
How do ads hijack my Back Button? Back-button-hijack in the US


According to a report on cybersecurity by USA Today, the cost of Malvertising in the US would reach a massive $9.5 trillion in 2024 and exceed $10.5 trillion in 2025. In AdSecure’s Report on Malvertiser activity in the US vs in the EU for Q1 2024, we detected that 14.8% of all worldwide violations took place in the US. The top violation in this GEO was Back-button-hijack, constituting 26.8% of all violations country-wide and a whopping 41.1% inside its own category, User Experience. So, what is a Back-button-hijack violation, and why are such Malvertising attacks so popular in the US? Keep reading to find the answers to 'How do ads hijack my Back Button?' and 'How to prevent Malvertisers hijacking browser back button?'

What is a Back-button-hijack attack and why is it dangerous for the end user?

First of all, let's find out 'How do ads hijack my Back Button?' The function of the back and forward buttons in your browser is to help end users navigate across the pages stored in their browser history. Back Button Hijacking is an ad security threat which uses code to manipulate the end user’s browser history: it inserts one or several redirects into the history, and those redirects forward the end user back to a specific page, keeping them stuck there. So, if you have ever tried to go back to the previous or original page that you were viewing but instead ended up trapped in a reloading loop on the same page, chances are that your browser history has been hijacked! This is how ads hijack end users' Back Buttons.

If the Back-button redirection code is designed only to manipulate your browser history to keep you on the same page, then this violation will be very annoying but it doesn’t go beyond that. However, the script could be malicious and pose a real ad security issue, for instance, redirecting the end user to a malicious or infected page! This could pose a real risk of getting sensitive personal information harvested by cyber criminals, or being spied on by hackers. All the more reason, either as a Publisher or an Ad Network, to implement ad security measures to prevent this and other violations!

This abusive behavior of hijacking an end user's browsing history has been considered a violation by Google Advertising Policies. Namely, ‘sites that disable or interfere with the browser’s back button’ are not allowed.

Why are Back-button-hijack attacks popular and how do they affect American online businesses?

Back-button Hijacks can be used as an illegitimate marketing technique by American Malvertisers: They don't want the end user to leave the page where they have landed, because as long as they're there, they will be clicking stuff and potentially generating more income or downloading Malware. It can even buy the Malvertisers more time to steal the end user's data!

So the Back-button-hijack keeps the end user stuck on the page: When they press back, they go back to the redirect. The redirect sends them back to where they started in a closed loop, or to an entirely new page with unwanted content, where they can come across Phishing attacks, Ransomware, Unwanted Programs and similar scary tactics.
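The loop described above leaves a recognisable pattern in a browser event trace, which the following added example checks for; it is not code from AdSecure or from the original article. The trace format, the function name detectBackButtonHijack, the two thresholds and the sample URLs are assumptions made for illustration.

```javascript
// Added example: flag back-button hijack patterns in a recorded browser event trace.
// The trace format ({t, type, url}) and both thresholds are assumptions, e.g. the
// output of a scanner that instruments the History API in a sandboxed browser.
const GESTURE_WINDOW_MS = 1000; // script activity this soon after a click is user-driven
const RETRAP_WINDOW_MS = 500;   // script navigation this soon after Back is a re-trap

function detectBackButtonHijack(events) {
  const findings = [];
  let lastGesture = -Infinity; // last click/keypress inside the page
  let lastBack = -Infinity;    // last popstate, i.e. the user pressed Back
  for (const ev of events) {
    if (ev.type === 'gesture') { lastGesture = ev.t; continue; }
    if (ev.type === 'popstate') { lastBack = ev.t; continue; }
    if (ev.type !== 'pushState' && ev.type !== 'navigate') continue;
    if (ev.t - lastGesture <= GESTURE_WINDOW_MS) continue; // user asked for it
    if (ev.t - lastBack <= RETRAP_WINDOW_MS) {
      // Back was pressed and script immediately sent the user forward again.
      findings.push({ rule: 'redirect-after-back', t: ev.t, url: ev.url });
    } else if (ev.type === 'pushState') {
      // Extra history entry planted without any interaction.
      findings.push({ rule: 'history-entry-without-gesture', t: ev.t, url: ev.url });
    }
  }
  const trapped = findings.some((f) => f.rule === 'redirect-after-back');
  const verdict = trapped ? 'hijack' : findings.length ? 'suspicious' : 'clean';
  return { verdict, findings };
}

// Constructed sample traces (not captured from a real ad).
const trapTrace = [
  { t: 0, type: 'load', url: 'https://ad.example/landing' },
  { t: 40, type: 'pushState', url: 'https://ad.example/landing#1' },
  { t: 45, type: 'pushState', url: 'https://ad.example/landing#2' },
  { t: 8000, type: 'popstate', url: 'https://ad.example/landing#1' },
  { t: 8010, type: 'navigate', url: 'https://ad.example/landing' },
];
const spaTrace = [
  { t: 0, type: 'load', url: 'https://shop.example/' },
  { t: 3000, type: 'gesture', url: 'https://shop.example/' },
  { t: 3020, type: 'pushState', url: 'https://shop.example/item/7' },
  { t: 9000, type: 'popstate', url: 'https://shop.example/' },
  { t: 9005, type: 'replaceState', url: 'https://shop.example/' },
];

console.log(detectBackButtonHijack(trapTrace).verdict, detectBackButtonHijack(spaTrace).verdict);
```

The first trace is reported as a hijack because history entries appear with no user interaction and a script navigation follows the Back press within the re-trap window; the single-page-app trace, where the only pushState follows a click, is reported as clean.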

This attack can really damage online businesses in the US and, really, across the world because it often results in a heavily impaired end user experience or even threatens the end user's safety, thus directly impacting the brand reputation and Google ranking of the website where the online scam was found:

  • Loss of trust for the brand and frustration: An end user who has landed on a website and found themselves trapped in it will not only have a frustrating experience, but is also likely to end up avoiding the page altogether in the future.
  • Security concerns and data protection: This is obviously especially true in those cases where the redirects happen in order to allow the Malvertiser enough time to steal end user data. But in general, an end user who suddenly realizes they are stuck on a page will most likely assume that they are on a fraudulent page or that their data has been compromised, which once again negatively affects your brand reputation as a website Publisher.
  • Indirect effects on website performance: Your website being seen as unreliable, annoying and dangerous by end users results in lower traffic numbers and fewer backlinks, which affects your Google ranking, metrics and revenues.

Why is Malvertising difficult to track in the US?

According to a recent report by the US Government Accountability Office, the US federal law enforcement’s efforts have limitations that have left the country less prepared to combat these crimes. First off, Malvertising victims, either individuals or online businesses, don’t always know where to report an online attack, and sometimes aren't even aware that something can be done about it, which makes them hesitant to report it. For US businesses this can represent a huge hazard to their brand reputation.

On the other hand, the very nature of Malvertising makes it difficult for law enforcement to detect: Through the internet, Malvertisers can remain anonymous, and they can also launch their attacks from other states or internationally. This means that in some cases law enforcement has to coordinate with other countries, which will have different policies and regulations than the US, adding challenges to prevention operations.

But probably the biggest factor contributing to the US being more vulnerable to Malvertising is that American federal law enforcement faces internal limitations that prevent it from fully utilizing the information provided by Malvertising victims. The main one is that federal law enforcement agencies such as the FBI, Secret Service and Drug Enforcement Administration do not define Malvertising the same way. This means that what is considered Malvertising at one agency may not be at another, impacting each agency’s ability to communicate information and join efforts. Federal agencies also lack a central repository for the Malvertising data collected through portals and other means, which makes it difficult to look at these attacks historically.

All this combined makes the US a great target for Malvertisers across the world, so there is a real need for Ad Networks and Publishers to use dedicated software to protect their end users and clients from such attacks. 

How to protect your end users against Malvertising in the US and worldwide!

Back Button Hijack is not only an abusive behavior forbidden by Google, but also exposes end users to unsafe ad content. We can help our Publisher and Ad Network clients to monitor their whole ad supply chain and keep their end users safe. Whenever Back Button Hijack scripts are detected, the AdSecure system will notify our clients in real time so they can perform informed actions on their campaigns. Get in touch to learn more or why not try AdSecure now for free?
