Attackers make their way into user’s device even with advanced security in action. Here is everything a publisher should know to fight malicious redirects.
Ads are a great way to monetize online traffic for publishers. However, some hackers are out there waiting to inject their own links onto your site and redirect them to an unsafe location.
With the Coronavirus pandemic affecting much of the world, publishers are decreasing their floor prices and with that hackers are also standing ready to take advantage. One of the techniques used by there hackers is to inject their malicious code to publisher’s website. Here is what you need to know about malicious ads with redirecting links and how you can stop them.
What is a Malicious Redirect?
A malicious redirect is code that a hacker inserts into a web publisher’s site to redirect the person using their site to go to another website. Hackers may use this process to lure your users away to their similar products or services, or they may try to install malware and other harmful viruses on your users’ devices, which may compromise their personal information and may potentially subject you to liability.
A key difference between this type of attack and others is that the attack starts from a legitimate website (publisher’s website) instead of a virus on a user’s hardware or software.
Once the user clicks on a link (or ad), he is taken to another site where their information may be stolen. In one study, researchers developed a monitoring system to detect URL redirects and identified more than 100,000 of them across 776 websites. Researchers found that a significant number of these redirects occurred after a user clicked on an ad.
One prominent example of this problem occurred with the London Stock Exchange’s website in 2011. A malicious advertisement from a third-party ad network caused malicious malware to be downloaded on web users’ devices without their consent. Google ended up placing a warning alerting web users that the site might contain malware after testing 281 pages on the site and finding 65 pages caused the download and installation of malware.
How Are Malicious Code Injected?
Hackers exploit weaknesses to infect computer networks. In a study by the United States General Accounting Office, 10 out of 15 of the nation’s largest federal agencies had weaknesses that made them vulnerable to attack. The weaknesses were divided into the following areas:
- Security program management, which provides the framework for ensuring that key team members understood the potential risks and were able to select and implement effective controls.
- Access controls, which ensure that only authorized individuals are able to alter or delete data.
- Software development and change controls, which limit who can implement software programs.
- Segregation of duties, which helps to reduce the risk that one person will have the access to independently perform inappropriate actions without others being able to detect it.
- Operating systems controls, which provide sensitive programs that support multiple applications from tampering and misuse.
- Service continuity, which ensures that operations that are dependent on computers are not interrupted.
If a hacker can access your code because of one of these weaknesses, he or she can add malicious code. Website developers input code to create a website. If the code includes the eval() function, users can input code and this function evaluates the code and incorporates it into the website. Websites that use the eval() function to allow user input which can alter your code and result in addition of a malicious redirect. This malicious code may be added to:
- Form fields
- File uploads
- Query string parameters
What are the Types of Insertions
The malicious ads may be included in the following locations:
- In your pages or posts,
- Website’s files,
- .htaccess files,
- And ad network
The location of the malicious ad will affect how you can remove it and protect your site. We will discuss more about these in later sections.
What Types of Devices Are Most at Risk for Malicious Ads?
Any device that has access to the internet can potentially be exploited by malicious ads, including computers, tablets, phones, laptops and others. However, mobile phones are at a greater risk because they generally lack an antivirus software and other safeguards in place to protect against this type of attack.
For example, Wired reported a surge in malicious ads with redirect links that targeted cell phones. If you publish content and make it mobile-friendly, you may need to be concerned about malicious redirects having easier access to infect these devices.
Risks of Being Hacked by Malicious Code
Malicious redirects can cause your users to be lured away by competitors or hackers, resulting in a loss of revenue for your business.
Additionally, malicious redirects may send your users to spoof sites that collect their Social Security number, credit card numbers, or online banking logins. This can compromise their personal information and make them vulnerable to identity theft.
Another possible threat is that the hacker may install a virus or malicious software on the user’s device. If many of your users are affected by the malicious code, you may have a data breach to worry about.
How to Determine If Your Site is Infected
While you can inspect your site occasionally and click on the links to ensure that they only go to your approved locations, sometimes the attack only occurs on mobile devices or unprotected computers. Hence, you may not be able to find the problem once it is reported to you.
However, you can use a reputable program that will routinely scan your site for this possible attack, as well as others. Once you identify the problem, you can take steps to remove the malicious redirect and restore the functionality of your site.
Finding and Removing Malicious Redirects
How you remove the malicious redirect will depend on where it is located. As a web publisher, you may need to check the following locations for possible malicious redirects:
Pages or Posts
This type of redirect may be easier to find than others because it is often on all of your posts and pages. You may see a long line of script that you do not recognize. You can remove the malicious redirects by using your content management system, a database tool that allows you to edit multiple pages at a time, or by downloading the text offline and then uploading the clean script.
A common place hackers place these redirects are within a theme’s header. If this is the case, you may notice a large amount of script right after your header in your source code. However, these redirects can be anywhere in your files. Follow these steps to identify and remove the redirect:
- Check which script is causing the malicious redirect by viewing the source of your site and searching for the term ‘script’.
- Look at the code next to each “script” you find to determine if it is malicious or part of your site’s functionality.
- Remove the malicious script by using your site’s theme editor or take the source offline and clean it up before loading it back onto your server.
If the malicious script is in your .htaccess file, it may be more difficult to find because these redirects often base the offending code on the type of browser that is used or who sent the user to your site, so it may appear differently. This may require that you get some outside help to locate the script and make the necessary corrections.
This type of code can also be inserted into your widgets. To remove it, you will need to download your site to your computer. You can search for the malicious code manually or with a scanning program designed for this purpose. You may need to check multiple locations to find the offending script, including:
- .js files
- .json files
- Theme files
- Core files
You will then need to clean the files and then upload them back to your server.
Some third-party ad networks may not be stringent about the types of advertisements they allow. For example, during the pandemic, some are allowing even riskier advertisements on their site to avoid losing revenue. The only cure for this is to use a reputable ad network.
How to Fight Against Malicious Injections?
There are several ways that you can guard against future attacks, including:
- Install strong antivirus software
- Complete routine scans of your site
- Validate inputs
- Use static code
- Avoid vulnerable evaluation constructs
- Work with a reputable ad network
Get Good Ads
While there may be malicious hackers out there, there are proactive ways that you can protect yourself. Simultaneously you can protect your users from them and prevent your website’s security from getting compromised. As a web publisher, knowing how to secure your website can help you reap the benefits of monetizing your ads while building a valuable audience.
This is a guest post by Ben Hartwig. He is Web Operations Director at InfoTracer who takes a wide view from the whole system. He authors guides on the entire security posture, both physical and cyber. Ben Enjoys sharing the best practices and does it the right way!
The URL redirection vulnerability allows an attacker to force users of your application to an untrusted external site. Typically, the attack is carried out by sending a link to the victim, who clicks the link and is unknowingly redirected to a malicious website.
These URL redirection attacks are used by cybercriminals to gain users’ trust. By embedding URLs in website code, an .html file is used to redirect traffic to a malicious web page. A phishing email or htaccess file. 17% of malware infections are caused by URL redirection attacks.
If you click on a phishing link, the attacker will automatically receive some basic data, such as your device statistics, approximate location and any other information you may have voluntarily provided.
Shubham is a digital marketer with rich experience working in the advertisement technology industry. He has vast experience in the programmatic industry, driving business strategy and scaling functions including but not limited to growth and marketing, Operations, process optimization, and Sales.