
Sucuri Blog

Website Security News

Labs Note

COVID-19 Chloroquine Pharmaspam

August 20, 2020, by Luke Leal


A recent SiteCheck scan of an organization’s website showed an interesting pharmacy spam injection targeting COVID-19-related pages of websites. The HTML that was flagged by our SiteCheck signature, spam-seo.hidden_content?100.2, shows why the pharmacy spam text was not displayed on the infected web page:

[Image: Pharma Spam Injection]

This spammer is trying to obfuscate their link injection by assigning a custom function, get_style, to store the display value none. This essentially hides any of the element’s text that comes after the function is called; the injection then uses the custom function end_ to remove the none display element.

By using these custom functions, the spammer hopes that malware scanners will not easily detect the injection.
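A triage heuristic for the evasion described above, as an added example (not SiteCheck's signature and not code from the post): instead of looking for a literal hidden-style attribute in the markup, it flags off-site links naming the advertised drug when they follow an inline script that handles both a display style and a "none" string. The sample markup, the hostnames and the exact shape of the get_style and end_ calls are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KEYWORDS = re.compile(r"aralen|chloroquine", re.I)  # drug names from the post

class HiddenSpamScanner(HTMLParser):
    """Flag off-site keyword links that follow an inline script which
    handles both a display style and a "none" string literal."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.in_script = False
        self.script_text = ""   # all inline script source seen so far
        self.link = None        # off-site anchor currently being read
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self.in_script = True
        elif tag == "a":
            href = attrs.get("href") or ""
            host = urlparse(href).hostname
            if host and host != self.site_host:
                self.link = {"href": href, "text": ""}

    def handle_data(self, data):
        if self.in_script:
            self.script_text += data
        elif self.link is not None:
            self.link["text"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif tag == "a" and self.link is not None:
            js = self.script_text
            hides = "display" in js and re.search(r"""["']none["']""", js)
            if hides and KEYWORDS.search(self.link["href"] + " " + self.link["text"]):
                self.findings.append((self.link["href"], self.link["text"].strip()))
            self.link = None

def scan(html, site_host):
    scanner = HiddenSpamScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples (not the injection from the post).
INFECTED = ("<p>COVID-19 updates</p><script>function get_style(){return \"none\";}"
            "document.write('<div style=\"display:'+get_style()+'\">');</script>"
            '<a href="https://compromised.example/aralen">buy aralen online</a>'
            "<script>end_();</script>")
CLEAN = '<p><a href="https://cdc.example/chloroquine">chloroquine guidance</a></p>'
```

A hit is a lead for manual review, not a verdict: a legitimate page can contain both a display-toggling script and an off-site link that mentions the drug.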

[Image: Injected Content in Web Page]

It’s evident that this pharmacy spam is targeting interest around COVID-19. It is explicitly advertising Aralen, the brand name for the drug chloroquine.

[Image: HCP4 injection to malicious domain]

The domain found in this sample belongs to a third-party local government website that was compromised and used to host pharmacy spam. Since it is a local government website, people may incorrectly believe that the page is legitimate, rather than a pharmacy spam posting created by a spammer.

[Image: compromised government website]

Since pharmacy spam injections are ultimately displayed onto a publicly accessible web page, they can be detected through a website scanning service like SiteCheck.

If you believe your website may be compromised and serving spam, we’re here to help.


Categories: Sucuri Labs, Website Malware Infections, Website Security
Tags: Black Hat Tactics, Hacked Websites, Labs Note, SEO Spam

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.
