A client emailed me today about an issue they were having. The problem was that if they visited their website via Facebook, the website would redirect to a different URL. However when they visited the website directly it worked fine. This took me by surprise for a few seconds, the malware was only acting if the user can from an external link? First thought was that the client's system was infected by some sort of malware, however, when I tried their link from Facebook, the same thing happened on my end. So the issue was not only on client's machine, either it was on Facebook (unlikely) or the client's hosting server was compromised. So I quickly opened Chrome Inspector and started observing the network tab as I clicked the link on Facebook. There it was, a "301 Moved Permanently" header which redirected the website to the malware website. The next obvious place to check was the .htaccess and bam! there it was:
The code itself is simple and elegant, if the referrer is anyone of the listed above, redirect to the malware URL. The brilliance about this hack is that the probability the client will find out directly is very low, in fact it was probably by chance they clicked on their own link on Facebook and saw this issue (or one of their viewers informed them).
So why did this happen? An unprotected .htaccess. Even if the hosting server was infected, the chances of malware actually having root access is fairly low. Thus, a simple chmod has secured this file from further abuse!