For the last few months we’ve been tracking a very large blackhat SEO spam campaign initiated by basicpills.com, and many other pharma-related domains (mostly located at 18.104.22.168 and 22.214.171.124).
The method used is very simple, where the attackers inject a single spam link on every post of the web site (generally WordPress). These are some of the links you will see in an infected site:
<a href="http://247pharmaceutical. com/">online prescription drugs without a prescription..
<a href="http://webemed. com/">Buy Generic Cialis Onlin.
<a href="http://getrxpills . com/buy/levi tra.html”>lev itra 10 mg..
The really annoying part is that the domain and anchor text change on every post, making it very hard to delete and detect. These are some of the domains being used:
Some of these domains are being registered through Godaddy by:
York, Steve firstname.lastname@example.org
6041 Pierless Ave
Sugar Hill, GA 30518
7709450281 Fax —
And we would love to get them disabled.
For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately, and checking the permissions of your wp-config.php file.
If you have any questions or comments, please let us know.