they could attack vulnerabilities in the hardware and software systems used by DNS providers, or install malware on a victim's machine that is programmed to change its DNS settings. Hackers could even turn to man-in-the-middle (MitM) attacks, taking control of an established connection in order to intercept DNS messages. This enables them to read or modify the messages before retransmission, or to use DNS spoofing to divert traffic away from valid servers and toward illegitimate ones.
![A chart showing the steps in the DNS process.](https://www.techtarget.com/rms/onlineImages/networking-how_dns_works-f_mobile.png)
What is session hijacking?
Session hijacking enables hackers to gain unauthorized access to a victim's online account or profile by intercepting or cracking session tokens. Session tokens are cookies sent from a web server to users to verify their identity and website settings. If a hacker successfully cracks a user's session token, the results can range from eavesdropping to the insertion of malicious JavaScript programs.
Session hijacking was common for hackers in the early 2000s because the first version of HTTP wasn't designed to protect cookies adequately. However, in recent years, modern encryption and newer standards, such as HTTPS, have done a better job of protecting cookie data. Better cookie protection makes session hijacking less likely, albeit not impossible.
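The cookie protections this paragraph mentions, as an added example that is not code from the original article: a minimal server-side session store in Python that issues unguessable tokens, expires them, rotates them after login so a token obtained beforehand (session fixation) is useless, and emits a Set-Cookie header carrying the Secure, HttpOnly and SameSite attributes. The store, TTL and function names are assumptions made for illustration.

```python
import secrets
import time

# In-memory session store, token -> (user_id, expiry). Constructed for the example;
# a real deployment would back this with a server-side store such as a database.
SESSIONS = {}
SESSION_TTL = 15 * 60  # seconds of inactivity before a token stops working

def issue_session(user_id, now=None):
    """Mint a fresh session token and record it server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable or "crackable"
    SESSIONS[token] = (user_id, now + SESSION_TTL)
    return token

def lookup_session(token, now=None):
    """Return the user for a token, or None if it is unknown or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user_id, expiry = entry
    if now > expiry:
        del SESSIONS[token]  # expired tokens are discarded, never revived
        return None
    return user_id

def rotate_session(old_token, now=None):
    """Replace the token after login or a privilege change, invalidating the old one."""
    user_id = lookup_session(old_token, now)
    if user_id is None:
        return None
    del SESSIONS[old_token]
    return issue_session(user_id, now)

def session_cookie_header(token):
    """Set-Cookie value: Secure keeps the token off plaintext HTTP, HttpOnly keeps it
    away from page scripts, SameSite keeps it out of cross-site requests, and the
    __Host- prefix makes browsers enforce Secure and Path=/ with no Domain override."""
    return (f"__Host-session={token}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={SESSION_TTL}")

def cookie_is_hardened(set_cookie):
    """Check a Set-Cookie header for the three attributes that blunt session hijacking."""
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie.split(";")[1:]}
    return {"secure", "httponly", "samesite"} <= attrs
```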
What is clipboard hijacking?
Copying and pasting images, text or other information temporarily stores that data in the area of memory known as the clipboard. Clipboard hijacking happens when hackers replace the contents of a victim's clipboard with their own -- often malicious -- content. Depending on the technical ability of the attacker, clipboard hijacking can be hard to detect, and victims can spread the injected content inadvertently when they paste it into web forms.
What is page hijacking?
Also known as 302 redirect hijacking or URL hijacking, a page hijacking attack tricks web crawlers used by search engines into redirecting traffic to the hacker. The web community introduced 302 HTTP responses to give website owners a way to temporarily redirect users -- and search engine crawlers -- to a different URL in cases where a website is undergoing maintenance or testing.
Bad actors realized that, by implementing carefully planned 302 redirects, they could take over a victim's site in search engine results. Web crawlers mistake a new page -- created and owned by the hijacker -- for an honest redirect target of the old page. Essentially, all the victim's page authority and ranking signals are transferred to the hijacker's page because the web crawler falsely assumes that the victim configured the redirect.
While still technically possible, page hijackings decreased as web crawlers became more sophisticated.
What is IP hijacking?
Routers used by internet service providers (ISPs) rely on a routing protocol known as Border Gateway Protocol (BGP). BGP is designed so that routers operated by one provider can announce to routers operated by other providers the IP address blocks that provider owns.
IP hijacking happens when an attacker compromises or masquerades as an ISP and claims to own IP address blocks it does not. When this happens, traffic destined for one network is redirected to the hacker's network. The hacker then becomes a MitM and can carry out a range of attacks, from eavesdropping to packet injection -- covertly inserting forged packets into a communication stream -- and more.
Due to its high level of difficulty, IP hijacking is usually the work of hostile government actors or well-funded cyber gangs. Furthermore, although BGP-based IP hijacking is well known, the real-world extent of the threat is hard to study because of the walled-off nature of ISPs.
![A diagram showing how BGP performs backbone route sharing.](https://www.techtarget.com/rms/onlineImages/BGP_backbone_mobile.png)
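The standard defense against the BGP-based IP hijacking described above is route origin validation, in which a router checks each announcement against the Route Origin Authorizations (ROAs) published in the RPKI. As an added example that is not part of the original article, the check below implements the RFC 6811 classification in Python: an announcement is valid if a covering ROA names its origin AS and respects the ROA's maxLength, invalid if ROAs cover the prefix but none match (the hijack case), and not-found if no ROA covers it. The ROA set is constructed sample data using documentation address space and private ASNs, not any real operator's routes.

```python
import ipaddress

# ROAs as published in the RPKI: (prefix, maxLength, authorized origin ASN).
# Constructed sample data: documentation prefixes and private ASNs, not real routes.
ROAS = [
    ("192.0.2.0/24", 24, 64500),     # AS64500 may originate exactly 192.0.2.0/24
    ("198.51.100.0/22", 24, 64501),  # AS64501 may originate the /22 or any /23 or /24 inside it
]

def roa_covers(roa_prefix, announced):
    """A ROA covers an announcement when the announced prefix lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa_prefix)
    return announced.version == roa_net.version and announced.subnet_of(roa_net)

def roa_matches(roa, announced, origin_asn):
    """A covering ROA matches only if the announcement is no longer than maxLength and
    names the authorized origin AS; a hijacker fails at least one of these two tests."""
    roa_prefix, max_length, asn = roa
    return (roa_covers(roa_prefix, announced)
            and announced.prefixlen <= max_length
            and origin_asn == asn)

def validate_origin(prefix, origin_asn, roas=ROAS):
    """Route Origin Validation per RFC 6811: 'not-found' when no ROA covers the prefix,
    'valid' when at least one covering ROA matches, 'invalid' otherwise."""
    announced = ipaddress.ip_network(prefix)
    covering = [roa for roa in roas if roa_covers(roa[0], announced)]
    if not covering:
        return "not-found"
    if any(roa_matches(roa, announced, origin_asn) for roa in covering):
        return "valid"
    return "invalid"

def filter_announcements(announcements, roas=ROAS):
    """Router policy: drop 'invalid' announcements; keep 'valid' and, for reachability
    of prefixes whose owners have not yet published ROAs, 'not-found'."""
    return [(prefix, asn) for prefix, asn in announcements
            if validate_origin(prefix, asn, roas) != "invalid"]
```

Note that a more-specific announcement beyond the ROA's maxLength is rejected even from the legitimate AS, which is what stops the classic "announce a /25 inside the victim's /24" hijack from winning longest-prefix match.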
Recent cyber hijacking attacks
In November 2024, retail and grocery supply chain software supplier Blue Yonder experienced a ransomware attack. The attack severely disrupted warehouse management systems and caused internal payroll issues. The hackers stole 680 gigabytes (GB) of Blue Yonder data, including thousands of email lists and more than 200,000 insurance documents. The Termite gang claimed responsibility for the breach.
A month earlier, an overseas ransomware attack on Casio in Tokyo gave hackers access to its employees' personal data and information on its business partners. This included contract, invoice and sales data and a large cache of internal legal documents -- only the customer database was untouched. The hackers used a phishing scheme to execute the attack, grabbing 204 GB of sensitive data.
In 2020, hackers compromised software company SolarWinds' Orion IT monitoring and management software, which is used by thousands of government agencies and businesses around the world. The hackers -- suspected to be nation-state actors -- deployed malicious code in Orion, thereby gaining access to the data, systems and networks not just of SolarWinds customers, but also of those customers' own customers and partners.
The SolarWinds attack is an example of cyber hijacking in that the hackers hijacked Orion's software compilation process to place a backdoor inside legitimate, digitally signed software updates. SolarWinds then pushed these updates out to customers, including tech behemoths Microsoft and FireEye, as well as U.S. government agencies, including the departments of Homeland Security, State, Commerce and Treasury.
How can organizations protect against cyber hijacking?
Some of the best defenses against cyber hijacking attacks are also some of the easiest to implement and include the following measures:
- Use strong password policies. Change passwords frequently and avoid reusing the same password across other systems.
- Implement multifactor authentication. Adopt a system that uses two or more credentials to verify a user's identity to log in to a system.
- Use virtual private networks. VPNs encrypt internet traffic and mask the organization's IP address.
- Implement network firewalls. Use firewalls to filter network traffic and block attacks.
- Regularly update software. Apply security patches as soon as possible.
- Conduct penetration testing. Perform pen testing and vulnerability scanning regularly.
- Create an incident response plan. Ensure the plan for response and recovery is well designed and up to date.