Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Pharming Pharmaceuticals

Created: 27 Nov 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:44:18 GMT
Vikram Thakur's picture
0 0 Votes
Login to vote

Earlier today there was a report about AlGore's site, climatecrisis.net, being hacked. The site contained linksthat weren't visible to the visitors, which pointed to variouspharmaceutical products. The links could be viewed by looking into thesource code of the page being displayed. The fact that Al Gore's sitegot hacked or compromised, while definitely of significance, uncovers amuch bigger technique now being used by spammers. Here is a snapshot ofthe links from the hacked climatecrisis.net site:


(Click for larger image)

As you can see, there are loads of links to a university's server.None of the links work. However, the hackers were able to get to thetop of search results by creating links such as these. No one visitingthe hacked site would have noticed these links or been affected by anymalicious program - not as of yet anyway.

Here is a picture showing the results of a search for "discountzovirax c.o.d." What you'll see is that most of the results show up asbeing served from some university or other legitimate business site notaffiliated with such pharmaceutical products:


(Click for larger image)

How did this happen? Well, the comment spammers added tons ofcomments into various forums using custom search terms. These commentsall lead to either a link within one of the forums or another site. Thenumber of links from these forums pointing to one entry or page raisedits position in the search engine's results:


(Click for larger image)

Following that link from the forum leads one to the following page:


(Click for larger image)

As you can see, the spammers were able to get a hacked universitypage to the top of the search engine results. Following that link leadsyou to the eventual pharmaceutical Web site being marketed here:


(Click for larger image)

The spammers and hackers took over legitimate blogs, mostly runningsome vulnerable version of WordPress Web publishing software. Once theywere able to inject their code into these pages the search engineslooking at this source were able to pick them up and place them highenough for visibility. In some cases, it seems like the server hostingthe vulnerable versions of WordPress was completely compromised. Hereis a snapshot of one of the search results:


(Click for larger image)

Clicking on the link using the search engine takes us to'http://www(dot)canadacertified(dot)com'. However, if you copy andpaste the URL shown in the search engine, you'll not be referred to thepharmaceutical site and are instead shown a "404 Page Not Found."

We've seen the spammers go from comment spamming to hackingWordPress, to injecting links, to getting top listing on the searchengine results, to finally marketing pharmaceutical sites through alarge network of interwoven links. So far, the only visible damagecaused is for the administrators of the servers with the hacked WordPress. This could have been much worse had the hackers decided toinsert links to malicious programs. Fortunately, the ka-ching! of cashtrumps notoriety.