How to stop a mobile redirecting virus on my website

What is that and how it can damage your business

A malicious mobile redirect is malware that activates as soon as a visitor opens an infected website from a mobile device. Because most website owners view their own pages from desktop computers, they often do not even suspect that the site is infected and is endangering its users, while the company’s reputation and customer loyalty steadily go down the drain.

Today, even if your business is not focused on mobile users, you need to protect your site from mobile malware and redirects. The mobile Internet audience numbers in the millions and grows every year. Hackers make large sums by infecting tablets and phones with mobile banking trojans, redirecting mobile visitors to WAP affiliate programs, and so on. Therefore, any site with even modest traffic is a tempting target for an attacker.

Are there malicious redirects on my website?

To deal with a problem competently, you first have to identify it. You may not even guess that someone is “stealing” your mobile users until a visitor complains or you accidentally stumble upon the results of the malicious scripts.

Unfortunately, messages from visitors often carry little useful information and mostly cause panic, so here are a few checks you can make on your own:

Open the site on your smartphone and see whether you end up on another resource;
Study visitor feedback and pay attention to complaints; if necessary, ask the visitors for details of the infection they encountered;
Track visitor behaviour and analyse site statistics (you can also use the various webmaster tools).

How to remove malicious redirects from your site

So, you found out that your site is infected, and the hacker’s target is mobile users. To start removing the malware from the site, you first need to locate it.

Malicious code often looks like this (annotated here with # comments, which Apache ignores):
RewriteEngine On
# Only visitors arriving from a search engine are redirected, so an owner
# who types the address directly never sees anything wrong
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
# Every requested path is sent to the attacker's domain with a permanent redirect
RewriteRule ^(.*)$ http://malicioussite.com/index.php?t=6 [R=301,L]

Such rewrite rules send visitors arriving from the Google and Bing search engines to malicioussite.com. In general, check every Rewrite directive to see where it sends visitors.
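Checking rewrite rules by eye is error-prone once a .htaccess grows past a screen, so here is a small auditor written for this article (it is not code from the page). It groups each RewriteRule with the RewriteCond lines above it and reports every rule whose target is an absolute URL on a foreign host, together with the request variables (referer, user agent, cookies) that gate it. SITE_HOST and SAMPLE_HTACCESS are constructed; the second rule group in the sample reproduces the pattern shown above.

```python
"""Audit .htaccess for RewriteRule targets that send visitors off-site.

Added example for this article, not code from the original page. SITE_HOST
and SAMPLE_HTACCESS are constructed; the second rule group reproduces the
referer-gated malicious pattern discussed above.
"""
import re
from urllib.parse import urlparse

SITE_HOST = "example.com"  # constructed: the host the site legitimately lives on

# Constructed sample: a benign www-canonicalisation rule followed by a
# referer-gated redirect to a foreign host.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\\.example\\.com$ [NC]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteRule ^(.*)$ http://malicioussite.com/index.php?t=6 [R=301,L]
"""

# Request variables attackers test so that only some visitors (search-engine
# arrivals, mobile browsers) are redirected and the owner never sees it.
TARGETING_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_ACCEPT", "HTTP_COOKIE"}

_REDIRECT_FLAG = re.compile(r"[\[,]R(?:=|,|\])")  # matches [R], [R=301,L], [L,R] ...


def parse_rules(text):
    """Group every RewriteRule with the RewriteCond lines directly above it."""
    rules, pending = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "RewriteCond" and len(parts) >= 3:
            pending.append({"var": parts[1].strip("%{}"), "pattern": parts[2]})
        elif parts[0] == "RewriteRule" and len(parts) >= 3:
            flags = parts[3] if len(parts) > 3 else ""
            rules.append({"pattern": parts[1], "target": parts[2],
                          "flags": flags, "conds": pending})
            pending = []
        else:
            pending = []  # any other directive ends the condition group
    return rules


def _same_site(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def audit_htaccess(text, site_host=SITE_HOST):
    """Return one finding per rule whose target is an absolute URL on a foreign host.

    Each finding records which request variables gate the rule; a redirect
    that fires only for certain referers or user agents is the signature of
    the hidden redirects this article describes.
    """
    findings = []
    for rule in parse_rules(text):
        parsed = urlparse(rule["target"])
        if not parsed.scheme or not parsed.hostname:
            continue  # relative rewrite: the request stays on this server
        host = parsed.hostname.lower()
        if _same_site(host, site_host):
            continue
        findings.append({
            "target_host": host,
            "is_redirect": bool(_REDIRECT_FLAG.search(rule["flags"])),
            "gated_on": sorted({c["var"] for c in rule["conds"] if c["var"] in TARGETING_VARS}),
            "conditions": [f'{c["var"]} {c["pattern"]}' for c in rule["conds"]],
        })
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS):
        print(f"off-site target {f['target_host']} gated on {f['gated_on'] or 'nothing'}: {f['conditions']}")
```

Run it over every .htaccess on the host (they can sit in subdirectories, not only the web root) and treat any finding gated on HTTP_REFERER or HTTP_USER_AGENT as a priority, since a legitimate canonicalisation rule has no reason to look at either.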

You can also manually check the following places on your site:

/index.php
/wp-config.php (for WordPress)
/configuration.php (for Joomla)
/wp-content/themes/yourtheme/functions.php (for WordPress)

Remember that malicious inserts are most often encoded, so you will have to look carefully through these files for fragments that seem suspicious.
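Because the inserts are encoded, a plain grep for "Location" or "USER_AGENT" usually finds nothing, so the scanner below, written for this article and not part of the page, scores files by obfuscation indicators instead and, for every long base64 literal it finds, decodes the payload and scores that too. The indicator list and weights are my own heuristics; SAMPLE_FILES are constructed stand-ins for a theme's functions.php carrying an insert and a harmless menu script.

```python
"""Score site files for the obfuscation tricks used to hide injected redirects.

Added example for this article, not the page's own tooling. INDICATORS and
their weights are my own heuristics, and SAMPLE_FILES are constructed
stand-ins for a theme's functions.php and a harmless script.
"""
import base64
import re

# (name, regex, weight). Weights are a triage aid, not a standard.
INDICATORS = [
    ("eval-of-decoded-data",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I), 5),
    ("long-base64-literal", re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"), 3),
    ("php-execution-helpers",
     re.compile(r"\b(?:preg_replace\s*\([^)]*/e|assert\s*\(|create_function\s*\()", re.I), 4),
    ("ua-gated-redirect",
     re.compile(r"(?:HTTP_USER_AGENT|navigator\.userAgent)[\s\S]{0,300}?"
                r"(?:Location:|header\s*\(|location\.(?:href|replace)|window\.location)", re.I), 4),
    ("escaped-string-run", re.compile(r"(?:\\x[0-9a-f]{2}){8,}|(?:\\u00[0-9a-f]{2}){8,}", re.I), 2),
    ("js-string-reassembly", re.compile(r"fromCharCode|unescape\s*\(", re.I), 2),
]

_B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{80,}={0,2})['\"]")


def decode_base64_literals(text):
    """Decode every long base64 literal so the analyst can read what the insert really does."""
    decoded = []
    for m in _B64_LITERAL.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid base64 after all (e.g. a long hash or token)
    return decoded


def scan_text(text, depth=0):
    """Hits on the raw text plus, one layer down, hits inside decoded base64 payloads."""
    hits = {name: weight for name, rx, weight in INDICATORS if rx.search(text)}
    if depth == 0:
        for payload in decode_base64_literals(text):
            for name, weight in scan_text(payload, depth=1)["hits"].items():
                hits["decoded:" + name] = weight
    return {"score": sum(hits.values()), "hits": hits}


def scan_files(files, threshold=5):
    """files maps path -> content. Highest score first; flagged at or above threshold."""
    report = []
    for path, content in files.items():
        result = scan_text(content)
        result.update(path=path, suspicious=result["score"] >= threshold)
        report.append(result)
    return sorted(report, key=lambda r: r["score"], reverse=True)


# Constructed stand-in for an injected insert. The real logic is hidden behind
# base64 so that a grep for "Location" or "USER_AGENT" finds nothing in the raw file.
CONSTRUCTED_PAYLOAD = (
    "if (stripos($_SERVER['HTTP_USER_AGENT'], 'mobile') !== false) {"
    " header('Location: http://constructed-example.invalid/'); exit; }"
)
_ENCODED = base64.b64encode(CONSTRUCTED_PAYLOAD.encode()).decode()

SAMPLE_FILES = {
    "wp-content/themes/yourtheme/functions.php":
        "<?php\nadd_action('init', 'theme_setup');\n"
        f"eval(base64_decode('{_ENCODED}'));\n",
    "wp-content/themes/yourtheme/js/menu.js":
        "document.querySelectorAll('.menu a').forEach(function (a) {\n"
        "  a.addEventListener('click', function () { a.classList.toggle('open'); });\n});\n",
}

if __name__ == "__main__":
    for r in scan_files(SAMPLE_FILES):
        print(f"{r['score']:>3} {'SUSPICIOUS' if r['suspicious'] else 'ok        '} {r['path']} {sorted(r['hits'])}")
```

The "decoded:" prefix on a hit tells you the indicator was found inside a payload rather than in the visible source, which is exactly the case the paragraph above warns about. Score thresholds will need tuning per site: legitimate plugins sometimes ship long base64 strings (icons, licence blobs), which is why a single indicator scores below the default threshold and only combinations are flagged.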

A hacker can place malicious code in various components of the site. The inserts can be either static (unchanging) or dynamic; dynamic inserts change and are encrypted to make detection harder.

Let’s review the most common of them.

Static:

templates;
scripts (e.g. JavaScript);
server configuration files;
the database;
code loaded as third-party components.

Dynamic: complex obfuscated JavaScript or a polymorphic fragment generated by PHP, Perl or Python scripts.

A dynamic malicious redirect can substitute different destination domains into the code. This is how mobile redirect malware works: if you open a site infected with such a redirect several times, you will often be sent to different sites.

Dynamic injection can also be performed by infected server modules. If a hacker breaks into a dedicated server, he can install a malicious module for the Apache web server or the nginx caching server. In this case a JavaScript fragment that infects site visitors is inserted while the page is generated “on the fly”.

To detect malicious redirects and actually remove the malware from the site, you must set up a test environment that simulates a user visiting the site from a mobile device.

Test environment setup:

Internet access through a 3G or LTE channel, to catch mobile redirects that are activated only for users of mobile Internet;
a traffic sniffer (Wireshark, HTTP Sniffer, Fiddler Web Debugging Proxy, Charles Web Debugging Proxy);
the browser’s User-Agent header set to a mobile value (moreover, the same value should be exposed to JavaScript through the navigator object);
clean cookies (some malicious scripts use cookies to count how many times the malicious code has been shown to a particular visitor, so the redirect is served only once to a given browser).

Once the test environment is ready, record the HTTP session in the sniffer, analyse the chain of redirects from the infected website, and start looking for the code that caused the transition.

The algorithm for removing malicious mobile redirects:

analyse the recorded HTTP session to find out what code caused the browser to redirect visitors to a third-party site;
look for that fragment in the files on the server, for example by searching all files of the site for the detected fragment;
find the malicious code that generates the mobile redirect and delete it.
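The recorded-session analysis and the file search in the steps above can be scripted. The example below is written for this article (it is not the page's code): it walks a session export record by record, identifies what each response does to send the browser onward (a 3xx Location header, a meta refresh, or an inline JavaScript location change), reports the first hop that leaves the site together with the evidence fragment, and then searches the site's files for that fragment. RECORDED_SESSION, SITE_FILES and every host name are constructed; the session is what a sniffer would capture for a visit with a mobile user agent, as set up in the test environment section.

```python
"""Walk a recorded HTTP session to find the hop that leaves the site, then
search the site's files for the fragment that caused it.

Added example for this article, not code from the page. The session records,
host names and file contents are all constructed.
"""
import re
from urllib.parse import urljoin, urlparse

SITE_HOST = "example.com"  # constructed

# Constructed: the UA-gated script a sniffer would show in the page body.
_INJECTED = ('<script>if(/Android|iPhone/i.test(navigator.userAgent)){'
             'location.replace("http://redirect-hop.invalid/go");}</script>')

RECORDED_SESSION = [
    {"url": "http://example.com/", "status": 200, "headers": {"Content-Type": "text/html"},
     "body": "<html><head><title>Shop</title></head><body><h1>Welcome</h1>" + _INJECTED + "</body></html>"},
    {"url": "http://redirect-hop.invalid/go", "status": 302,
     "headers": {"Location": "http://landing.invalid/offer?src=m"}, "body": ""},
    {"url": "http://landing.invalid/offer?src=m", "status": 200, "headers": {}, "body": "<html>...</html>"},
]

# Constructed site files; only footer.php carries the insert.
SITE_FILES = {
    "wp-content/themes/yourtheme/header.php": "<?php wp_head(); ?>\n<body>\n",
    "wp-content/themes/yourtheme/footer.php": "<?php wp_footer(); ?>\n" + _INJECTED + "\n</body></html>\n",
    "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
}

JS_REDIRECT = re.compile(
    r"""(?:window\.)?(?:top\.|self\.)?location(?:\.href)?\s*(?:=(?!=)|\.replace\s*\(|\.assign\s*\()\s*['"]([^'"]+)['"]""")
META_REFRESH = re.compile(r"""<meta[^>]+http-equiv=['"]?refresh['"]?[^>]+url=([^'">\s]+)""", re.I)


def next_hop(record):
    """Return (kind, target_url, evidence) for the redirect this response triggers, or None."""
    if 300 <= record["status"] < 400 and "Location" in record["headers"]:
        target = urljoin(record["url"], record["headers"]["Location"])
        return ("http-" + str(record["status"]), target, "Location: " + record["headers"]["Location"])
    body = record["body"]
    m = META_REFRESH.search(body)
    if m:
        return ("meta-refresh", urljoin(record["url"], m.group(1)), m.group(0))
    m = JS_REDIRECT.search(body)
    if m:
        # Evidence is the whole enclosing <script> element when it can be found.
        start = body.rfind("<script", 0, m.start())
        end = body.find("</script>", m.end())
        evidence = body[start:end + len("</script>")] if start != -1 and end != -1 else m.group(0)
        return ("javascript", urljoin(record["url"], m.group(1)), evidence)
    return None


def redirect_chain(session):
    """Every hop in order, as dicts with kind, from, to and evidence."""
    chain = []
    for record in session:
        hop = next_hop(record)
        if hop:
            kind, target, evidence = hop
            chain.append({"kind": kind, "from": record["url"], "to": target, "evidence": evidence})
    return chain


def _same_site(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def first_external_hop(chain, site_host=SITE_HOST):
    """The hop that first takes the visitor off the site: its evidence is what to hunt for in files."""
    for hop in chain:
        src = urlparse(hop["from"]).hostname or ""
        dst = urlparse(hop["to"]).hostname or ""
        if _same_site(src, site_host) and not _same_site(dst, site_host):
            return hop
    return None


def find_fragment(files, fragment):
    """Paths whose content contains the fragment, ignoring whitespace differences."""
    squash = lambda s: re.sub(r"\s+", "", s)  # noqa: E731
    needle = squash(fragment)
    return sorted(path for path, content in files.items() if needle in squash(content))


if __name__ == "__main__":
    hop = first_external_hop(redirect_chain(RECORDED_SESSION))
    print("leaves the site via", hop["kind"], "to", hop["to"])
    print("fragment found in:", find_fragment(SITE_FILES, hop["evidence"]))
```

The whitespace-insensitive search matters because the fragment seen in the browser is often reformatted by the template engine or minifier; if it is still not found, the insert is probably generated dynamically (by PHP or a server module, as described earlier) and the search should move to the code that builds the page rather than the page itself.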

Treat the cause, not the effect

It is important to understand that removing viruses from a site is always a fight against the consequences of a hack and infection! The main task is not only to find and remove the malware, but also to establish the cause of the infection – to find the vulnerabilities (on the site or the server) and eliminate them. Then put protection against hacking in place, so that you no longer have to fear viruses and hacker attacks on your site.

If it is difficult for you to remove mobile redirect malware from the website yourself, contact a specialist.