Unveiling the scandal: Gov.ph sites’ shameful casino redirects


I got an email alert from the Department of ICT on June 9, 2023. I felt embarrassed as I read the contents. You see, the email warned that one or more of the gov.ph sites we host at www.bnshosting.net were redirecting users to casino and gambling sites.

This was the SAME issue I wrote about earlier (https://mb.com.ph/2023/01/03/why-are-some-gov-ph-websites-redirecting-users-to-gambling-sites-2/). Now, together with our clients, we are on the receiving end.

How could this happen? Well, the advantage of hosting the affected sites is that we now have access to the data (logs and the web folders). Based on research and peer consultations, I suspect a malicious footer injection attack was afoot.
This is an attack in which hackers (or their bots) insert harmful URL redirects into a website’s footer code. The redirects send visitors to malicious websites or manipulate search engine results, posing significant risks to both website owners and users.

Read further and I will explain how malicious footer injections work, how to identify them, and most importantly, how to clean up the injected code and work with search engines to clear their cached results.

Understanding Malicious Footer Injection:
Malicious footer injection is the unauthorized insertion of harmful code into a website’s footer section. The footer, typically found at the bottom of a web page, contains elements such as copyright information, links to important pages, and other site-wide details. It is an attractive target because a theme’s footer file is included on every page, so a single edit reaches the whole site. Hackers exploit weaknesses in a website’s security to inject hidden or obfuscated code, which often includes URL redirects to malicious or phishing websites.

How Malicious Footer Injections Work:

  1. Exploiting Vulnerabilities:
    Cybercriminals search for security weaknesses such as outdated plugins, unpatched software, or weak or reused passwords. Once one is found, they gain unauthorized access to the site’s backend.
  2. Inserting the Malicious Code:
    The hackers modify the website’s footer files, either by editing the code directly or by using a compromised administrator account. They inject obfuscated JavaScript or HTML code that redirects users to their desired destination. In our case, the footer was modified to include footer_ads1.php, and that file was dropped into the site alongside it. It contained logic that redirects users to casino sites, but ONLY when the user comes from Google or another search engine’s results page. A direct visit returns the normal page, which is why this kind of redirect goes unnoticed by the site’s own staff.
  3. Diverting Traffic:
    When visitors reach the compromised website through a search result, the malicious code activates and redirects them to harmful sites. These sites can distribute malware, collect sensitive information, or engage in other fraudulent activities.
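To make the conditional behaviour concrete, here is an added Python example; it is not code from this page, from the affected sites, or the real footer_ads1.php. injected_footer models the decision a planted footer makes from the User-Agent and Referer headers, and probe_page requests the same URL three ways (a direct visit, a Google referral, and Googlebot) and reports which variants are redirected or served different content, which is exactly the check a site owner who only ever types the URL directly never performs. The crawler alternation is the one quoted later on this page; the SEARCH_HOSTS list, the casino.invalid destination, and all function and probe names are assumptions made for the illustration.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Crawler user-agents keyed on by the injected PHP (the alternation the page
# quotes from footer_ads1.php).
CRAWLER_UA = re.compile(
    r"Googlebot|AdsBot-Google|Mediapartners-Google|Yahoo! Slurp|y!j|yahoo|bingbot", re.I
)
# Referrer hosts treated as "arrived from a search results page". The page names
# Google and "other search engines"; this exact list is an assumption.
SEARCH_HOSTS = ("google.", "bing.", "yahoo.")


@dataclass
class Response:
    status: int
    location: Optional[str]
    body: str


Fetch = Callable[[Dict[str, str]], Response]


def injected_footer(headers: Dict[str, str]) -> Response:
    """Illustrative model of the cloaking logic; not the real footer_ads1.php."""
    ua = headers.get("User-Agent", "")
    ref_host = urlsplit(headers.get("Referer", "")).hostname or ""
    if CRAWLER_UA.search(ua):
        # Crawlers are fed keyword spam so the page starts ranking for casino terms.
        return Response(200, None, "<p>online casino slots bonus</p>")
    if any(h in ref_host for h in SEARCH_HOSTS):
        # A human clicking through from a results page is bounced to the gambling site.
        return Response(302, "https://casino.invalid/landing", "")
    # Everyone else (the admin typing the URL, the hosting staff) sees the real footer.
    return Response(200, None, "<footer>&copy; 2023 Department</footer>")


BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
PROBES = {
    "direct": {"User-Agent": BROWSER},
    "from_google": {"User-Agent": BROWSER,
                    "Referer": "https://www.google.com/search?q=department"},
    "as_googlebot": {"User-Agent":
                     "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
}


def probe_page(fetch: Fetch) -> Dict[str, str]:
    """Fetch the same page as a direct visitor, a Google referral and Googlebot, and
    report every variant that is redirected or served different content."""
    baseline = fetch(PROBES["direct"])
    findings: Dict[str, str] = {}
    for name, hdrs in PROBES.items():
        if name == "direct":
            continue
        r = fetch(hdrs)
        if 300 <= r.status < 400 and r.location:
            findings[name] = f"redirects to {r.location}"
        elif r.body != baseline.body:
            findings[name] = "content differs from a direct visit"
    return findings


def http_fetch(url: str, timeout: float = 10.0) -> Fetch:
    """Real fetcher for a live check. Redirects are NOT followed, so the Location
    header is captured instead of the casino landing page."""
    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn every 3xx into an HTTPError we can inspect

    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(headers: Dict[str, str]) -> Response:
        req = urllib.request.Request(url, headers=headers)
        try:
            with opener.open(req, timeout=timeout) as resp:
                return Response(resp.status, resp.headers.get("Location"),
                                resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
            return Response(err.code, err.headers.get("Location"), "")
    return fetch


if __name__ == "__main__":
    print(probe_page(injected_footer))
```

Pass http_fetch("https://www.example.gov.ph/") to probe_page to run the same check against a live site; a clean page returns an empty dict, and a page with the behaviour described above reports the redirect for the Google referral and the different content for Googlebot.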

Spotting Malicious Footer Injections:
Detecting malicious footer injections requires vigilance and regular security audits. Here are some signs to look out for:

  1. Unexpected Redirects:
    If your website redirects users to suspicious or unrelated websites without any legitimate reason, it is a clear indication of a potential footer injection. You can also use a Google dork: search for site:<yourdomain.com> casino and see whether any of your pages appear in the results. Because the injected code fires only on search-engine referrals, test the way a visitor would: click through from a search result, or request the page with a search-engine Referer header, rather than typing the URL directly, since a direct visit will look clean. The server access logs tell the same story: look for 301/302 responses to requests whose Referer is a search engine.
  2. Unusual Code Modifications:
    Monitor your website’s code for any unauthorized changes, especially in the footer section. Look for unfamiliar or obfuscated code snippets that may contain URL redirects, and for include or require lines that pull in files you did not add.
  3. Searching for a specific string in the web files:
    Eskie Maquilang suggested searching for this string pattern: “Googlebot|AdsBot-Google|Mediapartners-Google|Yahoo! Slurp|y!j|yahoo|bingbot”, since it was in the footer_ads1.php malicious code. Search for it as a literal string across every file under the web root, not just the theme folder, and treat any match outside a known, legitimate bot-detection library as suspect.
  4. Antivirus Alerts:
    If your visitors’ antivirus software triggers warnings when accessing your site, it could indicate the presence of malicious redirects. However, in our case, the antivirus did not detect anything. We also submitted footer_ads1.php to virustotal.com. It, too, failed to detect the malicious code.

[Screenshot: VirusTotal output on footer_ads1.php]

  5. Sudden Drop in Traffic or Bounce Rate:
    Malicious redirects can harm your website’s reputation, leading to a decline in organic traffic and an increase in bounce rate. Monitor these metrics closely.
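The string search in point 3 is the check that actually found the file here, so as an added example (not tooling from the page or from the hosting company) the following Python scanner applies the checks above to a whole document root: the literal crawler string, an include or require of footer_ads*.php, an eval of a decoded payload, and a Location redirect in the same file as a check on HTTP_REFERER or HTTP_USER_AGENT. build_sample_site writes a constructed stand-in for a compromised site into a temporary directory so the scanner can be run offline; the files it creates are not from the affected gov.ph sites. The obfuscation check and the WordPress-style theme path are assumptions; the crawler string is the one quoted above.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# 1. The literal crawler list the page says was inside footer_ads1.php (pattern
#    suggested by Eskie Maquilang). Searched as a plain substring, so the pipes
#    need no escaping.
CRAWLER_STRING = "Googlebot|AdsBot-Google|Mediapartners-Google|Yahoo! Slurp|y!j|yahoo|bingbot"
# 2. The hook: an include/require of footer_ads*.php planted in a legitimate footer.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]*footer_ads[^'\"]*\.php['\"]", re.I)
# 3. Generic PHP-malware hallmark (assumption: not quoted on the page, but the usual
#    way such payloads hide from a casual read of the file).
OBFUSCATION_RE = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# 4. A redirect that depends on who is asking: header('Location: ...') in the same
#    file as a check on the referrer or user-agent.
LOCATION_RE = re.compile(r"header\s*\(\s*['\"]Location:", re.I)
CONDITION_RE = re.compile(r"HTTP_REFERER|HTTP_USER_AGENT", re.I)

Finding = Tuple[str, str]  # (path relative to the web root, reason)


def scan_webroot(root: Path,
                 suffixes=(".php", ".phtml", ".html", ".htm", ".js")) -> List[Finding]:
    """Walk every file under the web root (all directories, subdomain folders
    included) and report each file that trips one of the checks above."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        if CRAWLER_STRING in text:
            findings.append((rel, "contains the footer_ads1.php crawler list"))
        if INCLUDE_RE.search(text):
            findings.append((rel, "includes footer_ads*.php"))
        if OBFUSCATION_RE.search(text):
            findings.append((rel, "evals a decoded payload"))
        if LOCATION_RE.search(text) and CONDITION_RE.search(text):
            findings.append((rel, "redirect conditioned on referrer or user-agent"))
    return findings


def build_sample_site(base: Path) -> Path:
    """Constructed stand-in for a compromised document root (sample data, not files
    from the affected sites): a clean index, a footer with the planted hook, and a
    footer_ads1.php whose logic mirrors what the page describes."""
    theme = base / "wp-content" / "themes" / "gov"
    theme.mkdir(parents=True)
    (base / "index.php").write_text("<?php require 'wp-blog-header.php'; ?>\n")
    (theme / "header.php").write_text("<html><head><title>Department</title></head>\n")
    (theme / "footer.php").write_text(
        "<footer>&copy; 2023 Department</footer>\n"
        "<?php include('footer_ads1.php'); ?>\n")            # the planted hook
    (theme / "footer_ads1.php").write_text(
        "<?php\n"
        f"if (preg_match('/{CRAWLER_STRING}/i', $_SERVER['HTTP_USER_AGENT'])) {{ echo 'casino'; }}\n"
        "elseif (stripos($_SERVER['HTTP_REFERER'], 'google') !== false) {\n"
        "  header('Location: https://casino.invalid/'); exit; }\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in scan_webroot(build_sample_site(Path(tmp))):
            print(f"{rel}: {reason}")
```

Run it against a copy of the web folders taken before any cleanup so the findings can be compared with file modification times in the same copy; the scanner only reads files and changes nothing.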

Cleaning Up Malicious Codes:
Taking prompt action to clean up malicious footer injections is crucial to safeguarding your website and users. Here’s what you can do:

  1. Backup Your Website: Before making any changes, create a complete backup of your website’s files and databases.
  2. Remove Unauthorized Code:
    Inspect your website’s footer files thoroughly and remove any suspicious or unfamiliar code. Pay attention to all directories, including subdomains. Here you can comment out the lines that “include” footer_ads1.php; the footer then no longer hooks into the malicious file, and it is never served to a visitor. Keep a copy of footer_ads1.php outside the web root for analysis rather than simply deleting it. Commenting out the include removes the symptom only: the way the attacker obtained write access to the theme folder still has to be found and closed, which is what the next steps are for.
  3. Update Software and Plugins:
    Keep your website’s CMS, plugins, themes, and other software up to date to close the vulnerabilities that hackers exploit.
  4. Strengthen Security Measures:
    Enhance your website’s security by implementing strong passwords, using two-factor authentication, and regularly scanning for malware. You can also remove write permission on the theme folders if nothing legitimately needs it (restore it temporarily for theme updates). This makes it harder for bots or attackers running as the web-server user to drop files there, although an attacker holding the file owner’s credentials can simply put the permission back.
  5. Review User Accounts:
    Disable or delete any compromised or suspicious user accounts to prevent unauthorized access. Ask admins to change their passwords and enable 2FA.
  6. Seek Professional Help:
    If you lack technical expertise or suspect a more extensive compromise, consult a cybersecurity professional or your website hosting provider (or register for the webinar; more details below).
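Steps 1, 2 and 4 above are mechanical, so here they are as an added Python example (not a script from the page or from the hosting company): back up the document root, wrap every include or require of footer_ads*.php in a PHP comment so the hook is dead, move the footer_ads*.php files out of the web root into a quarantine folder instead of deleting them, and clear the write bits on the theme tree. The function names, the WordPress-style theme path and the quarantine layout are assumptions; the comment-out approach is the one the page recommends.

```python
import os
import re
import stat
import tarfile
import time
from pathlib import Path
from typing import Dict, List

# An include/require statement whose target is footer_ads*.php. Matching the whole
# statement (not the line) lets the comment markers sit inside <?php ... ?>, and the
# lookbehind keeps a second run from nesting /* */ (PHP comments do not nest).
INCLUDE_STMT = re.compile(
    r"(?<!/\* )((?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]*footer_ads[^'\"]*\.php['\"]\s*\)?\s*;?)",
    re.IGNORECASE,
)


def backup_site(root: Path, backup_dir: Path) -> Path:
    """Step 1: full tar.gz of the document root before anything is changed.
    backup_dir must be outside root, or the archive would try to include itself."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{root.name}-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=root.name)
    return archive


def comment_out_includes(root: Path) -> List[str]:
    """Step 2a: wrap every hook into footer_ads*.php in /* */ so it is never executed."""
    changed: List[str] = []
    for php in sorted(root.rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        new_text, hits = INCLUDE_STMT.subn(r"/* \1 */", text)
        if hits:
            php.write_text(new_text, encoding="utf-8")
            changed.append(php.relative_to(root).as_posix())
    return changed


def quarantine_payloads(root: Path, quarantine_dir: Path) -> List[str]:
    """Step 2b: move footer_ads*.php out of the web root. Kept, not deleted: the file
    is evidence, and the page notes that AV and VirusTotal did not flag it."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    moved: List[str] = []
    for payload in list(root.rglob("footer_ads*.php")):  # list(): don't walk while moving
        rel = payload.relative_to(root).as_posix()
        payload.replace(quarantine_dir / rel.replace("/", "__"))
        moved.append(rel)
    return moved


def set_theme_writable(theme_dir: Path, writable: bool) -> int:
    """Step 4: clear the write bits on the theme tree (or restore the owner's write
    bit before a theme update). Returns the number of entries touched."""
    touched = 0
    for p in [theme_dir, *theme_dir.rglob("*")]:
        mode = stat.S_IMODE(p.stat().st_mode)
        os.chmod(p, (mode | 0o200) if writable else (mode & ~0o222))
        touched += 1
    return touched


def neutralize(root: Path, theme_dir: Path, work_dir: Path) -> Dict[str, object]:
    """Run the steps in the order the page gives them and return what was done."""
    report: Dict[str, object] = {"backup": str(backup_site(root, work_dir / "backup"))}
    report["commented"] = comment_out_includes(root)
    report["quarantined"] = quarantine_payloads(root, work_dir / "quarantine")
    report["locked"] = set_theme_writable(theme_dir, writable=False)
    return report
```

Run it as the file owner, with work_dir on a path the web server cannot serve, and re-run the string search from the detection section afterwards: a second pass of comment_out_includes returning an empty list is the expected result, and the quarantine folder is what you hand to whoever analyses the payload.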

Working with Search Engines:
Clearing search engine cached results is essential to remove any traces of malicious redirects from the web. Follow these steps:

Submit a Removal Request:
Use the search engine’s webmaster tools (Google’s is now called Search Console) to ask Google to remove from its index all the known subfolders and URLs that the malicious code created. Do this only after the injected code is gone: a temporary removal hides the URLs for a limited time (about six months for Google), and if the spam pages still exist they will simply be re-crawled and re-indexed.

If you read all the way to this portion, please register to attend our webinar, where we demo the actual steps we took to detect and clean the injections and to ask Google to remove the offending links. Register now at: https://us02web.zoom.us/meeting/register/tZYtd-yoqzMrGNHjCIeKU9F7xfDX0JwjCHmt