
Sucuri Blog

Website Security News


Pharma Spam Redirects to .su & .eu Sites

November 4, 2019, by Denis Sinegubko


We regularly clean all sorts of black hat SEO infections. During these cleanups, we often find compromised websites redirecting visitors to fake “Canadian Pharmacy” landing pages, hosted under the .su and .eu top-level domains, that sell counterfeit men’s health pills.

Typical “Canadian Pharmacy” landing page

Spammy Redirect File Names & Contents 

These SEO infections usually come in the form of files with random file names, like the ones seen below.

garbagesjz.php
appreciablyx.php
hooverizez.php
germaniazd.php
taxicabsxt.php
crackingyo.php
breathedy.php
robelq.php
scowlingg.php
knifedp.php
paleozoicg.php
waterproofingve.php
wp-content/reverencet.php
...

The files’ contents look like this:

Typical .su and .eu pharma redirect code

The only differentiating factor between these files is the “m(array” part at the very top, which contains encoded domain names for the redirect URLs.

Pharma Spam Variations

Another variation of this malware involves encoded PHP files, usually found as 404.php in WordPress themes. This malware creates HTML pages containing images of .eu and .su pharma sites, along with links to these domains.

Decoded: Image map with pharma links

One more variation is a simple HTML page that redirects to one of the spam sites using the <meta http-equiv="refresh"> tag. The doorway displays a random “viagra” image, along with a redirect message: “Please wait 5 seconds! Redirecting to site.”

Meta refresh redirect

Another variation combines meta refresh with a JavaScript window.location.href redirect.

Meta refresh and JavaScript redirect

Typical Filenames of HTML Doorways

In the case of the HTML redirect files, the filenames typically consist of either random words with a few additional characters or female names, as seen below.

adrienne.html
albertina.html
amplificationk.html
bellmenaq.html
billboardwu.html
categorizerspe.html
chroniclesxn.html
eleanore.html
eugenie.html
leia.html
leatherndh.html
…

Infected websites may contain many combinations of the redirect variants described above, and we sometimes find and clean hundreds of these files on a single infected site.
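One way to sweep a web root for the HTML doorway variants described above (meta refresh and JavaScript location redirects). This is an added example, not Sucuri's code: the function names, the sample pages and the placeholder domain are constructed, and because .eu is also widely used by legitimate sites, a hit is a lead for manual review rather than a verdict.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

SUSPECT_TLDS = (".su", ".eu")  # TLDs named in the article; tune for your own site
JS_REDIRECT = re.compile(
    r"""(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)

class _MetaRefresh(HTMLParser):
    """Collects target URLs from <meta http-equiv="refresh" content="N;url=...">."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # parser lowercases tag/attr names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1))

def _suspect(url):
    """True when the redirect target is an absolute URL under a suspect TLD."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(SUSPECT_TLDS)

def doorway_findings(html):
    """Return sorted (mechanism, url) pairs for redirects to a suspect TLD."""
    parser = _MetaRefresh()
    parser.feed(html)
    found = {("meta-refresh", u) for u in parser.targets if _suspect(u)}
    found |= {("js-location", u) for u in JS_REDIRECT.findall(html) if _suspect(u)}
    return sorted(found)

def scan_webroot(root):
    """Map each .htm/.html file under root to its findings; clean files are omitted."""
    hits = {}
    for path in Path(root).rglob("*.htm*"):
        res = doorway_findings(path.read_text(errors="replace"))
        if res:
            hits[str(path)] = res
    return hits

# Constructed samples: a doorway shaped like the one described, and a benign page.
SAMPLE_DOORWAY = """<html><head>
<META HTTP-EQUIV="refresh" CONTENT="5; URL=http://pharma-placeholder.su/"></head>
<body>Please wait 5 seconds! Redirecting to site.
<script>window.location.href = "http://pharma-placeholder.su/";</script></body></html>"""
SAMPLE_BENIGN = '<meta http-equiv="refresh" content="0; url=/index.html"><a href="https://europa.eu/">EU</a>'
```

The benign sample shows that an ordinary link to a .eu site and a same-site refresh are not flagged; only redirects whose target host falls under a suspect TLD are reported.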

Spam Domains and Servers

Here’s an incomplete list of websites that the malicious scripts redirect to.


These domains are typically hosted on servers with the following IPs:

90.139.249.23
185.155.96.62
94.158.246.20
95.84.156.166
139.60.161.67

You can find hundreds of similar pharma spam sites associated with these servers, which are located in Latvia, Estonia, Moldova, Russia, and the USA.

Conclusion & Mitigation Steps

Bad actors are always looking for ways to monetize compromised websites. As seen in our latest Hacked Trend Report, SEO spam redirects are one of the most popular methods for attackers to generate revenue.

Malicious redirects can have devastating effects on a website’s rankings and reputation. To mitigate the risk of an SEO spam infection, keep your website software patched with the latest updates. Implementing password security best practices for your web assets and server can also go a long way to preventing an infection in the first place.

If you believe that your website has been compromised and you need a hand cleaning up the infection, we’re here to help you clean up your hacked site.


Categories: Website Malware Infections, Website Security, WordPress Security
Tags: Black Hat Tactics, Hacked Websites

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.
