We regularly clean all sorts of black hat SEO infections. During these infection cleanups, we often find compromised websites redirecting visitors to fake “Canadian Pharmacy” landing pages selling counterfeit men’s health pills from various .su and .eu top level domains.
Spammy Redirect File Names & Contents
These SEO infections usually come in the form of files containing random file names, like the ones seen below.
garbagesjz.php appreciablyx.php hooverizez.php germaniazd.php taxicabsxt.php crackingyo.php breathedy.php robelq.php scowlingg.php knifedp.php paleozoicg.php waterproofingve.php wp-content/reverencet.php ...
The files’ content look like this:
The only differentiating factor between these files is the “m(array” part at the very top, which contains encoded domain names for the redirect URLs.
Pharma Spam Variations
Another variation of this malware involves encoded PHP files, usually found as 404.php in WordPress themes. This malware creates HTML pages containing images of .eu and .su pharma sites, along with links to these domains.
One more variation is a simple HTML page which redirects to one of the spam sites using the <meta http-equiv=”refresh” tag. The doorway displays a random “viagra” image, along with a redirect message: “Please wait 5 seconds! Redirecting to site.”
Another variation combines meta refresh with a JavaScript window.location.href redirect.
Typical Filenames of HTML Doorways
In the case of the HTML redirect files, filenames are found to typically contain either random words with additional extra characters, or female name as seen below.
adrienne.html albertina.html amplificationk.html bellmenaq.html billboardwu.html categorizerspe.html chroniclesxn.html eleanore.html eugenie.html leia.html leatherndh.html …
Infected websites may contain many combinations of the redirect variants described above, and we sometimes find and clean hundreds these files on a single infected site.
Spam Domains and Servers
Here’s an incomplete list of websites that the malicious scripts redirect to.
thenaturalvalue[.]eu naturalmedsmall[.]su naturalsafeshop[.]su firstrxdeal[.]eu homesmartdeal[.]su curinghealinginc[.]su mytabsinvestment[.]su herbalglobalinc[.]eu goodfirstreward[.]eu hotprivatetrade[.]su canadianherbmall[.]su myhealthdeal[.]su curingdrugshop[.]su genericaiddeal[.]su puretablettrade[.]su seasonprice[.]su thepillcompany[.]su trustdelivery[.]su mymedicinalsale[.]eu smartnaturalmart[.]eu familysafemarket[.]eu excellenthotsale[.]eu etc..
These domains are typically hosted on servers with the following IPs:
90.139.249.23 185.155.96.62 94.158.246.20 95.84.156.166 139.60.161.67
Conclusion & Mitigation Steps
Bad actors are always looking for ways to monetize on compromised websites. As seen in our latest Hacked Trend Report, SEO spam redirects are one of the most popular methods for attackers to generate revenue.
Malicious redirects can have devastating effects on a website’s rankings and reputation. To mitigate the risk of an SEO spam infection, keep your website software patched with the latest updates. Implementing password security best practices for your web assets and server can also go a long way to preventing an infection in the first place.
If you believe that your website has been compromised and you need a hand cleaning up the infection, we’re here to help you clean up your hacked site.
Denis Sinegubko
Luke Leal
Justin Channell
Matt Morrow
Krasimir Konov
Ben Martin
Rianna MacLeod
Cesar Anjos
Salvador Aguilar
Peter Gramantik