
How to stop Back Button Hijack

By Guandi

February 17, 2023


According to AdSecure’s Violations report 2022, 18.9% of User Experience Violations were Back Button Hijack detections. Back Button Hijack detections increased by 6.3% from Q4 2022 to Q1 2023, with cybercriminals targeting mobile (44.1%) and desktop (55.9%). But what exactly is Back Button Hijack? In an era where we do most of our searches online, you have probably experienced this situation: you click the back button of your browser to return to the previous or original page you were browsing, and instead of taking you back, you are trapped in a loop on the same page - and this page keeps reloading again and again! If you have been in this confusing situation, your browser history has been hijacked!

The function of the back/forward button on your browser is simply to navigate you across the pages stored in your browser history. Back Button Hijacking is an ad security threat which manipulates the end user’s browser history: it inserts one or several redirects into that history so that pressing back forwards the user to that specific page again, keeping them stuck there. This abusive behavior of hijacking a user's browsing history is considered a violation by Google Advertising Policies. See below the description for Destination Experience requirements:

Are you then wondering how to stop Back Button Hijack? Keep on reading to learn more about this ad security threat!


Why is Back Button Hijack one of the most popular advertising tactics?

Malvertisers who hijack the back button insert scripts that direct users to a different page when the back button is clicked. They want users to stay on their page or site longer rather than leaving the website right away. With the script, users can be directed to any page: it could be exactly the same page, an ad, or any place that could help the website owner generate more revenue. The cyber criminal wants to control the end user’s browsing experience for some kind of gain.

If the page inserted between the current page and the previous page is an ad, then every time the user clicks on the back button, the page will reload and generate a new ad. The more impressions the ads on a website get, the more revenue for the owner. For this reason, lots of marketers use Back Button Hijacking as a tactic to get a second chance for their product or service to be seen, which results in more profit.
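
The two behaviours described above (entries inserted into the browser history, and a script reacting when the back button is pressed) can be checked for in a recorded trace of History API activity. The following is an added example, not AdSecure's detection code; the trace schema, function names, thresholds and sample URLs are assumptions made for illustration.

```javascript
// Added example. Log every pushState/replaceState call together with whether
// a user gesture was active. In a browser (assumption: UserActivation API):
//   instrumentHistory(window.history, () => navigator.userActivation.isActive, [])
function instrumentHistory(historyObj, isUserActive, trace, now = Date.now) {
  for (const name of ['pushState', 'replaceState']) {
    const original = historyObj[name].bind(historyObj);
    historyObj[name] = (state, title, url) => {
      trace.push({ t: now(), type: name, url: String(url ?? ''), userActive: isUserActive() });
      return original(state, title, url);
    };
  }
  return trace;
}

// Analyse a time-ordered trace. Event types used here (hypothetical schema):
// pushState, replaceState, popstate (Back/Forward pressed), navigate (redirect).
function detectBackButtonHijack(trace, { windowMs = 1000, maxSilentPushes = 1 } = {}) {
  const findings = [];
  // Rule 1: history entries stacked up while no user gesture was active.
  const silent = trace.filter(e => e.type === 'pushState' && !e.userActive);
  if (silent.length > maxSilentPushes) {
    findings.push({ rule: 'history-stuffing', count: silent.length });
  }
  // Rule 2: a Back press answered within windowMs by a new entry or a redirect.
  trace.forEach((e, i) => {
    if (e.type !== 'popstate') return;
    const reaction = trace.slice(i + 1).find(n =>
      n.t - e.t <= windowMs && !n.userActive &&
      (n.type === 'pushState' || n.type === 'navigate'));
    if (reaction) findings.push({ rule: 'back-intercept', via: reaction.type, url: reaction.url });
  });
  return findings;
}

// Constructed traces, not captured from a real creative or site.
const hijackTrace = [
  { t: 0, type: 'pushState', url: '/offer', userActive: false },
  { t: 5, type: 'pushState', url: '/offer', userActive: false },
  { t: 4000, type: 'popstate' },
  { t: 4010, type: 'navigate', url: 'https://ads.example/landing', userActive: false },
];
const spaTrace = [
  { t: 0, type: 'replaceState', url: '/home', userActive: false },
  { t: 2500, type: 'pushState', url: '/products', userActive: true },
  { t: 6000, type: 'popstate' },
];
console.log(detectBackButtonHijack(hijackTrace), detectBackButtonHijack(spaTrace));
```

Both rules are heuristics: single-page applications legitimately call pushState, so a finding is a prompt for review of the page or creative rather than a verdict.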

Is Back Button Hijack an ad security threat to end users?

If the redirection page or JavaScript inserted is designed only to manipulate the user's browser history, then it will simply cause a deeply annoying user experience for them. However, the script could be malicious and pose a real ad security issue, which means that the user could be at serious risk of having their sensitive personal information accessed by cyber criminals, or of being spied on by hackers. That is an even more compelling reason, either as a publisher or an ad network, to learn how to stop Back Button Hijack threats!

Dan Petrovic, SEO expert, once did an experiment on recording user behavior on his competitor's websites by hijacking the user's back button. Once visitors landed on his website and clicked the back button in order to go back to the Google results page, his JS code sent the users to a copy of his SERP (Search Engine Results Page). Then, when users clicked on any competitor's name, it would take them to a mirror of his competitor's site, where he was able to generate heatmaps and scrollmaps, and record screen interactions and typing. Interestingly, he found out that only about 50% of users found anything suspicious on his fake site, so this tactic has the potential to represent a huge ad security threat for the end user!

If a hacker uses this tactic to redirect users to a phishing site, then any information users provide while on that site can be monitored or recorded, which could lead to critical information or financial loss.

Example: Back Button Hijack detected by AdSecure

How to stop Back Button Hijack with AdSecure

It is the responsibility of ad networks and publishers to learn how to stop Back Button Hijack and protect end users against this and other ad security, experience or advisory threats. Back Button Hijack is not only an abusive behavior forbidden by Google; it also exposes end users to unsafe ads or unwanted content. At AdSecure, we can help our clients monitor their whole ad supply chain and keep their end users away from such manipulative behavior and negative user experience.

Whenever Back Button Hijack scripts are detected, the AdSecure system will notify our clients in real time so they can take informed action on their campaigns. They can also take the time to educate their advertisers about the negative experience that browser hijacking brings, preventing them from repeating this mistake in the future, and keeping their ads and campaigns fully compliant. This is a hugely necessary detection to keep track of, especially if you want to strengthen your business relationship with your partners and maintain a positive reputation for your business and your ad quality.

It is time to take ad security threats seriously! To learn more about how to stop Back Button Hijack and what other threats AdSecure can detect, check out our detection table.

Get in touch for more information on AdSecure's services!