Issues With Unwanted (Often Malicious) Website Redirects

Issues With Unwanted (Often Malicious) Website Redirects

Let's say your company has a well-promoted website, plenty of traffic, and decent conversion rates. You have never come across hacker attacks and mal

10 accreditations to improve your career in the security industry
Details of the 10 most prevalent safety risks
The 5 most recommended learning aids for cyber-security learners

Let’s say your company has a well-promoted website, plenty of traffic, and decent conversion rates. You have never come across hacker attacks and malicious scripts, and you have never had to remove viruses and hacker scripts from the site before.

The site worked fine for a couple of years and did not create any problems for you, until one day, say, a weekend, you tried to access the company’s website from a mobile device. You look at it and cannot understand what happened. Where has the familiar homepage with the pre-holiday sales promotion gone? Maybe you made a mistake when entering the site address? You check the address bar, delete characters, retype again but nothing helps, it’s the same effect. A completely different site opens. Sometimes with content for adults or advertising a drug forbidden in our country.

When you reach your home computer and visit the company’s site again everything is in order. You think it was a temporal error. And only later, having settled comfortably in an armchair to watch a movie recommended by your friends, you decide for a final check – a nearby smartphone will help you. Alas, your worst fears got justified. Once again, you find yourself not on the company’s website, but on a suspicious web portal that tarnishes the reputation of your company and, possibly, even infects mobile devices with a virus. The next thought: “Our clients will see the same thing!”

Congratulations! You have got acquainted with a mobile redirect. It’s time to start “repairing” your website, removing viruses from the site, and strengthening protection against subsequent hacker attacks and redirects.

How do you find the bad guy?

So, a mobile redirect is the “bad guy” that gets activated as soon as a user visits an infected website from a mobile device. That is why the majority of site owners, who view the pages of their website mainly from desktop computers, often do not even suspect that their web resource is infected and threatens the safety of users, while the company’s reputation, along with customer loyalty, is going down dramatically.

Today, even if your business is not focused on mobile users, you need to pay attention to protecting your site from mobile viruses and redirects. The mobile Internet audience is in the millions and continues to grow every year. Hackers make incredible money by infecting tablets and phones with mobile banking Trojans, redirecting mobile visitors to dubious affiliate links, etc. Therefore, any popular website is a tasty piece of cake that an attacker is aiming at.

How to remove a mobile redirect

So, you found out that your site is infected and the hacker targets mobile users. To start removing viruses on the site, first of all, you need to know their location.

Malicious code can be placed by a hacker in various locations across the site and can be either static (unchanging) inserts of malicious code, or dynamic, changing and encrypting regularly in order to complicate their detection.

Static infections:

  • Templates.
  • Scripts (for example JavaScript).
  • Server configuration files.
  • Database.
  • Loaded as 3rd party components.

Dynamic infections:

  • Complex obfuscated JavaScript or polymorphic fragment that is generated in PHP, Python, PERL scripts.

For example, a dynamic redirect can use different domains to redirect visitors to. Thus, if you open a site infected with a redirect several times, it will often redirect you to different sites.

  • The dynamic injection can be performed from the side of infected server modules.

If a hacker breaks into a dedicated server, then he can use a malicious module of the Apache webserver or the Nginx caching server. In this case, when generating a page “on the fly,” a fragment of some JavaScript will be inserted, which will infect site visitors.

To detect redirects and remove viruses from the site, it is necessary to recreate a test environment that would simulate a user visiting a website from a mobile device.

Test environment setup

  • You need an Internet access via a 3G or LTE channel to catch mobile redirects that are activated only for mobile Internet users.
  • Traffic sniffer (Wireshark, Fiddler Web Debugging Proxy, HTTP Sniffer).
  • The User Agent field of the web browser must be set as on the mobile one (moreover, the same value must be available from the JavaScript of the Navigator object).
  • Clean cookies (some codes use cookies to track the number of views of malicious code, so they are inserted only once to one user who comes from the same browser).

The test environment is ready. Now you can find the HTTP session in the HTTP sniffer, analyze the chain of redirects to the infected website, and start looking for the code that caused the transition.

Removing viruses from the site: an algorithm for destroying mobile redirects

  • Analyzing the recorded HTTP session, you can find out what code caused the redirection of visitors to a third-party site.
  • Next, you look for a malicious fragment in files on the server, for example, by searching for the detected fragment in all files of the site.
  • Finally, you can find the viral code that generates the mobile redirect and delete it.

It is important to understand that removing viruses from a website is always a fight against the consequences of hacking. The main task is not only to find and remove malware but also to establish the cause of the infection – to find vulnerabilities (on a website or server) and eliminate\patch them. And after that, put protection so that new viruses and hacker attacks could not bother you again. If you find it difficult to remove a redirect from a site yourself, contact a specialist.