Wonderstab.com

Cybersecurity researchers have analyzed a rogue browser extension known as the Wonders Tab and found it to be specifically designed to promote a fake search engine called wonderstab.com. Upon installation, the Wonders Tab extension alters browser settings to redirect users forcibly to the wonderstab.com site. Because of this intrusive behavior, the Wonders Tab is classified as a browser hijacker.

Wonderstab.com Takes Over and Replaces Fundamental Browser Settings

Browser hijackers alter the default search engines, homepages, and new tab settings of Web browsers. As a result of these changes, users might be redirected to a promoted website when they type a search inquiry into the URL bar or open a new tab. The Wonders Tab operates in this way, directing traffic to the fake search engine wonderstab.com.

Fake search engines like wonderstab.com cannot generate their own search results. Instead, they redirect users to legitimate search engines. For instance, wonderstab.com has been observed creating various redirection chains that eventually led to the genuine Yahoo search engine.

The redirection paths can vary with each search attempt, potentially influenced by the user's geolocation data. Some of the suspicious Web addresses that wonderstab.com redirects through include kosearch.com, myhoroscopepro.com, favisearch.net, and search-more.com before finally landing on Yahoo. However, both the redirection chains and the final landing page may differ.

Browser hijackers often employ mechanisms to ensure their persistence. These can include restricting access to settings related to their removal or undoing changes made by users, thus preventing the browser from being restored to its original state.

Additionally, the Wonders Tab might have data-tracking capabilities, a common feature among browser hijackers. Information collected may include visited URLs, viewed Web pages, search queries, Internet cookies, account log-in credentials, personally identifiable information and financial data. This gathered information can be monetized through sales to third parties.

Browser Hijackers Often Attempt to Mask Their Installations by Utilizing Questionable Distribution Tactics

Browser hijackers often use deceptive distribution tactics to mask their installations and avoid detection by users. Here are some common methods they employ:

• Bundling with Free Software: Browser hijackers are frequently bundled with legitimate free software downloads. When users install the desired software, the hijacker is installed alongside it, often without explicit consent or with consent buried in the fine print of the installation process.
• Misleading Installation Prompts: During software installation, users might be presented with misleading prompts or pre-checked options that authorize the installation of the browser hijacker. These prompts are designed to look like essential parts of the main software installation, causing users to agree to install the hijacker inadvertently.
• Fake Software Updates: Some hijackers disguise themselves as critical software updates, such as updates for popular browsers, media players or system utilities. Users who are tricked into believing they are updating legitimate software end up installing the hijacker.
• Phishing Emails: Hijackers can be distributed through phishing emails that contain links or attachments leading to the download of the malicious software. These emails usually appear to come from legitimate sources, tricking users into clicking on them.
• Malicious Advertisements (Malvertising): Browser hijackers can be spread through fraudulent online advertisements. Clicking on these ads can initiate the download and installation process without the user realizing what is happening.

By employing these tactics, browser hijackers can stealthily integrate into users' systems, often remaining unnoticed until they begin to alter browser settings and redirect user activity.