Wednesday, November 28, 2007 11:15 AM
cmosby
Symantec Security Response Weblog: Pharming Pharmaceuticals
Earlier today there was a report about Al Gore's site, climatecrisis.net, being hacked. The site contained links that were not visible to visitors, pointing to various pharmaceutical products; they could be seen only by viewing the source code of the displayed page. That Al Gore's site was hacked or compromised is certainly significant, but it also uncovers a much bigger technique now being used by spammers. Here is a snapshot of the links from the hacked climatecrisis.net site:
(Image: snapshot of the hidden links in the climatecrisis.net page source)
As you can see, there are loads of links to a university's server. None of the links work, but that was not the point: by creating links such as these, the hackers were able to push their pages to the top of the search results. No one visiting the hacked site would have noticed these links or been affected by any malicious program - not as of yet, anyway.
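As an added example (not code from the original post or from Symantec), here is a small Python check a site administrator can run over a page's own HTML to surface links that a visitor never sees but a search-engine crawler does, the kind of injection described above and in the WordPress cases later in the post. The sample page and its URLs are constructed for the demonstration; nothing is fetched from the network.

```python
import re
from html.parser import HTMLParser
# Inline styles that hide an element from a visitor but not from a crawler.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0\b", re.I)
# Elements that never get a closing tag, so they are never pushed on the stack.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "col"}

class HiddenLinkScanner(HTMLParser):
    """Splits <a href> targets into those inside a hidden element and the rest."""
    def __init__(self):
        super().__init__()
        self.stack = []         # one bool per open element: is it hidden?
        self.hidden_depth = 0   # number of hidden elements currently open
        self.hidden_links, self.visible_links = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or "")) or "hidden" in a
        if tag == "a" and a.get("href"):
            bucket = self.hidden_links if (hidden or self.hidden_depth) else self.visible_links
            bucket.append(a["href"])
        if tag in VOID:
            return
        self.stack.append(hidden)
        self.hidden_depth += hidden   # bool counts as 0 or 1
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.hidden_depth -= self.stack.pop()

def scan_page(html):
    """Return (hidden_links, visible_links) for one HTML document."""
    scanner = HiddenLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hidden_links, scanner.visible_links

# Constructed sample (not the real climatecrisis.net source): two ordinary links
# plus pharmacy links stuffed into elements the visitor never sees.
SAMPLE_PAGE = """<html><body>
<h1>Climate Crisis</h1><p>Read <a href="/about">about the film</a>.</p>
<div style="display:none">
 <a href="http://univ.example/~user/zovirax.html">discount zovirax c.o.d.</a>
 <a href="http://univ.example/~user/cialis.html">cheap cialis</a>
</div>
<p style="visibility: hidden"><a href="http://pharma.example/">buy online</a></p>
<a href="/contact">Contact</a><br>
</body></html>"""

if __name__ == "__main__":
    hidden, visible = scan_page(SAMPLE_PAGE)
    print("hidden links:", hidden)
    print("visible links:", visible)
```

Any non-empty hidden list on a page you did not author that way is worth a look at the template files and the database-stored post content, since the injection in the cases above lived in the served HTML rather than in anything the editor shows.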
Here is a picture showing the results of a search for "discount zovirax c.o.d." What you'll see is that most of the results show up as being served from some university or other legitimate business site not affiliated with such pharmaceutical products:
(Image: search results for "discount zovirax c.o.d.")
How did this happen? The comment spammers added tons of comments to various forums, each built around custom search terms. Every one of these comments carries a link, either to a page within one of the forums or to another site. The number of forum links pointing at a single entry or page raised its position in the search engine's results:
(Image: forum comment spam carrying the links)
Following that link from the forum leads one to the following page:
(Image: the page the forum link leads to)
As you can see, the spammers were able to get a hacked university page to the top of the search engine results. Following that link leads you to the eventual pharmaceutical Web site being marketed here:
(Image: the pharmaceutical Web site at the end of the chain)
The spammers and hackers took over legitimate blogs, mostly running some vulnerable version of the WordPress Web publishing software. Once they were able to inject their code into these pages, the search engines indexing this source picked the links up and ranked them high enough for visibility. In some cases, it seems the server hosting the vulnerable version of WordPress was completely compromised. Here is a snapshot of one of the search results:
(Image: one of the search results)
Clicking on the link from within the search engine takes us to 'http://www(dot)canadacertified(dot)com'. However, if you copy and paste the URL shown in the search results directly into the browser, you are not referred to the pharmaceutical site and are instead shown a "404 Page Not Found."
We've seen the spammers go from comment spamming, to hacking WordPress, to injecting links, to getting top listing in the search engine results, to finally marketing pharmaceutical sites through a large network of interwoven links. So far, the only visible damage is to the administrators of the servers running the hacked WordPress installations. This could have been much worse had the hackers decided to insert links to malicious programs. Fortunately, the ka-ching! of cash trumps notoriety.
Posted by Vikram Thakur on November 27, 2007 03:37 PM
