28 Jun, 2018

Malware Under the Radar - A Forgotten Method for Malware Redirects on Websites

Traffic hijacking is a major problem for companies in all industries, so how can you make sure you remain protected against malware redirects?
As a cybersecurity company, we focus on helping our clients protect their website and customers from threats that range from vulnerable WordPress themes to malicious code injection. However, most of our customers think first about data breaches and ransomware and may overlook other threats.
Malware Redirects - A Common (but oftentimes overlooked) Threat
The fact is that one of the most common threats remains URL redirection malware. Such malware causes malicious redirects on websites, sending the user to a scammy or dangerous site instead of the one they intended to visit. In some cases this results in the user seeing a third-party website with shady deals and multiple pop-ups.

Thankfully, modern browsers generally deal with the pop-ups, but for the website owner this means they may lose sales and their reputation. Customers cease to trust the site and refuse to spend their money there. In some cases, URL redirection can come through advertising networks. Traffic hijacking is a major problem for companies in all industries, with even top-tier websites sometimes falling victim to both malicious redirects and "malvertising."
How Can Malware Redirects be Solved?
Tracking Malware is Harder Than You'd Think
It can be hard to track URL redirection, as it can be programmed to only affect certain users based on IP address, geolocation, or operating system. In other cases the redirection is a result of malware that has been inserted into the user's system. Traffic direction systems (TDS), a common component of such malware, can key on all kinds of factors, including precisely targeting users of older and unpatched operating systems. Many site owners are completely unaware that their site is redirecting visitors until somebody complains. Even when somebody complains, a targeted redirect may not show up in testing.
Search Your Site for Malicious Code
You need to carefully search your site for malicious code. Site redirect code is often slipped in at the HTTP, HTML, or JavaScript level. If you find malicious code on your site, you need to remove it and change all passwords so that the hackers find it harder to get back in. Practice good cyber hygiene at all times and make sure that you use strong passwords, change them regularly, and consider two-factor authentication for access to the "nuts and bolts" of your website.

  •  HTTP redirects generally involve an HTTP 3XX status code with the Location header set to something other than your site.

  •  An HTML issue can include a meta tag that resembles the following:
    <meta http-equiv="Refresh" content="10; url=https://quttera.com">
     That would redirect users to quttera.com instead of the site they intended to go to.

  •  Finally, JavaScript may include a location change such as
      document.location = "https://quttera.com";

Some malicious redirects may also be a result of malware in WordPress themes, so always use themes that you have coded yourself or acquired from a reputable source and check your WordPress code for malicious additions regularly.
What is the "Refresh" Header?
One older method that has been showing up again of late is the "Refresh" HTTP header. The most "recent" post we could find on the matter was this one, which is over ten years old. The trick uses the "meta http-equiv='Value'" tag. Back in HTTP 1.0, the value could also be provided in the form of an HTTP response header. So, this is the same as an HTTP header that reads "Refresh: 10; url=https://quttera.com". This has the same effect as the HTML meta tag above: it redirects the user to quttera.com regardless of where they intended to go (we're using our own site as an example here for clarity).

The "Refresh" header has been around since 1995. It was introduced in the original version of Netscape Navigator, if anyone remembers that. For some reason, it has been forgotten in the mists of time, yet it has survived into modern browsers as "legacy" behavior: still supported, but seldom used by legitimate web coders.
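The four redirect techniques listed above (3XX with a Location header, the legacy Refresh header, the HTML meta refresh tag, and a JavaScript location change) can all be recognized from a single raw response. The script below is an added example, not Quttera's code: it scans a response for off-site targets of each kind, and the scan_url helper fetches a page once per user agent without following redirects, since a targeted redirect may only fire for some devices. The host names, sample responses and user-agent strings are constructed for illustration; OWN_HOST stands in for the host you expect your site to serve from.

```python
"""Scan an HTTP response for the redirect techniques described above.

Added example, not Quttera's code. The sample responses, host names and
user-agent strings below are constructed for illustration; OWN_HOST is the
host the site is expected to serve from.
"""
import re
from urllib.parse import urlparse

# <meta ...> tags, then the two attributes we care about (any attribute order).
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
HTTP_EQUIV_REFRESH_RE = re.compile(r"http-equiv\s*=\s*[\"']?refresh[\"']?", re.IGNORECASE)
CONTENT_ATTR_RE = re.compile(r"content\s*=\s*[\"']([^\"']*)[\"']", re.IGNORECASE)
# "10; url=https://..." as used by both the Refresh header and the meta tag.
REFRESH_URL_RE = re.compile(r"url\s*=\s*[\"']?([^\"'\s;]+)", re.IGNORECASE)
# document.location = "...", window.location.href = '...', location.replace("...")
JS_LOCATION_RE = re.compile(
    r"(?:\b(?:document|window|top|self)\.)?\blocation(?:\.href)?\s*"
    r"(?:=(?!=)|\.replace\(|\.assign\()\s*[\"']([^\"']+)[\"']",
    re.IGNORECASE,
)


def is_offsite(url, own_host):
    """True when url names a host other than own_host (relative URLs count as on-site)."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != own_host.lower()


def find_redirect_indicators(status, headers, body, own_host):
    """Return [(technique, target), ...] for every off-site redirect in one response."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    # 1. HTTP level: 3xx status with a Location header pointing away from the site.
    if 300 <= status < 400 and "location" in hdrs and is_offsite(hdrs["location"], own_host):
        findings.append(("http-3xx-location", hdrs["location"]))
    # 2. Legacy Refresh header (HTTP/1.0 era, still honoured by current browsers).
    if "refresh" in hdrs:
        m = REFRESH_URL_RE.search(hdrs["refresh"])
        if m and is_offsite(m.group(1), own_host):
            findings.append(("refresh-header", m.group(1)))
    # 3. HTML <meta http-equiv="refresh" content="N; url=..."> in the body.
    for tag in META_TAG_RE.findall(body):
        if HTTP_EQUIV_REFRESH_RE.search(tag):
            c = CONTENT_ATTR_RE.search(tag)
            m = REFRESH_URL_RE.search(c.group(1)) if c else None
            if m and is_offsite(m.group(1), own_host):
                findings.append(("meta-refresh", m.group(1)))
    # 4. JavaScript location changes (comparisons such as location.href == "x" are ignored).
    for target in JS_LOCATION_RE.findall(body):
        if is_offsite(target, own_host):
            findings.append(("js-location", target))
    return findings


# Constructed user agents for the devices the post recommends testing with; a
# targeted redirect may only fire for some of them, so each is fetched separately.
USER_AGENTS = {
    "android": "Mozilla/5.0 (Linux; Android 8.0) AppleWebKit/537.36 Chrome/67.0 Mobile Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148",
    "mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 Chrome/67.0 Safari/537.36",
}


def scan_url(url, own_host):
    """Fetch url once per user agent without following redirects and scan each response."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # hand the raw 3xx back instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    results = {}
    for name, ua in USER_AGENTS.items():
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        try:
            resp = opener.open(req, timeout=10)
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry headers and a body
            resp = err
        body = resp.read().decode("utf-8", errors="replace")
        results[name] = find_redirect_indicators(resp.code, dict(resp.headers.items()), body, own_host)
    return results


OWN_HOST = "example.com"  # constructed: the host the site is expected to serve from

# Constructed sample responses (status, headers, body): one per technique plus a benign one.
SAMPLE_RESPONSES = {
    "http": (302, {"Location": "https://attacker.example/landing"}, ""),
    "refresh": (200, {"Refresh": "10; url=https://attacker.example/"}, "<html></html>"),
    "meta": (200, {}, '<meta http-equiv="Refresh" content="10; url=https://attacker.example">'),
    "js": (200, {}, '<script>document.location = "https://attacker.example/x";</script>'),
    "benign": (301, {"Location": "https://example.com/new"}, '<script>if (location.href == "x") {}</script>'),
}


def demo():
    """Scan the constructed samples offline; returns {name: findings}."""
    return {n: find_redirect_indicators(s, h, b, OWN_HOST) for n, (s, h, b) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

Redirects to your own host (the "benign" sample) are deliberately ignored, so a normal HTTP-to-HTTPS or old-to-new-path redirect does not trigger a finding; only a change of host does. Because scan_url refuses to follow redirects, the 3XX response itself is what gets inspected, which is exactly where a hijacking Location or Refresh header would sit.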
Solving the Issue of the "Refresh" Header
So, what can a site owner do about it? The first thing to do is regularly test your website using different locations and operating systems (for example, it is a very good idea to test your site on Android phones, Apple phones, and even Mac computers, as all three have been targeted). If you don't have the device on site, find a trusted friend who does and who can load your site every so often and let you know if there is odd behavior or if the site is showing a malware warning.

If something does crop up, immediately back your data up and then go through your site to look for meta tags and alterations. As "Refresh" is a common word in malware code, it is a good one to search for. You can also get from the tester or the customer the URL of the site they are being redirected to. If the redirect appears to be the result of something going on in your advertising network, then you will need to talk to them.

Check your website access logs. Thankfully, modern browsers are now introducing features to help block malicious redirects, but you should still check your site for them regularly. Practicing good website security protects you and your customers and helps you retain customer loyalty.
Catch Malware Redirects Before They Become an Issue
If you are having issues with traffic redirection systems or other malware redirects, then you may want to invest in an anti-malware monitoring service. Malicious redirects on websites are a problem for both users and website owners.

Users, often unaware of the various issues, will often blame the site owner for the problem. They may also consider that if you cannot protect your website from malware, you may not be able to protect their information from data breaches. Thus, it is vital to keep monitoring your website and deal with any inserted malware as soon as it is discovered.

We offer anti-malware monitoring services, acting to fix traffic redirection and malicious redirects every single day, and we will help you improve your website's security so that you never become a vehicle for the latest malware or data breach. By hiring a website monitoring service, you do not have to worry about malicious redirects and searching your code, but can instead concentrate on the important things about your business and your core activities.