Investigations so far suggest that there is some type of conditional redirect exploit/hijack being planted on many WordPress websites redirecting search engine referred visitors to fake award/survey sites such as “applefacetook”, “hurryexpectsugar”, “mouthtroubleask”, “ondiesmall”, “thendownmeat”, “makemodernfive”, “sayhitome”, “whateyeweight” among several others typically ending in a “.live” address. While this Hijack, as far as I have seen appear to predominantly affect WordPress websites, I wouldn’t be surprised to learn that this possibly affects other types of websites as well.
In my experience, for sites that are affected, to replicate…
(These most certainly could differ depending on the site affected)
- Needs to be done from an IP address that has yet to access the site in question. (e.g Mobile Data Connection, activate and deactivate airplane mode to get a new IP address)
- Chrome or Firefox browser (Win 10 or Android) in Incognito Mode (No plugins). Reportedly in other variations of the exploit, it only occurs on Safari under iOS
- Search for your site in Google search
- Click on the search result that points to your website. Instead of loading up your website as expected, you get redirected to a hijack site.
The hijack will not fire If you access your site directly. This appears to be some conditional exploit based on visitors coming from Search Engines. (e.g by typing the site URL directly into the Address bar, you won’t get redirected) and it looks like it will only fire once per IP Address.
I probably should add that many so called WordPress vulnerability scanners online I’ve discovered aren’t even set up to detected this sort of hijack. The scanners based on “Securi” certainly will not detect this exploit, I’ve found.
- WordFence – Removing Malicious redirects
- CoreRecon – Identifying a conditional redirect hack (Beware, annoying pop up)
Original Post (Old):
Noticing some apparent weird intermittent redirect hijack on the general web where some sites are allegedly redirecting to some dodgy website with names such as “mouthtroubleask”
Update – 2020-09-11T06:55:00+12:00: Added steps to replicate (from my own experience)
Update – 2020-09-12T18:20:00+12:00: Added note to mention that all of the online WordPress malware scanners I’ve tried won’t detect this sort of hijack.