Most of the time when we talk about spam, we think about mindless machines that create posts or comments to advertise a business related to drugs, accessories, or essays.
But what if a hacker tried to convince your clients to click on malicious links based on the content of your website?
A Customized Spam Campaign Targeting Pizza Delivery
We recently found a very interesting case where a pizza delivery website was compromised. The bad actors used this website’s existing content to create personalized spam campaigns.
The hacker wrote a single paragraph on the homepage to advertise their diet pills. Simultaneously, the hacker reminded the reader that pizza is one of the products responsible for weight gain in young men and women.
Xenical Spam Masked as Legitimate Content
The text says:
“Pizza is delicious, satisfying, appetizing, but do not forget that the pizza is a lot of flour products. Increasingly, Americans are overweight, and fast food products, hamburgers, pizzas and a quick snack only worsens the situation and the weight of young men and women is becoming more and more. If you want to start losing weight, it’s worth reading about Xenical, which is sold in every us pharmacy. Before you start taking Xenical you should consult with your doctor, or read the information on DietxPills about the best drugs for weight loss and choose the most effective drug for yourself. Xenical works in an interesting way, the food that enters the body is not absorbed into the intestine, and Xenical as it creates a protective film in the intestine, thereby protecting against the absorption of food. We wish you to be healthy and happy and if you are not obese, we invite you to our cozy place.”
The hacker even tries to impersonate the pizza company by making the content appear to be a legitimate post from the website. However, they end it with an offensive line towards obese people.
Malicious Redirects Lead to Weight Loss Websites
Clicking the hyperlinks in the message redirects the visitor to hxxps://www[.]dietxpills[.]com/, a site which sells weight loss pills and diet products.
By searching for the IP address, we discovered that the site shares a server with at least 46 other sites used for the same purpose: selling drugs without a prescription.
We came up with a pretty simple solution to this case.
We discovered that the content wasn't encoded, so a plain text search for it located the malicious paragraph in the theme's files, specifically in /inc/meta.inc.php inside the WordPress theme directory.
During the investigation process, we also found a malicious WordPress user—websysadmin—that had to be removed.
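The two cleanup checks described above (a plain text search of the theme directory for the unencoded spam paragraph, and a review of the WordPress user list for accounts nobody created on purpose) can be scripted. The following is an added example, not Sucuri's tooling or anything from the compromised site: the theme tree and the user list are constructed inline, the file name /inc/meta.inc.php and the account name websysadmin come from the write-up, and the user list stands in for what `wp user list --format=csv --fields=user_login,roles` would return.

```shell
#!/bin/sh
# Added example: locate unencoded spam text in a WordPress theme and flag
# WordPress accounts that are not on an approved list. Not Sucuri's tooling.

# Build a constructed sample theme tree. The path inc/meta.inc.php is the
# one named in the write-up; the file contents are made up for this demo.
SAMPLE_THEME=$(mktemp -d)
mkdir -p "$SAMPLE_THEME/inc"
cat > "$SAMPLE_THEME/inc/meta.inc.php" <<'EOF'
<?php
// constructed sample: spam paragraph dropped into a theme include
echo '<p>If you want to start losing weight, it is worth reading about Xenical...</p>';
EOF
cat > "$SAMPLE_THEME/functions.php" <<'EOF'
<?php
// constructed sample: a clean theme file
add_theme_support('title-tag');
EOF

# Constructed stand-in for the output of
#   wp user list --format=csv --fields=user_login,roles
SAMPLE_USERS=$(mktemp)
cat > "$SAMPLE_USERS" <<'EOF'
user_login,roles
owner,administrator
editor1,editor
websysadmin,administrator
EOF

# Print the path of every PHP file under directory $1 that contains the
# term $2 (case-insensitive). A plain search is enough here because the
# injected content was not encoded or obfuscated.
find_injected_text() {
    grep -ril --include='*.php' -e "$2" "$1"
}

# Print every login in the CSV $1 that is not in the space-separated
# allowlist $2. An account like "websysadmin" that nobody provisioned
# shows up immediately.
unexpected_users() {
    tail -n +2 "$1" | cut -d, -f1 | while IFS= read -r login; do
        case " $2 " in
            *" $login "*) ;;                  # approved account, skip
            *) printf '%s\n' "$login" ;;      # not approved, report it
        esac
    done
}

# Count-only wrappers so the results can be checked by a script.
count_injected_files() { find_injected_text "$1" "$2" | wc -l | tr -d ' '; }
count_unexpected_users() { unexpected_users "$1" "$2" | wc -l | tr -d ' '; }

# Run both checks against the constructed samples.
find_injected_text "$SAMPLE_THEME" "xenical"
unexpected_users "$SAMPLE_USERS" "owner editor1"
```

Against a real site, point `find_injected_text` at wp-content/themes (and wp-content/plugins) with a distinctive phrase from the spam, and feed `unexpected_users` the actual WP-CLI export together with the list of accounts the owner recognises; any hit in either check is something to remove and then explain.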
Cause & Prevention of Spam
When we received this case, the website had been using outdated software: WordPress version 4.9.6.
The most plausible explanation for how the hacker gained access to the site is that they leveraged a vulnerability in that outdated version to plant their spam content.
We encourage website owners to keep everything in the website up to date, be it plugins, themes, or CMS installations.
Placing the site behind a website firewall would have blocked the hacker from being able to create users and modify content.
Our website security platform protects your website from malware and attacks so you don’t have to worry about a malicious spam campaign disrupting your online business.