New Pharma Hack Redirects to Soviet Union (.su) & European Union (.eu) Sites
The pharma hack is not new. In the past we saw many popular CMSes being targeted with pharma malware. But it was only recently that we saw them redirecting to .su and .eu sites.
As we already know, pharma malware varies based on its purpose. Some variants are designed to steal data, while others inject spammy links into a website for blackhat SEO purposes. In fact, the blackhat SEO variant of the pharma hack is fairly common.
It redirects your site traffic to fake sites that claim to sell Viagra, Cialis or other pharma drugs. Recently a number of such sites have come up on TLDs like .eu and .su. Moreover, this type of infection is hard to detect, as the malware serves varying content to hide its presence.
With this article, you will get an insight into how this malware works.
Are you hacked? Raise an immediate malware cleanup request with Astra.
Pharma Hack Redirects
A large number of things can go wrong and lead to an infection like this. I am listing some of the common ones here:
- XSS or SQL injection vulnerabilities or any other injection vulnerabilities.
- Weak FTP passwords or default credentials.
- Outdated plugins or unpatched CMS vulnerabilities.
- Improper configurations.
This infection can land on your website by exploiting any of these (or other) vulnerabilities. It creates malicious files and hides inside them. These files are usually randomly named. Some such infected PHP files which redirect users to fake pharma sites are named as follows:
Not all variants of the pharma hack redirect malware use PHP files. Some rely on HTML files which are, again, randomly named. The list of names of infected HTML files:
In order to avoid detection, the malware uses some cunning techniques. One such technique is mentioned here.
Evasion Techniques Used
Look at the code below:
The array at the top of the code contains the encoded domain name of the redirect URL. The URL is cleverly hidden: the malware extracts it using the functions m() and d() from the code above.
Here, the array is passed to the function m() in the first line of the code. Function m() in turn passes it to the function d(). The function d() uses PHP's "array_shift" to take the first element off the array. In this case, it is 79.
Thereafter it loops over each remaining element of the array using PHP's "foreach" construct. One by one, it subtracts the first element, 79, from each element of the array. The number so obtained is treated as an ASCII code and converted to the corresponding character using PHP's "chr" function.
For example, the second element of the array is 183. So, 183-79=104 which maps to the character ‘h’ of ASCII. Therefore, the domain that it finally redirects to is (http:// hotprivatetrade[dot]su)
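The decoding scheme described above, written out as an added Python example (this is not code from the article or from the malware itself): the first element of the array is the offset, every later element minus that offset is an ASCII code. The sample array is constructed here by applying the offset 79 to the domain the article decodes by hand, and the PHP fragment is a constructed stand-in for an infected file, so the scanner function can be run against it offline. Both samples, the `SAMPLE_ENCODED` and `SAMPLE_PHP` names and the `find_encoded_domains` helper are assumptions of this example.

```python
import re

# Constructed sample: the offset-79 encoding of "http://hotprivatetrade.su", the domain
# the article decodes by hand (183 - 79 = 104 = 'h'). As in the malware's d(), the
# first element is the offset and the rest are character codes plus that offset.
SAMPLE_ENCODED = [79, 183, 195, 195, 191, 137, 126, 126, 183, 190, 195, 191, 193,
                  184, 197, 176, 195, 180, 195, 193, 176, 179, 180, 125, 194, 196]

# Constructed PHP fragment standing in for an infected file: one encoded array and one
# harmless integer array that the scanner must not report.
SAMPLE_PHP = """<?php
$sizes = array(1, 2, 3);
$a = array(79, 183, 195, 195, 191, 137, 126, 126, 183, 190, 195, 191, 193,
           184, 197, 176, 195, 180, 195, 193, 176, 179, 180, 125, 194, 196);
"""

# Matches array(1, 2, 3) and [1, 2, 3] literals made only of integers.
INT_ARRAY = re.compile(r"(?:array\s*\(|\[)\s*((?:\d+\s*,\s*)+\d+)\s*[\)\]]", re.IGNORECASE)
DOMAIN_LIKE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.IGNORECASE)


def decode_offset_array(values):
    """Undo the scheme the article describes: array_shift() takes the first element as
    the offset, and each remaining element minus that offset is an ASCII code.
    Returns None when the numbers cannot be this scheme (e.g. would go negative)."""
    values = list(values)
    if len(values) < 2:
        return None
    offset, rest = values[0], values[1:]
    if any(v < offset or v - offset > 0x7E for v in rest):
        return None  # would not decode to 7-bit ASCII, so not this scheme
    return "".join(chr(v - offset) for v in rest)


def find_encoded_domains(php_source):
    """Scan PHP source for integer arrays, try the offset decode on each, and return
    (offset, decoded string) pairs that decode to printable text containing a domain."""
    found = []
    for m in INT_ARRAY.finditer(php_source):
        values = [int(x) for x in m.group(1).split(",")]
        text = decode_offset_array(values)
        if text and text.isprintable() and DOMAIN_LIKE.search(text):
            found.append((values[0], text))
    return found


if __name__ == "__main__":
    print(decode_offset_array(SAMPLE_ENCODED))  # the redirect target hidden in the array
    for offset, text in find_encoded_domains(SAMPLE_PHP):
        print(f"offset {offset}: {text}")
```

When triaging a suspected infection, running `find_encoded_domains` over each PHP file in the theme and plugin directories turns the obfuscated arrays into readable redirect targets, which is far quicker than decoding them by hand; the printable-ASCII and domain checks keep ordinary numeric arrays out of the report.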
A quick search of this domain reveals that it is a fake pharma store selling Viagra, Cialis and other products. The fake site contains an entire catalog and even a cart to trick users into giving credit card info.
After a user checks out, the credit card phishing page is hosted on another malicious domain, which even has an SSL certificate. For instance, https://checkoutzdsuyfsw[dot]saferxprovider[dot]com/cart/checkout/.
The malware also redirects to other websites as given in the image below. These websites are hosted on IPs given at the end of the image.
PHP files named 404.php are used to show custom error pages on your site. One variant of the malware creates encoded 404.php files inside the WordPress themes, as shown in the code below.
As seen in the code, this malware uses the <map> tag of HTML, which normally defines a clickable area on an image. This clickable area then redirects users to malicious pharma sites.
Another type of the same malware uses the <meta http-equiv="refresh"> tag of HTML to redirect users. The "http-equiv" attribute simulates an HTTP response header. The leading value 5 in its "content" attribute refreshes the page after 5 seconds, after which the user is redirected to the location specified in the "url" option. Also, the following message is displayed while redirecting the user: "Please wait 5 seconds! Redirecting to site."
One more variant of the same malware uses a meta refresh combined with a window.location.href redirect. The window.location object is typically used to get the current page address and to send the user to a new page. Here, if the meta tag fails to redirect some users, the window.location.href assignment will.
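The three redirect techniques described above (image map, meta refresh and window.location.href) can be hunted for in theme files with a small scanner. The following is an added Python example, not code from the article or from Astra: it extracts the destination of each technique from an HTML/PHP file and reports only destinations that point off-site, since a theme legitimately linking to its own host is not an indicator. The `SAMPLE_404` content is constructed to mirror the article's description, the placeholder-pharma-store domains are made up, and `find_offsite_redirects` and `is_suspicious_tld` are this example's own helper names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a theme 404.php modelled on the article's description: a
# <meta http-equiv="refresh">, a clickable <map> area and a window.location.href
# redirect, plus one legitimate same-site link. The store domains are placeholders.
SAMPLE_404 = """<!DOCTYPE html>
<html><head>
<meta http-equiv="refresh" content="5; url=http://placeholder-pharma-store.su/">
</head><body>
<p>Please wait 5 seconds! Redirecting to site.</p>
<img src="/banner.png" usemap="#m">
<map name="m"><area shape="rect" coords="0,0,100,100" href="http://placeholder-pharma-store.eu/cart/"></map>
<a href="https://example.com/contact">Contact</a>
<script>window.location.href = "http://placeholder-pharma-store.su/";</script>
</body></html>"""

# Each pattern captures the destination URL of one redirect technique from the article.
PATTERNS = [
    ("meta-refresh", re.compile(
        r"""<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""",
        re.IGNORECASE)),
    ("image-map", re.compile(r"""<area[^>]*href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)),
    ("js-location", re.compile(
        r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.IGNORECASE)),
]


def host_of(url):
    """Lower-cased hostname of an absolute URL, or '' for relative URLs."""
    return (urlsplit(url).hostname or "").lower()


def find_offsite_redirects(html, site_host):
    """Return (technique, url) for every redirect whose destination host differs from
    site_host, in document order. Relative and same-site destinations are not reported."""
    site_host = site_host.lower()
    hits = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(html):
            url = m.group(1)
            host = host_of(url)
            if host and host != site_host:
                hits.append((m.start(), kind, url))
    return [(kind, url) for _, kind, url in sorted(hits)]


def is_suspicious_tld(url, tlds=("su", "eu")):
    """Heuristic from the article: the recent wave of fake pharma stores used .su and .eu."""
    return host_of(url).rsplit(".", 1)[-1] in tlds


if __name__ == "__main__":
    for kind, url in find_offsite_redirects(SAMPLE_404, "example.com"):
        flag = " (TLD of interest)" if is_suspicious_tld(url) else ""
        print(f"{kind:12s} -> {url}{flag}")
```

Run it over every .php and .html file under wp-content/themes and compare the results against the redirects the site is supposed to perform; anything pointing at a host you do not own, and especially a .su or .eu store, is worth opening by hand. The regexes are deliberately loose about quoting and attribute spacing, because the infected files are usually minified or hand-written rather than well-formed.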
This kind of pharma spam can have a devastating effect on your site. Not only can it increase your bounce rate, but it can also have long-term effects on the reputation of your website. To avoid getting infected by pharma hack redirect malware, you can do the following:
- Check for weak configurations on your website and use random strong passwords.
- Avoid using defunct plugins and themes. Remove any such suspicious plugin.
- Keep your CMS version, plugins and themes updated.
- Conduct regular security audits and use a firewall.
If your website is infected with such malware, raise a malware cleanup request with Astra. Astra will not only clean your site but also ensure that no such infection happens again. At competitive prices, the Astra security solution comes loaded with other great security features.
Not convinced yet? Take a demo now and see for yourself!