[David Strom's Web Informant] Stopping malicious website redirects

David Strom david at strom.com
Wed Aug 30 07:09:08 EDT 2017

Web Informant, August 29, 2017:
Stopping malicious website redirects

In my work as editor of Inside Security’s email newsletter
<http://inside.com/security>, I am on the lookout for ways that criminals
can take advantage of insecure Internet infrastructure. I came across this
article yesterday that I thought I would share with you and also take some
time to explain the concept of the malicious redirect. This is how the bad
guys turn something that was designed to be helpful into an exploit.

A redirect is when you put some HTML code on a web page because that URL is
no longer in service, but you don’t want to lose that visitor. The most
likely situation is that someone could have clicked on an old link and
gotten to that location. So you direct them to the appropriate place on
your website. Simple right?

Now the bad guys have used this, but instead of being helpful, they use the
redirect code to point you to a place that contains some malware, in the
hopes that you will not notice that the new web page is a trap and in an
instant, your computer is now infected with something. Surprise! Sadly,
this happens more and more.

In a post on Sucuri’s blog
researchers describe several ways the malicious redirect can happen. One
way is by leveraging configuration files such as .htacess or .ini files.
These are files associated with web servers that control all sorts of
behavior and are usually hidden from ordinary browsing. Usually, your
website security prevents folks from messing with these files, but if you
made setup errors or if you aren’t paying attention, the configuration
files can be exposed to attackers. Another way is by having an attacker
mess with your DNS settings so that visitors to your site end up going
somewhere else. How does some attacker gain access to your DNS servers?
Typically, it is through a compromised administrative account password. Do
you really know who in your organization has access to this information?
Probably more people than you realize. When was the last time you changed
this password anyway?

My office is in a condo complex that has several doors to a public alley.
Each of the doors has a combination lock and all of the doors have the same
combination. A year or so ago, the board was discussing that it might be
time to change the combination because many people – by design – know what
this combination is. This is just good security practice. Now the analogy
isn’t quite sound – by design, a lot of people have to know this number,
otherwise no one can get out to the alley to take their trash out – but
still, it was a good idea to regularly change the access code.

Neither of these exploit methods is new: they have been happening almost
since the web became popular, sadly. So it is important that if you run
websites and don’t want your reputation ruined or have some criminal
spreading malware that you at least understand what can happen and make
sure that you are protected.

But there is another way redirects can happen: by an attacker grabbing an
expired domain name and leveraging its associated Wordpress plug-in. Since
a lot of you run Wordpress sites, I want to take a moment to describe this
attack method.

·         Attacker finds a dormant plug-in on the Wordpress catalog. Give
the thousands of plug-ins, there are lots of them that haven’t been updated
in several years.

·         Check the underlying domain name that is used for the plug-in. If
it isn’t active, purchase and register the name.

·         Set up a website for this domain that contains malicious
Javascript code for the redirect.

·         Change the code on your plug-in to serve up the malware whenever
anyone uses it.

·         Hope no one notices and sit back as the Internet spread your
nasty business far and wide.

Moral of the story: Don’t use outdated plug-ins, and limit the potential
for attacks by deleting unused plug-ins from your Wordpress servers anyway.
Make use of a tool such as WordFence to protect your blogs. Update your
blog with the latest versions of Wordpress and the latest plug-in versions
too while you are at it.

When I first started using Wordpress more than a decade ago, I went plug-in
crazy and loaded up more than a dozen different ones for all sorts of
enhancements to my blog’s appearance and functions. Now I am more careful,
and only run the ones that I absolutely need. Situations such as this
malicious redirect are a good reason why you should follow a similar

Comments always welcome here: https://blog.strom.com/wp/?p=6139
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://list.webinformant.tv/pipermail/webinformant_list.webinformant.tv/attachments/20170830/60c834fd/attachment.html>

More information about the WebInformant mailing list