Monday, February 13, 2012

Follow up on Russian scam

Last week, I described how many websites hosted on DreamHost had been hijacked.Since then, I found the same scams on websites hosted with different providers.

Often, vulnerable sites are hacked by many groups for various purposes including spam delivery, such as Blackhat SEO, other scams, etc. Many of the sites hosting the Russian scams are now used for other malicious purposes.

Blackhat SEO

One of the parameters that is used to determine the rank of a web site in the search results is the number of links to a given page. As such, spammers take advantage of vulnerable sites by adding links to site that the attackers want to promote and these links are often hidden from visitors to the page. The most common technique used involves adding a hidden DIV tag at the end of the page. This was done on http://goingonfive.com/ for example:

Spam links
In this example, the DIV tag is moved out of the screen, to the left. The links for Viagra and other drugs point to other pages uploaded on the same site (in the /include folder), as well as to other hijacked websites (http://airtravel-services.com/js/index.html, etc.).

The spam pages claim to be a "Google Pharmacy":

http://goingonfive.com/includes/

The pages then link to grand-pills.com where people can order the drugs:

http://www.grand-pills.com/catalog/Erectile_Dysfunction/Cialis.htm
There is also a second groups of spam links hidden on http://goingonfive.com/. These links point directly to Canadian Pharmacy sites, rather than using hijacked sites for redirection. These links may have been added by a different group.

Hidden spam links
One of the Canadian Pharmacy sites is http://viagra7online.com/:

Canadian Pharmacy

American and other Russian scams

The Russian scam I reported on initially is using  http://goingonfive.com/modules/mod_wdbanners/resmmdnd.php. The directory /modules/mod_wdbanners/ contains many other pages redirecting to other scams.

Pages uploaded on http://goingonfive.com/
 You can find the same list of files on other DreamHost sites: http://dev.orioncombat.com/wp-content/uploads/, http://chicagoexposedstrippers.info/wp-content/plugins/extended-comment-options/, etc.

Most of these pages redirect to another Russian scam at http://arhivi-familii.com/. I noticed this one about a month ago.

http://arhivi-familii.com/
At this site, you are supposed to be able to lookup information on the family tree of anybody. The service looks free, but at the very bottom of the page the site mentions that the user will be charged 186 rubles every 10 days via SMS. Many people have complained about high charges for no actual service on Russian forums. Here are the cost details translated in English:

the service is NOT free!

Two other pages redirect to a US scam that I detailed in an earlier post: get rich working from home, which abuses a Facebook Like widget to look legitimate.

"Work from home" scam

These sites will probably host more and more spam and malicious content until they get blacklisted by popular lists, at which point, the hackers will move to new targets.

3 comments:

loks said...

So how deep down this rabbit hole do you have to go to start being flooded with malware? Do fake pharama sites like these ever lead to malware at all, if they do, at what stage? After you inadvertently buy something from them?

Julien Sobrier said...

@loks The end game for these "pharmacy" is to sell the pills, not to spread malware. But the same sites, and the same techniques, can be used to redirect users to malware instead of a spam/scam page. This what happened when more software-related searches redirected to malware instead of fake stores (scam), see http://research.zscaler.com/2011/11/more-software-related-searches-lead-to.html

Anonymous said...

Examples are way to small to read but they appear to be or contain HTML links. Now, really, do you expect people to click on an unknown link to see where it might take them? What is the game here, anyway?