(This post on the hacking of mobile versions of websites falls squarely between WriterWay.com and iPhone4Tips.wordpress.com. Therefore, I’m posting it on both blogs.)
A few weeks back I wrote about the increasing proportion of website users who are using mobile devices (Where are the Smartphone-friendly websites?). While researching that story, I tripped over a far uglier one: Hackers who go under the radar to redirect websites — but just their mobile pages. Let me start at the beginning of this topic and work up to the rather complex explanation behind it all.
While writing the story on the need for mobile-friendly web pages, I checked to see if the organizations I work with are walking the talk. Did they have mobile-friendly pages?
I got distracted almost immediately because the second group whose site I checked had all the mobile versions of its pages redirected to a website in Russia that urged visitors to download something that claimed to be “Adobe Flash.” (Yeah, right.)
When I checked the same site from a desktop computer, it looked just fine. I was puzzled, so I called two friends and asked them to check both desktop and mobile versions of the site. They confirmed what I was seeing — but we discovered along the way that iPhones and Androids were being redirected to different Russian download pages.
I alerted the two volunteers who act as sysops for the website. Both are experienced programmers and website designers, and neither had come across this before.
The bottom line is that someone had obtained our not-very-secure password, compromised our .htaccess file, and inserted their redirect rules in our code. Fortunately, we were able to correct it by filing a ticket with the ISP to get this the .htaccess file corrected. A far more secure password is now in place.
There’s plenty online about attacks through .htaccess file rewrites, but I’ve found very little written about the hacking of the mobile pages of otherwise unscathed websites. It’s quite clever. Many sysops, such as ours, interact with sites only using desktop machines, and would be unlike to spot malicious hacking activity that affected only mobile pages and mobile users. Thus the hackers get to work under the radar — until a mobile user feels inconvenienced enough that he or she goes to the trouble to report that the pages have been redirected.
For those of you with a technical background, I asked our sysop to share what we did to troubleshoot and solve the problem. He writes: