Link injection, basicpills dot com and Blackhat SEO spam

For the last few weeks we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com, generic-ed-pharmacy.com, getrxpills.com and a few other domains (all located at 212.117.161.190).

They basically infected thousands of WordPress sites and inject spam links directly in their databases (the wp-post table). These are some of the links you will see in an infected site:

<a href="http://basicpills . com/">online prescription drugs without  a prescription..

<a href="http://generic-ed-pharmacy . com/">Buy  Generic  Viagra Onlin.

<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..

What is very annoying for the infected site owners is that those links appear in the middle of the text (sometimes in the middle of other tags). This typically occurs in ALL of their posts making it hard to identify where the dirty links are, and even more of a challenge to remove them. In some of these sites, we’ve seen the attackers create new admin users allowing access back to the site at any time.

Another worrying point is that these spam domains seem to rank pretty well on Google. Their antics seem to be working, just Google for “Buy generic drugs without prescription” for an example:

Whois information for those domains (same people):

Registrant:
Pavel freeh0st@mail.ru +3.80444515342
getrxpills.com
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

Registrant:
Pavel dext@coreimpacts.com +3.80444515342
basicpills.com
ul.Kalyaeva, 53
Dnepropetrovsk,Dnepropetrovsk,UA 49489

Here are some of the infected sites (according to Google all of these domains seem to be shared hosts):

freshdaily.ca
aka.me
www.hugeog.com
www.intrepidusa.com
innovationinteaching.org
spinorbinmusic.com
www.caerlas.org.uk
www.slcan.org
chicagopublictransit.org
acme-web-design.info
idevicepro.com
www.unifemcar.org
aiisf.org
www.jimhudson.org
www.f2a.org
www.aafcs-ca.org
www.jazzbassment.com
ffw.com.br (popular Brazilian portal)
www.b2b-i.com
www.winnipegfolkfestival.ca
www.awrta.org
legoengineering.com
wemc.org
www.ssta.org
www.zentra.com
recitpresco.qc.ca
guildhall.smu.edu
dcms.beloit.edu
timecapsule.asu.edu
moodle.westwind.ab.ca
www.searchengineacademy.com


For the site owners out there, you can check if your site has been infected by scanning it with Sucuri Sitecheck. Sitecheck is our free malware and spam scanner. It will show you if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately and checking the permissions of your wp-config.php file. If you need help cleaning up the mess, send us an email support@sucuri.net or over at Sucuri.

If you have any questions or comments, please let us know.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.