Pharma Spam Redirects to .su & .eu Sites

We regularly clean all sorts of black hat SEO infections. During these cleanups, we often find compromised websites redirecting visitors to fake “Canadian Pharmacy” landing pages that sell counterfeit men’s health pills from various .su and .eu top-level domains.

Typical “Canadian Pharmacy” landing page

Spammy Redirect File Names & Contents 

These SEO infections usually come in the form of files with random file names, like the ones seen below.

garbagesjz.php
appreciablyx.php
hooverizez.php
germaniazd.php
taxicabsxt.php
crackingyo.php
breathedy.php
robelq.php
scowlingg.php
knifedp.php
paleozoicg.php
waterproofingve.php
wp-content/reverencet.php
...

The files’ content looks like this:

Typical .su and .eu pharma redirect code

The only differentiating factor between these files is the “m(array” part at the very top, which contains encoded domain names for the redirect URLs.

Pharma Spam Variations

Another variation of this malware involves encoded PHP files, usually found as 404.php in WordPress themes. This malware creates HTML pages containing images of .eu and .su pharma sites, along with links to these domains.

Decoded: Image map with pharma links

One more variation is a simple HTML page which redirects to one of the spam sites using the <meta http-equiv="refresh"> tag. The doorway displays a random “viagra” image, along with a redirect message: “Please wait 5 seconds! Redirecting to site.”

Meta refresh redirect

Another variation combines meta refresh with a JavaScript window.location.href redirect.

Meta refresh and JavaScript redirect

Typical Filenames of HTML Doorways

In the case of the HTML redirect files, filenames typically contain either random words with extra characters appended, or female names, as seen below.

adrienne.html
albertina.html
amplificationk.html
bellmenaq.html
billboardwu.html
categorizerspe.html
chroniclesxn.html
eleanore.html
eugenie.html
leia.html
leatherndh.html
…

Infected websites may contain many combinations of the redirect variants described above, and we sometimes find and clean hundreds of these files on a single infected site.
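As an added example (not code from the original post), here is a defender-side scanner for the HTML doorway variants described above: it flags .html/.htm files whose meta refresh or window.location.href target is an absolute URL on a .su or .eu host. The function names, the sample markup and the placeholder domain are constructed for illustration; .eu hosts many legitimate sites, so treat hits as leads for manual review.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

SUSPECT_TLDS = (".su", ".eu")  # TLDs named in the article; adjust as needed
JS_REDIRECT = re.compile(r"(?:window\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)

class RefreshFinder(HTMLParser):
    """Collect the target URL of every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.targets.append(m.group(1))

def scan_doorway(html):
    """Return sorted (kind, host) pairs for redirects to suspect TLDs."""
    finder = RefreshFinder()
    finder.feed(html)
    hits = [("meta-refresh", u) for u in finder.targets]
    hits += [("js-location", u) for u in JS_REDIRECT.findall(html)]
    found = set()
    for kind, url in hits:
        try:
            host = (urlparse(url).hostname or "").lower()
        except ValueError:  # malformed URL, nothing to classify
            continue
        if host.endswith(SUSPECT_TLDS):  # relative targets have no host
            found.add((kind, host))
    return sorted(found)

def scan_tree(root):
    """Map each flagged .htm/.html file under root to its findings."""
    report = {}
    for path in (p for p in Path(root).rglob("*.htm*") if p.is_file()):
        hits = scan_doorway(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample modelled on the doorway described above; placeholder domain.
SAMPLE = ('<meta http-equiv="refresh" content="5; url=http://pharma-placeholder.su/">'
          '<script>window.location.href = "http://pharma-placeholder.su/";</script>'
          "Please wait 5 seconds! Redirecting to site.")
```

Run `scan_tree()` against a copy of the web root; same-site refreshes to relative paths are ignored because they carry no host.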

Spam Domains and Servers

Here’s an incomplete list of websites that the malicious scripts redirect to.


These domains are typically hosted on servers with the following IPs:

90.139.249.23
185.155.96.62
94.158.246.20
95.84.156.166
139.60.161.67

You can find hundreds of similar pharma spam sites associated with these servers, which are located in Latvia, Estonia, Moldova, Russia, and the USA.

Conclusion & Mitigation Steps

Bad actors are always looking for ways to monetize compromised websites. As seen in our latest Hacked Trend Report, SEO spam redirects are one of the most popular methods for attackers to generate revenue.

Malicious redirects can have devastating effects on a website’s rankings and reputation. To mitigate the risk of an SEO spam infection, keep your website software patched with the latest updates. Implementing password security best practices for your web assets and server can also go a long way to preventing an infection in the first place.

If you believe that your website has been compromised and you need a hand cleaning up the infection, we’re here to help you clean up your hacked site.
