You open the client's homepage. It looks normal.
The client opens it. Also normal.
A visitor arriving from Google on a mobile phone gets sent to a casino, fake antivirus page, or phishing site.
That is not an impossible bug. Conditional redirects are a common way to hide a compromise from the people most likely to investigate it.
A malicious redirect may trigger only for:
The attacker wants revenue or traffic without making the compromise obvious to the site owner.
Google's spam policies explicitly describe hacked redirects that depend on referrer, user agent, or device. The site can appear normal during a direct desktop visit and behave differently for search visitors.
Common locations include:
.htaccess or Nginx rules;Removing the visible redirect is not enough. The vulnerability and persistence mechanism must also be found.
Geo-targeted behavior will not appear from one probe location.
Test desktop and mobile profiles. If the site serves materially different redirect chains, investigate.
Use controlled referrer scenarios for critical landing pages. Never automate queries against search engines in violation of their terms; reproduce the request context you own.
Store:
"The page is up" is useless when the final URL belongs to another domain.
Some compromises replace the page instead of redirecting. Verify a stable marker that should exist on the final page.
One abnormal response may be an edge or network error. Repeat from another probe, but do not wait so long that real visitors remain exposed.
Unexpected cross-domain redirect
URL: https://client.example/services
Expected host: client.example
Final host: suspicious-example.tld
Trigger: mobile user agent, search referrer
Regions confirmed: Frankfurt, Virginia
First detected: 08:14 UTC
This gives the responder evidence and a reproducible condition.
Do not publicly claim "no data was affected" until that is verified.
Pingvera checks redirects, content, availability, noindex, forms, links, SSL, and
domains from outside the client's stack.
Not every redirect is malicious:
The monitor should compare the observed chain with an allowed destination, not treat every 301 or 302 as an incident.
Alert on:
The malicious rule may exclude logged-in users, known cookies, desktop devices, or direct traffic. Reproduce the original visitor context.
Only if it validates the redirect destination and content. A basic checker that follows redirects and accepts the final 200 response may mark the attack as healthy.
It depends on visitor risk and the ability to isolate the affected path. Protect users first and coordinate the decision with the incident owner.
Read next: a website can return 200 and still be hacked and accidental noindex monitoring.