Of all the forms of malicious software targeting Macs, a browser hijacker is probably one of the most annoying. Once your device is infected, your web browsing preferences slip out of your control, and your traffic is forcibly forwarded to unwanted and malicious websites. Although this type of attack can’t be considered severe, it is nonetheless exasperating, especially when you have to deal with ads that won’t close. So, if a browser hijacker has slipped into your system, your Mac will require a thorough cleanup.
One of the most recent browser hijackers terrorizing Mac users is Search Baron, or Searchbaron.com. This browser hijacker has infiltrated several Mac computers over the past few weeks and has caused some major chaos in the security industry. The malware manifests itself by taking control of the browser’s default internet settings to redistribute the user’s web traffic. When the affected user tries to visit a website, the hop through Searchbaron.com is not visible, and the user only sees the traffic being redirected to bing.com.
What is Searchbaron.com?
Searchbaron.com is a malicious website that supposedly improves the user’s browsing experience by generating better search results. This website is usually promoted by various rogue applications and potentially unwanted programs that infect computers without the victim’s knowledge.
Searchbaron.com is usually distributed via deceptive pop-up ads, fake Flash Player installers, torrent file downloads, and free software installers (bundling). One of the legitimate apps that Searchbaron.com attaches itself to is Spaces, a program that allows users to connect with fellow workers and network with professionals.
However, unlike most browser hijackers, Searchbaron.com does not modify browser settings. The malware detects whenever the user types in a search query and then redirects the traffic to searchbaron.com, which then initiates another chain of redirects to bing.com via the Amazon AWS service. In the end, the user ends up searching via Bing even though it is not the default search engine. Redirects like this are not particularly harmful since Bing is also a legitimate search engine. However, they can significantly affect the user’s browsing experience.
You also need to keep in mind that potentially unwanted programs (PUPs) and fake search engines are designed to collect sensitive information from the user, including IP addresses, browsing history, web pages viewed, search queries, and other seemingly unimportant details. The gathered information is then shared with or sold to third parties to generate revenue. This not only causes more annoying ads to appear on your Mac, but can also lead to serious privacy issues or even identity theft.
On top of all this, removing the Searchbaron.com redirect from your browser can be quite complicated, because the malware keeps coming back if its components are not all completely deleted. You need to get rid of Searchbaron.com thoroughly to prevent re-infection.
How is Searchbaron.com Being Distributed?
Browser-hijacking software usually gets into computers without the users’ knowledge, since its authors or other cybercriminals distribute it via intrusive ads or through a deceptive marketing method called bundling. Intrusive advertisements redirect the user to suspicious websites, some of which run scripts to download or install unwanted applications.
Bundling, on the other hand, is the stealth installation of third-party apps together with legitimate software. Developers understand that most users rush through installation, do not read the instructions, and skip steps. Therefore, bundled apps are usually hidden behind the Custom/Advanced options of the installer.
There are also users who prefer to watch advertisements to skip some installation steps, without realizing that they are inadvertently installing rogue apps. By doing this, the users expose their systems to the danger of various malware and compromise their data privacy.
How Does Searchbaron.com Work?
At first, the idea behind this browser-hijacking attack doesn’t make much sense. When you think about it, why give a Mac’s browser settings an overhaul, only to take the user to Bing, which is an authentic search engine? The logic behind this campaign is more subtle than it appears, though. Whenever the redirect occurs, it follows a complicated path that involves intermediate domains, including the known-malicious searchnewworld.com or other web pages hosted on the AWS (Amazon Web Services) platform. The hostname searchroute-1560352588.us-west-2.elb.amazonaws.com is one of those AWS-hosted pages that has been reported by several Mac users.
The use of legitimate cloud networks for parking suspicious web resources makes it easier for cybercriminals to evade blacklisting. You’ll notice that these sites are not visibly shown in the browser, but are actually visited as part of the rerouting. The malware thereby drives traffic to specific web pages while making it seem like the only resolved website is Bing.com. This trick is nothing new, but it has been an effective way to intercept traffic for monetization purposes.
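The intermediate hops never show in the address bar, but they do show in proxy or DNS logs. The following is an added example, not part of the original article: it stitches per-client redirect responses into chains and reports the ones that land on Bing after passing through a host named above. The log format, URL paths and client addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts the article names as hops in the Search Baron redirect chain.
WATCHLIST = ("searchbaron.com", "searchnewworld.com",
             "searchroute-1560352588.us-west-2.elb.amazonaws.com")

# Constructed proxy log (not real traffic): client, status, URL, Location header.
SAMPLE_LOG = """\
10.0.0.5 302 http://www.searchbaron.com/v1/hostedsearch?keyword=vpn http://searchnewworld.com/r?q=vpn
10.0.0.5 302 http://searchnewworld.com/r?q=vpn http://searchroute-1560352588.us-west-2.elb.amazonaws.com/go?q=vpn
10.0.0.5 302 http://searchroute-1560352588.us-west-2.elb.amazonaws.com/go?q=vpn https://www.bing.com/search?q=vpn
10.0.0.5 200 https://www.bing.com/search?q=vpn -
10.0.0.9 200 https://www.bing.com/search?q=weather -
"""

def host(url):
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def on_watchlist(h):
    return any(h == w or h.endswith("." + w) for w in WATCHLIST)

def redirect_chains(log):
    """Stitch each client's consecutive 3xx responses into chains of URLs."""
    pending, finished = {}, []   # pending: (client, expected next URL) -> hops
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue             # skip malformed lines
        client, status, url, location = parts
        hops = pending.pop((client, url), []) + [url]
        if status.startswith("3") and location != "-":
            pending[(client, location)] = hops
        else:
            finished.append((client, hops))
    return finished

def hidden_hops(log, landing="bing.com"):
    """Chains that end on `landing` after passing through a watchlisted host."""
    hits = []
    for client, hops in redirect_chains(log):
        via = [host(u) for u in hops[:-1] if on_watchlist(host(u))]
        if via and host(hops[-1]) == landing:
            hits.append((client, via))
    return hits

if __name__ == "__main__":
    for client, via in hidden_hops(SAMPLE_LOG):
        print(client, "reached Bing via", " -> ".join(via))
```

A client that searches Bing directly, like 10.0.0.9 in the sample, produces a one-hop chain and is not reported.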
The Search Baron browser hijacker is so pesky that users don’t notice another malicious quirk of this malware. When running on macOS, Search Baron additionally monitors the victim’s online activities. It silently keeps tabs on which websites are visited and what search queries are typed in. On top of that, Searchbaron.com may target sensitive credentials, including online banking details, email logins, and cloud services. By collecting all these details, the author behind Search Baron can form a complete profile of the unsuspecting victim and use this information to carry out identity theft and phishing schemes. There is also a high chance that the data will be sold to third parties, such as marketers, advertisers, or other high-profile hacking groups.
When Search Baron gets into your Mac, it adds itself to the login items for persistence. It also changes the settings of the user’s preferred web browser, setting the default search engine and homepage to searchbaron.com. If you look closely, you’ll notice that the URL has a tail that reeks of malvertising. For example, the string can be something like searchbaron.com/v1/hostedsearch or http://www.searchbaron.com/v1/hostedsearch?pid=252428&subid965&keyword={searchTerms}.
The annoying thing is that you can’t revert the changes made to Safari, Chrome, or Firefox, no matter how many times you try to select the right services manually. This is because the malware installs a malicious plugin that makes those browser changes again and again. Search Baron also adds a new administrative profile under System Preferences. This new profile prevents the cleanup process from being completed, and the malware just keeps coming back. To completely remove the Searchbaron.com redirect from your browser, you need to get rid of the Search Baron virus itself, along with its components meant for privilege escalation. Once these have been removed, you can then revert the changes made to the affected web browser.
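Because the settings are re-applied from files left on disk, a cleanup has to find every place the hijacker’s URL is stored. The following is an added example, not from the original article or any vendor tool: it searches property-list files under a directory the caller chooses for the domains named on this page. The article does not list Search Baron’s file locations, so the directory to scan, and the key names in the constructed sample, are assumptions.

```python
import plistlib
import tempfile
from pathlib import Path

# Domains the article ties to the Search Baron redirect.
INDICATORS = ("searchbaron.com", "searchnewworld.com")

def walk(value, path=""):
    """Yield (key path, string) for every string nested in a plist value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk(v, f"{path}/{k}")
    elif isinstance(value, (list, tuple)):
        for i, v in enumerate(value):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value

def scan_plists(root):
    """Return (file name, key path, value) for plist strings that match an indicator."""
    findings = []
    for f in sorted(Path(root).rglob("*")):
        if f.suffix not in (".plist", ".mobileconfig") or not f.is_file():
            continue
        try:
            data = plistlib.loads(f.read_bytes())   # handles XML and binary plists
        except Exception:
            continue   # unreadable or signed (CMS-wrapped) file: skip it
        for key_path, text in walk(data):
            if any(i in text.lower() for i in INDICATORS):
                findings.append((f.name, key_path, text))
    return findings

def demo():
    """Scan a constructed directory holding one clean and one hijacked plist."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "clean.plist").write_bytes(plistlib.dumps({"HomePage": "https://example.org/"}))
        hijacked = {"PayloadContent": [{"DefaultSearchProviderSearchURL":
                    "http://www.searchbaron.com/v1/hostedsearch?keyword={searchTerms}"}]}
        Path(d, "sample.mobileconfig").write_bytes(plistlib.dumps(hijacked, fmt=plistlib.FMT_BINARY))
        return scan_plists(d)
```

Each finding gives the key path inside the file, which shows which setting has to be reverted after the file’s owner (profile, plugin, or login item) is removed.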
How to Remove Searchbaron.com
As mentioned earlier, Searchbaron.com installs components into your system that make it hard to get rid of. To make sure that it is totally removed from macOS, you need to follow our step-by-step removal guide.
Once Searchbaron.com has been deleted, practice good online security habits to prevent this malware and others of its kind from reinfecting your computer. Make sure you install a good anti-malware program and always keep your system updated to minimize vulnerabilities. You should also schedule regular maintenance of your Mac using a reliable Mac cleaning app. Always be wary of the apps you download and the links you click on the internet.