WiFi Router Hijacking: How it Works and Impacts eCommerce Customers & Revenue
February 4, 2019
by Ohad Greenshpan
By now, it’s a well-known fact that connecting to a WiFi router poses a host of security risks. It’s no longer breaking news that the freedom provided by WiFi networks isn’t just enjoyed by consumers, but can be exploited by hackers and malicious actors for their own profit.
But what many eCommerce businesses are still not aware of is what happens when that affected user visits an online store. At that point, the user is no longer the only one impacted.
To better understand how WiFi router hijacking affects both the affected user’s online experience and, as a result, eCommerce revenue and other top metrics, let’s first break down exactly how hackers take control of a WiFi network:
How do WiFi routers get hijacked?
Here are the steps that normally occur to hijack a WiFi router:
1. Malicious code is downloaded on the user side: While consumer-grade routers can also be breached by a direct, determined cyber attack, in most cases that isn’t even necessary. Most commonly, malicious code downloaded by the user is already running in the background in their browser. Once that malware is running in the browser, its next connection to the router is typically what initially compromises the router and opens it to intrusion.
2. Hacker conducts a brute force attack on the router: Hackers or malicious actors commonly run a brute force attack against the infected WiFi router’s internal IP. This is the simplest method of attack: it involves entering various combinations of usernames and passwords (usually with automated software) over and over until the right password is guessed. Brute force attacks can cycle through tens of thousands of password variations or more before they break into a site or server with the correct password.
A brute force attack detected by Namogoo’s Code Insights Tool
3. A Proxy is created to reroute web traffic: Once the WiFi router admin password is cracked, hackers can essentially take control of the router’s admin console. They can set up a proxy to redirect network traffic coming from the user’s web browser to a malicious IP.
4. Hackers activate the proxy: To activate the proxy, hackers will force a reboot of the router.
A WiFi router reboot script captured by Namogoo’s Code Insights Tool
5. Hackers redirect traffic to their malicious IP address: Once the router has been rebooted, traffic can be re-routed from any device connecting to that router. For example, a user trying to visit cnbc.com from the hijacked router will unknowingly have their request re-routed to a malicious IP address. At this point, the WiFi hijacker will fetch cnbc.com’s web page and bundle it with the malicious code of their choice before serving this compromised page to the user.
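Step 2 above is the one a network defender can see coming: a burst of failed logins against the router’s admin interface from a single internal host, followed by a success, is the signature of a password being brute-forced. The following is an added example written for this post, not Namogoo’s code or any router vendor’s: it parses constructed, syslog-style admin-login lines (the line format is assumed; real routers log differently) and flags any source that fails at least `threshold` logins inside a sliding time window, noting whether a successful login followed the burst.

```python
"""Detect brute-force logins against a router admin console from its log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not from a real device): one host,
# 192.168.1.23, fails six times in five seconds and then logs in; another host,
# 192.168.1.10, has ordinary activity with a single failure.
SAMPLE_LOG = """\
2019-02-04T10:00:01 router httpd: login failed user=admin src=192.168.1.23
2019-02-04T10:00:02 router httpd: login failed user=admin src=192.168.1.23
2019-02-04T10:00:02 router httpd: login failed user=root src=192.168.1.23
2019-02-04T10:00:03 router httpd: login failed user=admin src=192.168.1.23
2019-02-04T10:00:04 router httpd: login failed user=admin src=192.168.1.23
2019-02-04T10:00:05 router httpd: login failed user=admin src=192.168.1.23
2019-02-04T10:00:06 router httpd: login ok user=admin src=192.168.1.23
2019-02-04T10:00:30 router httpd: login ok user=admin src=192.168.1.10
2019-02-04T10:05:00 router httpd: login failed user=admin src=192.168.1.10
2019-02-04T10:09:00 router httpd: login ok user=admin src=192.168.1.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ httpd: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw log text into a list of login events; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "ok",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector.

    Returns {src: {...}} for every source that produced at least `threshold`
    failed logins inside `window`. `success_after` records whether that source
    later logged in successfully, which is the case that needs immediate action.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # age out old failures
            q.popleft()
        if ev["ok"]:
            if ev["src"] in alerts:
                alerts[ev["src"]]["success_after"] = True
                alerts[ev["src"]]["success_user"] = ev["user"]
            continue
        q.append(ev["ts"])
        if len(q) >= threshold:
            a = alerts.setdefault(ev["src"], {
                "failures": 0, "first": q[0], "last": ev["ts"], "success_after": False,
            })
            a["failures"] = max(a["failures"], len(q))
            a["last"] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']} failures {info['first']}..{info['last']}, "
              f"login succeeded afterwards: {info['success_after']}")
```

The threshold and window are deliberately parameters: a home router sees very few admin logins, so even a low threshold produces almost no false positives, while a success that follows a burst should be treated as a compromised admin password regardless of count.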
Once the modified page is retrieved by the user, their browser is effectively infected. For the user, this means that every web session from then on is compromised and vulnerable to being exploited by that code.
It’s this process that routinely hijacks WiFi users — whether from home, their local coffee shop, or waiting for their luggage at the airport — and compromises their online journey, security, and privacy.
But what about security measures like HTTPS? If a hacker already has control of a WiFi network, they also have control over all traffic that flows in and out of that network. One of the typical ways they work around HTTPS websites is to wrap the original web page’s content within an iframe and add malicious code around that page.
In this way they can sidestep HTTPS connections on that network and continue to re-route users’ traffic to malicious IPs. Stay tuned, as we’ll take you through the myths and truths of HTTPS when it comes to protecting your users in an upcoming blog.
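The iframe-wrapping technique described above relies on the browser agreeing to render the legitimate HTTPS page inside a frame served by someone else. Site owners control that with the `Content-Security-Policy: frame-ancestors` directive (or the older `X-Frame-Options` header), and HSTS tells the browser to refuse plaintext connections to the site at all. The following is an added example for this post, not Namogoo’s code: it audits a response’s headers for these two defenses. The header sets at the bottom are constructed, and the function names are my own. The caveat a practitioner should keep in mind is that these headers are honored by the browser, so they reduce the attacker’s options but offer no protection once malicious code is already executing inside that browser.

```python
"""Audit HTTP response headers for anti-framing and HSTS protection."""


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def frame_ancestors_policy(headers):
    """Classify how strictly the response limits who may frame it.

    Returns "none" (nobody may frame it), "self" (same origin only),
    "restricted" (an explicit allow-list) or "open" (any origin may frame it).
    Per the CSP spec, frame-ancestors takes precedence over X-Frame-Options
    when both are present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        sources = [s.lower() for s in csp["frame-ancestors"]]
        if sources == ["'none'"]:
            return "none"
        if sources == ["'self'"]:
            return "self"
        return "restricted"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "none"
    if xfo == "SAMEORIGIN":
        return "self"
    return "open"


def hsts_max_age(headers):
    """Return the max-age from Strict-Transport-Security, or 0 if absent/unparseable."""
    h = {k.lower(): v for k, v in headers.items()}
    for part in h.get("strict-transport-security", "").split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit(headers):
    """Summarize the two defenses and list concrete remediation findings."""
    findings = []
    policy = frame_ancestors_policy(headers)
    if policy == "open":
        findings.append("any origin may frame this page; send "
                        "Content-Security-Policy: frame-ancestors 'none' (or 'self')")
    max_age = hsts_max_age(headers)
    if max_age == 0:
        findings.append("no HSTS; send Strict-Transport-Security: "
                        "max-age=31536000; includeSubDomains")
    return {"frame_ancestors": policy, "hsts_max_age": max_age, "findings": findings}


# Constructed header sets for demonstration (not captured from any real site).
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit(hdrs))
```

Running the audit against the weak set yields two findings; against the hardened set it yields none. The same functions can be pointed at headers fetched from your own storefront to confirm the policy actually reaches the browser on every page, not just the home page.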
What happens next? The impact on hijacked WiFi users
- Online Journey Hijacking: Injecting unauthorized ads such as product recommendation widgets, banners, and pop-ups, into user eCommerce web sessions to redirect web traffic to other sites and promotions and skim conversions and revenue.
- Keyloggers: Malware that enables tracking of the user’s behaviour data, cookies, sites visited, and their browser’s local and session storage.
- Fake forms and surveys: Including fraudulent payment forms to acquire user information — or simply take it using the growing practice of Form Hijacking (code that hijacks data filled out in forms).
- Affiliate Hijacking: Redirecting site visitors to affiliate IDs (often for the same brand), resulting in commissions paid unjustifiably by the site owner.
- Ransomware: Locking files or data on the user’s device to extort them for monetary payment.
- Malvertising: Injecting malware-laden advertisements into legitimate online advertising networks and webpages.
- Cryptojacking: Taking over the user’s CPU resources to mine for bitcoins or other cryptocurrencies, resulting in lagged performance and poor responsiveness for affected users.
Damaged user experience equals lost eCommerce revenue
These methods of WiFi hijacking harm much more than just the consumer’s personal browser or device: they disrupt the eCommerce experience businesses invest so much in creating. When users receive a degraded version of your planned customer journey, earned web traffic is either diverted by invasive content or bounces off your web pages due to slowed performance, poor responsiveness, and lost faith in your brand. The end result is lost conversions and revenue for online businesses.
WiFi router hijacking is yet another type of user-side threat that is monitored and detected by Namogoo’s Code Insights tool, which is constantly used for research and analysis of injection and code behavior for the ongoing improvement of our machine learning technology.