Blog Zscaler

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

S'abonner
Recherche sur la sécurité

Follow Up on Russian Scam

image
JULIEN SOBRIER
février 13, 2012 - 3 Min de lecture
Last week, I described how many websites hosted on DreamHost had been hijacked.Since then, I found the same scams on websites hosted with different providers.

Often, vulnerable sites are hacked by many groups for various purposes including spam delivery, such as Blackhat SEO, other scams, etc. Many of the sites hosting the Russian scams are now used for other malicious purposes.

Blackhat SEO

One of the parameters that is used to determine the rank of a web site in the search results is the number of links to a given page. As such, spammers take advantage of vulnerable sites by adding links to site that the attackers want to promote and these links are often hidden from visitors to the page. The most common technique used involves adding a hidden DIV tag at the end of the page. This was done on http://goingonfive.com/ for example:
 
Image
Spam links
In this example, the DIV tag is moved out of the screen, to the left. The links for Viagra and other drugs point to other pages uploaded on the same site (in the /include folder), as well as to other hijacked websites (http://airtravel-services.com/js/index.html, etc.).

The spam pages claim to be a "Google Pharmacy":
 
Image
http://goingonfive.com/includes/

The pages then link to grand-pills.com where people can order the drugs:
 
Image
http://www.grand-pills.com/catalog/Erectile_Dysfunction/Cialis.htm
There is also a second groups of spam links hidden on http://goingonfive.com/. These links point directly to Canadian Pharmacy sites, rather than using hijacked sites for redirection. These links may have been added by a different group.
 
Image
Hidden spam links
One of the Canadian Pharmacy sites is http://viagra7online.com/:
 
Image
Canadian Pharmacy

American and other Russian scams

The Russian scam I reported on initially is using  http://goingonfive.com/modules/mod_wdbanners/resmmdnd.php. The directory /modules/mod_wdbanners/ contains many other pages redirecting to other scams.
 
Image
Pages uploaded on http://goingonfive.com/
 You can find the same list of files on other DreamHost sites: http://dev.orioncombat.com/wp-content/uploads/, http://chicagoexposedstrippers.info/wp-content/plugins/extended-comment-options/, etc.

Most of these pages redirect to another Russian scam at http://arhivi-familii.com/. I noticed this one about a month ago.
 
Image
http://arhivi-familii.com/
At this site, you are supposed to be able to lookup information on the family tree of anybody. The service looks free, but at the very bottom of the page the site mentions that the user will be charged 186 rubles every 10 days via SMS. Many people have complained about high charges for no actual service on Russian forums. Here are the cost details translated in English:
 
Image
the service is NOT free!

Two other pages redirect to a US scam that I detailed in an earlier post: get rich working from home, which abuses a Facebook Like widget to look legitimate.
 
Image
"Work from home" scam

These sites will probably host more and more spam and malicious content until they get added to popular denylists, at which point the hackers will move to new targets.
form submtited
Merci d'avoir lu l'article

Cet article a-t-il été utile ?

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

En envoyant le formulaire, vous acceptez notre politique de confidentialité.