How to detect and fix stealth redirects for mobile devices. What is a mobile redirect and how to deal with it


Hey Habr! We all love it when a site works great on any device, regardless of screen size, control and interaction methods. Often, content needs to be slightly adapted to the device on which the user is viewing it: for example, optimizing for a small smartphone screen involves changing images and other content elements. To make it easier for mobile visitors, it's not uncommon for developers to use a pop-up navigation bar. If such modifications are implemented properly and are intended to improve user experience, we do not consider them to be a violation of Google's policies.

The same applies to redirects to mobile sites. Smartphone users will find the mobile version of a site more convenient than the regular one, so a redirect from example.com/url1 to m.example.com/url1, for example, is justified. However, silently redirecting mobile users to third-party pages interferes with the experience and violates Google's Webmaster Guidelines.

Violation example: A search results page on a computer and a mobile device shows the same URL. By clicking on this link, the computer user will be taken to the landing page, while the smartphone user will be redirected to another URL.

What, where, when?

Today there are many ways to create a website, from ready-made engines, plugins and themes to comfortable IDEs that require almost no knowledge of layout. Many large or old resources have long had a mobile version (since the days of ordinary phones with Java browsers), which can be very different from the "full-fledged" one. However, we believe that the content of the site and the information provided should be essentially the same on all devices. Let's look at the main challenges of mobile redirection.

Problematic handling of mobile devices
Sometimes webmasters set up redirects for mobile visitors themselves, usually in violation of our guidelines. If it harms users, we manually take action to fix the problem (read more about this at the end of the article). However, we are also aware of cases where a covert redirect is performed without the knowledge of the site owner.

Intentional redirection for promotional purposes
A script or element placed on a site to display ads or monetize content may redirect mobile users to a site of a different theme without the knowledge of the webmaster. And it doesn't matter if you yourself posted a "problematic" script or your site was hacked: if you do not understand the source code of the plug-ins, getting a Trojan horse is easy.

Redirecting mobile users as a result of a site hack
If your site is hacked, it may redirect mobile users to domains that are spamming, illegally collecting personal data, or stealing money from bank cards. What to do if you become a victim of such redirects?

The general program of action is as simple as one, two, three: identify, isolate, prevent. Let's get to work!

How to detect hidden redirects for mobile devices?

In order to properly deal with a problem, it must be defined. You may not even know that someone is “stealing” your mobile users until someone complains or you yourself accidentally stumble upon the results of malicious scripts.

Messages from visitors can carry little useful information and cause panic: “I opened your website, and it gave me A-a-a-a-a-a, O-o-o-o-o-o-o-o-o-o-o-o-o-s and offers rotten fruits at wholesale prices”. No problem page, no device or browser information.

So step one: find the problem. The advice may seem obvious, but as practice has shown, when it comes to real problems, many users and webmasters get lost and don't know where to start. You should start with the simplest:

  • Open the site on your smartphone and see if you get to another resource
    We recommend checking your site by going to it from Google search results on your smartphone. With today's diversity in the mobile device market, it is more convenient to debug using emulation of mobile devices in computer browsers. This feature is supported by Chrome, Firefox and Safari. In the latter case (Safari), you will need to open the browser settings and check the box "Show the Develop menu in the menu bar".
  • Read visitor reviews
    Users may see your site differently than you. Someone has an old browser, someone else has a mountain of extensions (they can also be attacked and start slipping ads / redirecting users). Always read customer reviews and pay attention to their complaints in order to identify problems in time. If necessary, ask clarifying questions, ask to send a screenshot or tell how exactly the user got to the problem page.
  • Track visitor actions and analyze site statistics
    Unusual mobile user behavior can be detected by examining web analytics data. Statistics is a powerful tool that allows you to identify problems where single checks and tests show nothing. For example, if the average time spent on the site by mobile device owners (and only by them) has dropped dramatically, this can be caused by a redirect.

    To be immediately aware of significant changes in mobile user behavior, you can set up custom alerts in Google Analytics.

    Try creating an alert about a sharp decrease in the time spent by mobile visitors on the site, or a decrease in their number. Keep in mind, though, that significant changes in these metrics are not always a direct consequence of stealth redirects, but traffic declines are still worth looking into. You didn't just make a website, did you?

Hidden redirect detected for mobile users on my site. What to do?

Let's say you found the problem. What's next? How do you deal with it? Step two: isolate the source of the problem. There can be two sources of redirection: external or internal influence.

In the first case, someone gained access to your site (vulnerabilities for popular engines are regularly found and are not always quickly closed). In the second, you, unwittingly, planted a “time bomb” by inserting some kind of script without checking its contents. Optionally, the site engine could independently update the elements from some repository that was hacked. In any case, to eliminate such problems, the algorithm is the same.

  • Check if the site is hacked
    Open the Security Issues section in Search Console: if we have detected a hack, you will find a corresponding notification inside.
    In addition, it is worth exploring additional information about the typical signs of hacked sites and examples from our practice. If you are using any engine or framework - look at the news of the corresponding community, maybe not only you have encountered a problem.
  • Check if there are any extraneous scripts and elements on the site
    If your site is not hacked, check if there are any third-party scripts or redirect elements on it. To do this, follow these steps:
    1. Attention! Before making any changes to a working site, create a backup copy of the site and check that it works.
    2. Find the page that redirects users. If there are other people's scripts and elements on it, feel free to delete them one by one.
    3. After each deletion, check from your mobile device or through the emulator if the redirect occurs.
    4. After localizing the element responsible for the covert redirect, remove it from all pages. If the element is critical and necessary for the functioning of the site - ask its supplier to help you with debugging.

We protect the site

Step three: prevent a recurrence. Everything is simple here. You found the reason for the redirect - script, element, module, whatever. If you know where it came from - you should probably stop using this source of extensions. If not, check the list of known vulnerabilities for your engine or framework, set of libraries. Perhaps the developers managed to release urgent updates.

The human factor should not be excluded either. If there was no hacking and you did not place scripts / libraries / elements, but they appeared - look at the history of accesses to the site, it is possible that proactive moderators or content administrators could intentionally or unintentionally bring infection to the site.

Check the read and write permissions on the site's folders. Where writing is not required, set the read-only attribute: this prevents intruders and malware that got in through a narrow loophole from writing themselves into working folders and elevating their privileges.

Use Search Console

If a user is redirected to other pages to display content other than what is shown in the search results, this is against the Google Webmaster Guidelines. You can read more about hidden redirects.

The Google Search Quality Team may take action on such sites, such as removing the URL from our index. If this happens, you, as the site owner, will see appropriate alerts in the Search Console. This is just one of the reasons why we encourage you to register an account with Search Console. The service itself is extremely flexible and allows you not only to receive timely notifications of problems, but also to analyze the current state of the site, as well as send requests to Google for re-checking. Fast, convenient, and most importantly - in one place.

One more thing

Choose advertisers that won't direct your visitors to unexpected pages. If you're looking to build trust in the industry, check out our ad network best practices. You can start by looking at the IAB site quality guidelines.

There are many ways to monetize content for mobile devices that provide a high level of user experience and do not result in your site being removed from the search results. Use them.

One morning, while checking my mail, I found a "letter of happiness" from Yandex, in which I was notified that one of the sites posed a threat to users and was marked as malicious in the search results. A visit to the webmaster's personal account confirmed the problem.

I go to the site from a smartphone through Yandex. And I get this picture on the screen.

I started researching the problem on the Internet. It turned out that if the .htaccess file is not changed, then the problem is on the host side. And since all my files on the server are protected from being overwritten and making changes without my knowledge is impossible, we write to the hosting support.

your message (11/11/2013 11:32:00 AM) For the last few days, when you come in from mobile devices, it throws you to getpdainfo.com and offers to update the flv player. And if you come in a second time from the same IP, it no longer redirects. You come in from another IP and it throws you there again. .htaccess is clean. All site files have been checked by several antiviruses. An online check by DrWEB and others says everything is clean. The site has the Wordfence anti-virus plugin, and it also reports that everything is clean. I suspect that this redirect is attached to the page on the fly on the web server. Look into it, please!

We get an answer.

Support message (11.11.2013 16:11:49)

Hello.
On the sayga12.ru website, you have quite a few redirects in the “.htaccess” file, probably the reason for redirecting mobile traffic is in one of them.

There are no redirects from the web server side.

Well, as expected... The website files were downloaded to my computer and scanned by antiviruses. All clean. Critical files of the site and the admin theme were also checked manually. Also unchanged. The site has been checked by several online scanners, incl. Drweb. No hints of problems with the site files. I put in a clean .htaccess just in case. But when entering from a smartphone, we again get a redirect to a viral site.

We write to the host again.

your message (11.11.2013 16:40:02)

The same redirects are registered on three more sites and there is no such problem.
There is a blacklist of sites. I'll try to put a clean htaccess but I'm more than sure that the problem will remain. This file has been standing for half a year already, but the problem has just appeared.

Well, again a brush-off from the host.

Support message (11.11.2013 19:37:02)

Please check the code of your site for vulnerabilities, apparently it was hacked, and the attackers wrote the redirect code in .htaccess

We continue to hammer the hoster, because everything has been checked several times. The problem is clearly on the host server. The question is how to convince them of this...

your message (11.11.2013 19:42:42)

I put in a "naked" htaccess. The problem, as I expected, remained. Guys, you seem to have a virus on your web server. Look at what server the site sayga12.ru and my other sites are on. The problem is only with sayga12.ru.

your message (11.11.2013 19:48:58)

As for hacking, it's unrealistic. For six months there has been a ban on changing all files. Any change is sent to me by e-mail. The redirect clings on the fly when accessing the site; its code is not in the site files. The problem with this redirect is known: it is on the hosting side. Since the summer of 2013, it has been hammering all hosters, starting with RU-center. Whatever I do with the site files now is useless, because they are clean.

Finally the host gives up. It's been 11 hours since the first call.

Support message (11.11.2013 22:04:45)

Okay, we'll check the server software.

By the end of the day, I began to look with horror at the decrease in the site's positions on all LI charts. The Yandex mark brought down daily traffic by a factor of 3! Visits from Yandex fell from the daily average of 84 people for the last week to 4!

However, in the morning I receive such a letter from the host.

Support message (12.11.2013 01:38:11)

Hello,

1) thank you for contacting

2) today, based on your complaint, we made a thorough analysis of the situation, thanks to your request, we found a compromised module for the web server, at the moment the module is already disabled and there are no redirects, how it happened and for what reason this could have happened at all - we understand. According to our records, this happened on "Nov 9 21:48". We also carried out a complete analysis of all other machines - only ftp30 was compromised

3) within the next 24 hours (more precisely, within the next 12 hours), all software on this server will be updated (kernel and system software), and the configuration files will be re-uploaded from the repository

4) I offer you my deepest apologies for the inconvenience caused - and I repeat we will make every effort to investigate this fact

5) as compensation, I credited you with half a year of maintenance free of charge

6) if you care about the content of your sites, you can use the backup service in the control panel and order restoring a backup for November 9; in this archive there should be no foreign content. I would also recommend that you reset mysql passwords in the control panel (also in config files)

7) if you wish - we can transfer your account to another server

Thanks again for reaching out
All the best!

I also received a second letter about the accrual of bonuses to my account.

An application to Yandex for re-checking the site was sent the day before. We are waiting for the results. And we get it in half a day. The traffic started right away.

The last check of the site on November 13, 2013 did not reveal any pages containing malicious code. In the search results, the site is displayed without marks.


Sincerely,
Yandex.Webmaster

The problem was solved within a day. It's good that adequate people were found in the hosting support and correctly assessed the situation and, most importantly, were not afraid to admit their problem. And at the beginning of the correspondence, I already began to think about changing the hoster, because a lot of money and effort have been invested in the sites, and such incidents nullify everything that has been done for years.

I hope my article will help you solve your problems with a mobile redirect if you encounter it on your sites.

Project manager of the Business Motor team, webmaster, copywriter.
Website security is one of the prerequisites for a successful user experience. We talk about non-obvious threats to users. Why mobile redirect is dangerous and how it affects user experience

Website hacking is a danger that every webmaster has to deal with. However, penetration results can be very different. It's one thing if the consequences of hacking are obvious: the site stops working or, for example, unauthorized content appears on its pages. Such events require immediate intervention, but at least you can respond to the incident as quickly as possible, because the problems are obvious to every visitor.

Unfortunately, events often develop according to a different scenario. After gaining access to the site, attackers can add malicious code to it, the effect of which is not obvious at first sight. Such activity can go unnoticed, and in the medium and long term the site is demoted by search engines or even falls under sanctions, losing positions, customers and sales.

In today's article, we will look at one of the most common threats of this kind - a mobile redirect, due to which a commercial site can lose 25-40% of visitors. And that means potential and very real sales. Learn more about how it works and how to eliminate malicious code in time before the consequences of its presence become critical.

How does mobile redirect work?

The insidiousness of this threat lies in the fact that on desktop computers and laptops, interference with the site code does not manifest itself in any way. The injection works only if the user accesses the web page from a mobile phone (immediately or after performing some action - for example, clicking on any link).

The execution of malicious code leads to the fact that the user is prompted to download and install an application to optimize the memory of a smartphone or, for example, an antivirus. Other options are also possible: an offer to update the software, install the game, and so on. Most often, this cover hides mobile phishing tools that can steal personal data and / or money from the user's account.

The danger of a mobile redirect lies in the fact that for an inexperienced user, an offer to install a useful application or update it sounds quite adequate. The consequences of such an action, as we mentioned above, can be very serious.

How to identify a mobile redirect?

According to the SiteSecure project, about 52% of owners of sites infected with mobile redirect are unaware of the problem. This is due to the fact that, in common practice, they do not visit the resource from a mobile device, using only a desktop computer or laptop.

Mobile redirect and search engines

Over time, the infection of the site is diagnosed by search engines - Google and Yandex. A corresponding warning begins to appear in the search engines' webmaster dashboards.

In the Yandex.Webmaster dashboard, the results of the check look like this (in the verdict field, "Mobile redirect" will be indicated):

A similar message appears in the Google Search Console. Details can be seen, for example, in the section "Measures taken on the site":

Unfortunately for the site owner and fortunately for users, warnings about site infection also appear in search engine results. In Yandex, it may look like this:

Thus, once a search engine has identified the threat, additional restrictions are imposed on the site that can drastically reduce the number of visits. It is noteworthy that these preventive measures may apply not only to mobile search results, but also to users of desktop computers. In other words, at a certain stage a mobile redirect leads to the demotion of the site as a whole, with a multiple decrease in its traffic.

Self-diagnosis

There is another important detail: search engines do not detect a threat instantly, in real time. And in some cases it is not detected at all. On the one hand, this can lead to larger project losses in the long run. But if the webmaster was able to detect a mobile redirect earlier, before the imposition of sanctions by search engines, then this has its advantages. At the very least, you avoid losing traffic from Google and Yandex, and you avoid having to get these sanctions lifted later.

In other words, it is much better to discover the problem yourself than to solve it already when the site traffic drops to a minimum. And you can do this in several ways:

  1. Self-analysis of the site - periodically view pages from a mobile phone. At the same time, just opening the site is not enough: it is important to make several clicks on links to different pages. It is noteworthy that a mobile redirect can be designed for all operating systems, as well as specifically for Android or iOS. So it is preferable to test the site from different devices.
  2. Periodically check the site using online services that allow you to emulate opening a web page from different systems.
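The emulated check from this list, and the earlier step of opening the site from search results on a smartphone, can be scripted. The following is an added example, not code from the original articles: it requests the same URL as a desktop and as a mobile browser, records each HTTP redirect hop, and separates a redirect to the site's own mobile version from one that leaves the site. The function names, the User-Agent strings and the example.* hosts are assumptions made for illustration.

```python
"""Compare where a URL leads for a desktop browser and for a smartphone."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed sample User-Agent strings; substitute current ones.
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36")
SEARCH_REFERER = "https://www.google.com/"  # arrive as if from search results


class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface each 3xx as HTTPError so every hop is recorded


def fetch_chain(url, user_agent, referer=SEARCH_REFERER, max_hops=10):
    """Return the URLs visited through HTTP 3xx redirects, start included."""
    opener = urllib.request.build_opener(_NoFollow)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(
            chain[-1], headers={"User-Agent": user_agent, "Referer": referer})
        try:
            opener.open(req, timeout=10).close()
            break  # 2xx response: end of the chain
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                chain.append(urljoin(chain[-1], location))
            else:
                break  # 4xx/5xx, or a 3xx without a Location header
    return chain


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _is_own(host, own_domain):
    # Exact match or a true subdomain; "notexample.com" is not "example.com".
    return host == own_domain or host.endswith("." + own_domain)


def assess(desktop_chain, mobile_chain, own_domain):
    """Classify a pair of chains as 'same', 'mobile-site' or 'suspicious'."""
    own_domain = own_domain.lower()
    desktop_hosts = {_host(u) for u in desktop_chain}
    # Hosts that only mobile visitors reach and that are not the site's own.
    foreign = {h for h in map(_host, mobile_chain)
               if not _is_own(h, own_domain) and h not in desktop_hosts}
    if foreign:
        return "suspicious", sorted(foreign)
    if _host(mobile_chain[-1]) != _host(desktop_chain[-1]):
        return "mobile-site", [_host(mobile_chain[-1])]
    return "same", []


def check(url, own_domain):
    """Fetch both chains over the network and classify them."""
    return assess(fetch_chain(url, DESKTOP_UA),
                  fetch_chain(url, MOBILE_UA), own_domain)
```

A clean result from one run is not conclusive: the cases described on this page fired once per IP address or only on a mobile operator's network, and redirects performed by a script in the page do not show up as HTTP hops, so they still need a browser emulator.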

Treatment of a mobile redirect

Each site "engine" and each malicious code has its own characteristics, so there is simply no universal solution. General recommendations for troubleshooting are given in the Yandex help. To detect the source of the threat and infected files, the AI-Bolit service can also be very useful; its basic functionality is available for free use.

Conclusions

Hacking and / or infection of the site is not always obvious. In some cases, malicious activity is not obvious, but because of this, it is even more dangerous for the progress of the project.

One type of infection that can go unnoticed is a mobile redirect – a redirection of a user who opened a web page from a smartphone. In this case, the visitor is usually prompted to download spyware disguised as a browser update, a useful application, or another product.

When a mobile redirect is detected, search engines mark the site as undesirable to visit. Already in the short term, this leads to a sharp decrease in traffic and a demotion in the search results.

It is better to detect a mobile redirect on your own. Special online services and scripts for the site will help with this.

We continue to acquaint readers with widgets that threaten the security of the site or visitors. Today we will talk about the callback service Chaser.ru. The service offers the webmaster to install a widget on a commercial resource to increase conversion.

A couple of days ago, a client contacted us with a complaint about a hidden mobile redirect. According to him, the site was redirecting visitors coming from mobile devices to a paid subscription service (in short, a wapclick redirect). As usual, the redirect occurs once per mobile device per day, and only if the visitor came in via mobile Internet, not via Wi-Fi.

UPD 27 March 18:30: the service developer discovered the hacking of the service and fixed the problem:

Scanning the site's files did not reveal malicious scripts that could cause redirects, so the next step was to analyze the traffic at the time the site page was loaded.

Based on the results of the analysis, a wapclick redirect was found that occurs along the following chain:

chaser.ru » mc.yaship.ru » mobempire.ru » watchland.space » moipodpiski.ssl.mts.ru

It turned out that when entering from different browsers, the Chaser.ru widget loads different versions of the http://chaser.ru/widget/1.1/js/chaser.js javascript file. The version for mobile devices contains a dynamic script injection from the mc.yaship.ru domain (a phishing domain masquerading as Yandex.Metrica). This script, if downloaded from a 3G/LTE network of a mobile operator, redirects to the mobempire wapclick affiliate, and then redirects visitors to paid SMS subscriptions, which we have already written about more than once.
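The comparison that exposes this kind of device-dependent script can be automated. The following is an added example, not code from the original article or from the widget: it fetches one script URL as a desktop and as a mobile browser and reports the hosts and lines that appear only in the mobile variant. The function names, User-Agent strings and sample script bodies are constructed for illustration.

```python
"""Compare the script a third-party widget serves to desktop and mobile."""
import re
import urllib.request

# Constructed sample User-Agent strings; substitute current ones.
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36")

# Hosts in absolute or protocol-relative URLs, e.g. '//cdn.example.net/x.js'.
_HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)

# Constructed sample bodies (not the real widget code) for an offline run.
DESKTOP_SAMPLE = """(function(){var s=document.createElement('script');
s.src='//widget.example.com/core.js';document.head.appendChild(s);})();"""
MOBILE_SAMPLE = DESKTOP_SAMPLE + """
(function(){var m=document.createElement('script');
m.src='//metrics.example.net/watch.js';document.head.appendChild(m);})();"""


def fetch_script(url, user_agent):
    """Download the script body as the given browser would receive it."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def referenced_hosts(js):
    """Return the set of host names that appear in URLs inside the script."""
    return {h.lower() for h in _HOST_RE.findall(js)}


def diff_variants(desktop_js, mobile_js):
    """Report what the mobile variant contains that the desktop one lacks."""
    desktop_lines = set(desktop_js.splitlines())
    return {
        # A file presented as static should be byte-identical for everyone.
        "identical": desktop_js == mobile_js,
        "mobile_only_hosts": sorted(
            referenced_hosts(mobile_js) - referenced_hosts(desktop_js)),
        "mobile_only_lines": [
            ln for ln in mobile_js.splitlines() if ln not in desktop_lines],
    }


def check_widget(url):
    """Fetch both variants over the network and compare them."""
    return diff_variants(fetch_script(url, DESKTOP_UA),
                         fetch_script(url, MOBILE_UA))


if __name__ == "__main__":
    print(diff_variants(DESKTOP_SAMPLE, MOBILE_SAMPLE))
```

Host names assembled at run time from string fragments will not be matched by the regular expression, so treat `identical == False` on a supposedly static file as the primary signal and the host list as a hint.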

An HTTP session in detail looks like this:

If you open the site in a regular browser, then there will be no mc.yaship.ru injection in the file. When uploading a file from a mobile device, a fragment appears in the code of a static file, which is highlighted in the screenshot:

This is not the first time that seemingly legitimate widgets have caused problems for webmasters and commercial site owners. Moreover, the source of the redirect, in fact, becomes the webmaster himself, who voluntarily places a dangerous widget on the pages of the site. The problems to which a webmaster exposes his site primarily relate to sanctions from search engines: search engines are great at detecting "wap clicks" and other types of hidden redirects, and they punish site owners by excluding sites from mobile search results or demoting them in search results.

Additionally, I would like to draw your attention to the fact that callback widgets that use “clickjacking” to recognize a visitor’s profile in social networks are now gaining popularity. For this "cheating" the search engine also severely bans the site. Be careful!

And to check the reliability of the service, you can use our web scanner or contact us at


