Have hackers got the mobile version of your website?

Have hackers compromised the mobile version of your website? It’s worth checking.

(This post on the hacking of mobile versions of websites falls squarely between WriterWay.com and iPhone4Tips.wordpress.com. Therefore, I’m posting it on both blogs.)

A few weeks back at iPhone4Tips.com, I wrote about the increasing proportion of website users who are using mobile devices (Where are the Smartphone-friendly websites?). While researching that story, I tripped over a far uglier one: hackers who stay under the radar by redirecting a website's visitors, but only those arriving on mobile devices. Let me start at the beginning of this topic and work up to the rather complex explanation behind it all.

While writing the story on the need for mobile-friendly web pages, I checked to see if the organizations I work with are walking the talk. Did they have mobile-friendly pages?

I got distracted almost immediately because the second group whose site I checked had all the mobile versions of its pages redirected to a website in Russia that urged visitors to download something that claimed to be “Adobe Flash.” (Yeah, right.)

When I checked the same site from a desktop computer, it looked just fine. I was puzzled, so I called two friends and asked them to check both desktop and mobile versions of the site. They confirmed what I was seeing — but we discovered along the way that iPhones and Androids were being redirected to different Russian download pages.

I alerted the two volunteers who act as sysops for the website. Both are experienced programmers and website designers, and neither had come across this before.

The bottom line is that someone had obtained our not-very-secure password, edited our .htaccess file, and inserted their redirect rules into it. (An .htaccess file is Apache configuration, not page content, which is why the redirect never showed up in the HTML of the pages themselves.) Fortunately, we were able to correct it by filing a ticket with the ISP to get the .htaccess file restored. A far more secure password is now in place.

There’s plenty online about attacks through .htaccess rewrites, but I’ve found very little written about the hacking of the mobile pages of otherwise unscathed websites. It’s quite clever. Many sysops, such as ours, interact with their sites only from desktop machines, and would be unlikely to spot malicious activity that affected only mobile pages and mobile users. Thus the hackers get to work under the radar, until a mobile user is inconvenienced enough to go to the trouble of reporting that the pages are being redirected. The check itself is simple: request your pages with a mobile browser’s User-Agent string (or spoof one from a desktop browser) and see whether the server answers with a redirect, and look in the .htaccess file for rewrite rules keyed on the User-Agent header.

For those of you with a technical background, I asked our sysop to share what we did to troubleshoot and solve the problem. He writes:

I verified that the redirect was only happening on mobile browsers and not desktop. Suspecting the behavior was user-agent-string based, I switched my desktop’s user-agent to spoof an Android browser and, sure enough, got redirected. It was likely to be either a cross-origin scripting vulnerability (where malicious JavaScript is injected into the content of our page), or a redirect at the HTTP level, which would mean our Apache configuration was compromised.
I couldn’t see any malicious code in the content of our page, but just to be sure, I used the UNIX “curl” tool to manually look at the response coming back from a request by a mobile browser. Sure enough, it was an HTTP 301 redirect, saying the requested page had been moved to a new location on a malware site in Russia. Unfortunately most browsers will “helpfully” perform that redirect automatically, so you need a fairly low-level tool to diagnose when it is happening.
Having identified it as an Apache configuration issue, I contacted [ISP], and they confirmed that our .htaccess file had been compromised and the new redirect rules had been inserted there. They fixed the offending file, and the problem went away. I then immediately changed our passwords to prevent the same attacker from continuing to have access.
I can’t be sure how the compromise happened; however, our old password was pretty insecure. It may have just been guessed, or somebody who knew the password might have been infected with a keylogger. I doubt it was a targeted attack, because our site is unlikely to have a very large Russian readership who would actually be vulnerable. More likely it was an exploit of opportunity.
It doesn’t appear that we suffered anything beyond some embarrassment from being hacked. It could have been much worse. Take a look at your mobile pages — today!
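As an added example (not code from the original post or from its sysop), here is a small Python script that automates the two checks described above: auditing an .htaccess file for rewrite rules keyed on the User-Agent header, and requesting a page with a desktop and a mobile User-Agent without following redirects, then comparing the two responses. It assumes the injected rules use Apache mod_rewrite’s RewriteCond on %{HTTP_USER_AGENT}, which is the usual shape of this attack; the sample .htaccess, hostnames and User-Agent strings in it are constructed for illustration.

```python
"""Added example, not code from the original post or its sysop: two checks for
a user-agent-conditional redirect of the kind the post describes.

Assumptions (mine): the injected .htaccess rules use mod_rewrite, i.e. a
RewriteCond on %{HTTP_USER_AGENT} guarding a RewriteRule that sends the
visitor off-site; the sample file, hostnames and User-Agent strings below
are constructed for illustration.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed sample: two ordinary rules followed by an injected block.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L]

RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipod|blackberry) [NC]
RewriteRule ^.*$ http://attacker.example/flash-update/ [R=301,L]
"""

# Constructed User-Agent strings for the two probes.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Mobile/15E148"


def find_ua_redirects(htaccess_text):
    """Audit .htaccess text. Returns a list of (ua_pattern, target) for every
    RewriteRule that is guarded by a RewriteCond on the User-Agent header and
    either points off-site (http://...) or carries the R (redirect) flag."""
    findings = []
    pending = []  # RewriteCond lines apply only to the next RewriteRule
    for raw in htaccess_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            flags = parts[3] if len(parts) > 3 else ""
            ua_patterns = [pat for var, pat in pending
                           if var.upper() == "%{HTTP_USER_AGENT}"]
            pending = []
            external = re.match(r"https?://", target, re.I) is not None
            redirects = re.search(r"\bR(=\d{3})?\b", flags) is not None
            if ua_patterns and (external or redirects):
                findings.append((ua_patterns[0], target))
    return findings


def ua_conditional_redirect(desktop, mobile, trusted_hosts):
    """desktop and mobile are (status, location) pairs captured WITHOUT
    following redirects. True when only the mobile request is bounced to a
    host outside trusted_hosts (so a legitimate m.example.org is not flagged)."""
    def offsite(status, location):
        if not (300 <= status < 400) or not location:
            return False
        host = urlparse(location).netloc.lower()
        return host != "" and host not in trusted_hosts
    return offsite(*mobile) and not offsite(*desktop)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib surface the 3xx as an HTTPError instead of
    # following it, which is exactly the "helpful" behaviour to switch off.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent; return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    for pattern, target in find_ua_redirects(SAMPLE_HTACCESS):
        print(f"suspicious rule: User-Agent matching {pattern} -> {target}")
    if len(sys.argv) > 1:  # optional live check: python check.py https://www.example.org/
        url = sys.argv[1]
        host = urlparse(url).netloc.lower()
        desktop, mobile = probe(url, DESKTOP_UA), probe(url, MOBILE_UA)
        print("desktop:", desktop, "mobile:", mobile)
        if ua_conditional_redirect(desktop, mobile, {host}):
            print("WARNING: mobile visitors are being redirected off-site")
```

Run it with no arguments to audit the embedded sample; pass a URL to probe a live site with both User-Agents. If you legitimately serve mobile visitors from a separate hostname (for instance m.example.org), add it to trusted_hosts, otherwise that redirect is flagged too, and remember that a rule that redirects everyone, desktop included, is not caught by the comparison and should be looked for with the .htaccess audit instead.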