Investigations so far suggest that there is some type of conditional redirect exploit/hijack being planted on many WordPress websites redirecting search engine referred visitors to fake award/survey sites such as “moviesuddenvalley”, “applefacetook”, “hurryexpectsugar”, “mouthtroubleask”, “ondiesmall”, “thendownmeat”, “makemodernfive”, “sayhitome”, “whateyeweight” among several others typically ending in a “.live” or “.top” address. While this Hijack, as far as I have seen appear to predominantly affect some WordPress websites, I wouldn’t be surprised to learn that this possibly affects other types of websites as well.
In my experience, for sites that are affected, to replicate…
(These most certainly could differ depending on the site affected)
- Prerequisites…
- Needs to be done from an IP address that has yet to access the site in question. (e.g Mobile Data Connection, activate and deactivate airplane mode to get a new IP address)
- Chrome or Firefox browser (Win 10 or Android) in Incognito Mode (No plugins). Reportedly in other variations of the exploit, it only occurs on Safari under iOS
- Search for the site in Google search
- Click on the search result that points to the website. Instead of loading up the website as expected, you get redirected to a hijack site.
The hijack will not fire If you access the site directly (via bookmarks or typing the address directly in the address bar of your browser). This appears to be some conditional exploit based on visitors coming from Search Engines. (e.g by typing the site URL directly into the Address bar, you won’t get redirected) and it looks like it will only fire once per IP Address each week (resets at the start of each week).
I probably should add that many so called WordPress vulnerability scanners online I’ve discovered aren’t even set up to detected this sort of hijack. The scanners based on “Securi” certainly will not detect this exploit, I’ve found.
Other resources…
- WordFence – Removing Malicious redirects
- CoreRecon – Identifying a conditional redirect hack (Beware, annoying pop up)
—
Original Post (Old):
Noticing some apparent weird intermittent redirect hijack on the general web where some sites are allegedly redirecting to some dodgy website with names such as “mouthtroubleask”
Update – 2020-09-11T06:55:00+12:00: Added steps to replicate (from my own experience)
Update – 2020-09-12T18:20:00+12:00: Added note to mention that all of the online WordPress malware scanners I’ve tried won’t detect this sort of hijack.
Any update on this?
Have just flicked you an Email.
For me, only replicable on Safari mobile browser private mode.
Not replicable on any other platform for me.