Have you ever clicked a link and ended up somewhere unexpected? Or maybe you noticed a website acting strangely, sending you to other sites you didn’t ask for? This could be a sign of traffic hijacking.
Let’s break down what this means, how it works, and how you can protect yourself.
What is traffic hijacking?
Traffic hijacking is when someone secretly changes where a website’s links go, sending visitors to other sites, often for malicious reasons. This is bad for users (who get tricked or exposed to danger) and for website owners (who lose trust and revenue).
We’ve conditioned users to think it’s normal that, when they click “Pay”, the screen flashes and a brand new page loads from a completely different domain.
But this is a massive blind spot and attackers know it.
So if you’re protecting the payment form itself, by validating scripts on that page using cside for example, it makes perfect sense for a bad actor to hijack the click that brings users there instead.
We delve more into this tactic in this January PCI DSS update for SAQ A companies.
This specific tactic is known as clickjacking (simply one traffic hijacking strategy), and it’s commonly used to impersonate trusted flows.
How does affiliate fraud work?
Affiliate fraud is when someone abuses affiliate programs (which pay for clicks or sales) by forcing users through their special links, even if the user never wanted to go there. This is unfair to both the real website and the companies running the affiliate programs.
A common tactic is link hijacking, where a script redirects a user through the attacker’s affiliate link before reaching the final destination. In more sophisticated cases, attackers insert affiliate links dynamically only for certain high-value users, or based on browser signals, making detection harder.
How do these attacks happen? (with simple code snippets)
Attackers use hidden JavaScript on websites.
Here’s how it works, step by step:
1. Detecting your browser
The script first checks what browser you’re using:
    // Checks if you are using Chrome, Firefox, Safari, etc.
    function getBrowser() {
      // ...detects browser type...
    }
2. Replacing download links
It finds all the download links and changes what happens when you click them:
    // Finds all download links and changes their behavior
    let links = document.querySelectorAll('a.dlink');
    for (let link of links) {
      link.setAttribute('href', 'javascript:void(0);');
      link.addEventListener('click', function () {
        // Instead of downloading, you get redirected
        window.open('https://malicious-redirect[.]com', "_blank");
      });
    }
3. Tracking and limiting redirects
To avoid being too obvious, the script uses cookies to limit how often you get redirected:
    function hasCookie() {
      return document.cookie.includes('wpdlInterval=1');
    }
What does this mean for you?
- For users: You might end up on scammy or dangerous sites, or your computer could get infected.
- For website owners: Your visitors lose trust, your reputation suffers, you risk violating compliance requirements, and you lose out on real revenue.
How can you spot and prevent this?
For users:
- Be careful with download links, especially on unfamiliar sites.
- Use a browser extension or ad blocker that warns about suspicious redirects.
- Keep your browser and antivirus up to date.
For website owners:
- Regularly scan your site for unknown scripts.
- Use security plugins and keep your software updated.
- Set up alerts for unusual traffic patterns.
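As a starting point for scanning scripts, here is an added example (not code from the original post or from cside) of a heuristic static check for the link-hijack pattern shown in the snippets above. The rule names, the allow-list parameter and both sample scripts are constructed for illustration; a single indicator is common in legitimate code, so only the combination is flagged.

```javascript
// Heuristic static check for the link-hijack pattern described on this page.
// Rule ids, allowedHosts and the samples below are assumptions made for this example.
const RULES = [
  { id: 'href-neutralised',   // link target swapped for a javascript: URL
    re: /setAttribute\(\s*['"]href['"]\s*,\s*['"]javascript:/i },
  { id: 'click-opens-window', // click handler that calls window.open()
    re: /addEventListener\(\s*['"]click['"][\s\S]{0,300}?window\.open\(/ },
  { id: 'cookie-gated',       // cookie flag read, possibly to throttle redirects
    re: /document\.cookie\s*\.\s*(includes|indexOf|match)\(/ },
];

// Hosts passed to window.open() as string literals, with "[.]" defanging undone.
function openedHosts(source) {
  const hosts = [];
  for (const m of source.matchAll(/window\.open\(\s*['"]([^'"]+)['"]/g)) {
    try { hosts.push(new URL(m[1].replace(/\[\.\]/g, '.')).hostname); }
    catch { /* relative or non-URL argument: nothing to report */ }
  }
  return hosts;
}

function scanScript(source, allowedHosts) {
  const hits = RULES.filter(r => r.re.test(source)).map(r => r.id);
  const foreign = openedHosts(source).filter(h => !allowedHosts.includes(h));
  // Flag only when a link is neutralised, a click opens a window,
  // and that window goes to a host the site owner has not approved.
  const suspicious = hits.includes('href-neutralised') &&
                     hits.includes('click-opens-window') && foreign.length > 0;
  return { hits, foreign, suspicious };
}

// Constructed sample mirroring the snippets on this page.
const SAMPLE = `
let links = document.querySelectorAll('a.dlink');
for (let link of links) {
  link.setAttribute('href', 'javascript:void(0);');
  link.addEventListener('click', function () {
    if (document.cookie.includes('wpdlInterval=1')) return;
    window.open('https://malicious-redirect[.]com', "_blank");
  });
}`;

// Constructed benign sample: opens a window, but to an approved host.
const BENIGN = `button.addEventListener('click', () => window.open('https://example.com/help'));`;

console.log(scanScript(SAMPLE, ['example.com']));
console.log(scanScript(BENIGN, ['example.com']));
```

This only catches unobfuscated source, so treat a clean result as one signal alongside reviewing which scripts your pages actually load.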
Final thoughts
Traffic hijacking and affiliate fraud are real threats. By understanding how these attacks work, you can better protect yourself and your website. Stay alert, and always be cautious with unfamiliar links.
For website owners, cside can help you protect 3rd party scripts on your site.