Various Fox Websites Hit With Pharma Hack

If you’ve been following Sucuri, you’ve seen a bunch of discussion around the steadily growing Pharma Hack. As we continue research on the issue we find more and more variations of the exploit.

Earlier this evening, we started noticing various domains from the same network of sites appearing in our test results. It looks like various pages on sites owned or operated by Fox Television Stations, Inc. and/or their affiliates have been compromised. We’ve followed up and scanned a set of these sites, and at the time this post was written, they were still serving the spam exploit.

Here is a preliminary list (not a complete listing) of the exploited sites we’ve found indexed on Google:

community.myfoxatlanta.com
community.myfoxhouston.com
community.myfoxchicago.com
community.myfoxaustin.com
community.myfoxdc.com
community.myfoxorlando.com
community.foxsports.com
community.myfoxny.com
community.myfoxla.com
community.fox4kc.com
community.fox8.com
my.foxsearchlight.com
fox17online.com
my.foxreno.com
fox40.com
speedtv.com

Performing the following query on Google will result in a list that includes these sites and more:

inurl:..com “cheap viagra” inurl:fox

Here are a couple of the scans we performed:

It has become evident that this is not an exploit only affecting a specific application, or hosting provider. It is much larger than that. We’ve seen shared hosting services, VPS’s, and dedicated servers get nailed by this annoying spam attack. WordPress, Joomla, even static sites have made an appearance on Google’s long list of Viagra spamming interwebs.

Have you been exploited? Are you researching the issue as well? We’d like to hear your comments about the latest blackhat SEO spam exploit.

If you need any help cleaning up the mess or you need a partner to help with your security needs, Sucuri is here to assist.

Protect your interwebs!