Pharma Hack

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.

Pharma Hack

Postby David166 » Sun Mar 23, 2014 6:40 pm

My WordPress website was recently hacked. Since that time I have been trying to educate myself and others about this particular hack. I'm very frustrated because I see that WordPress sites are being hacked on a massive scale and the WordPress community seems to be fighting back one hacked site at a time.

There are some exceptions to this generalization such as some good firewalls and the new automatic update feature but in general they seem to have given up or never had the idea of any offensive strategy. One of the things I have discovered is that it is very short-sighted to look at the pharma hack as a single hacked site. It is a web of hacked sites and if you know the URL of one it is easy to find the URLs of a hundred or more. Here is an oversimplified diagram of a tiny portion of the hidden web.

hidden-link-site1.com \
hidden-link-site2.com — pharma-hacked-site1.com –> pillstore.info
hidden-link-site3.com /

By the way pillstore.info is a real URL of a real pharmaceutical site used by the hackers.

The hackers are very clever at hiding code and the people at places like Sucuri.net are focused on finding it, removing it and hardening the site. This hack has a very big weakness that seems to be being overlooked. It tries to hide from the site owners but in order for it to work it has to be visible to search engines.

I am thinking that if someone developed the right software thousands of hacked sites might be identified in days. But even if they were there isn't an easy way to contact the owners of the sites. I have had some very limited success trying to do this.

This hack is very vulnerable to an offensive strategy. For the life of me I don't understand why Google and WordPress don't bring this particular hack to its knees. I've tried but I cannot get their attention. Maybe it is my lack of sales skills.

Google could and should be doing much more to fight this. They have come up with what I think are very half-hearted ways to help webmasters learn that they have been hacked but have put little or no effort into making sure webmasters are aware of them.

The WordPress world seems to be so money driven that unless they can make a buck off it they want to ignore it. They also seem to be protective of the reputation of their cash cow to the point of sweeping problems under the rug. It baffles me. I cannot think like them. See what I mean about my sales skills. I piss everyone off.

Anyway, thanks for the use of your soapbox and if there is anyone here that can tell me what else I can do to have an impact on this thing and end my frustration please let me know. Despite my frustration I feel very optimistic that if I can find the right audience the days of this hack are numbered.

Oh, I have run across some strange sites in the Pharma Hack web that I cannot figure out. If anyone thinks they can tell me please let me know and I will give you the URLs of some of them so you can take a look. I really could use help if anyone cares.
David166
Getting started
 
Posts: 19
Joined: Sun Mar 23, 2014 5:06 pm

Re: Pharma Hack

Postby AlphaCentauri » Wed Mar 26, 2014 2:29 am

Welcome, David166! Sorry for the delay.

I'm no Wordpress expert. Those sites do get hacked frequently, but part of the reason is that they have made use of their product easy enough that people can put up websites with no idea of what they are doing, and with little intention to maintain their sites into the future. Those abandoned sites that don't get updated and never get new passwords are the most common victims -- which is why it is close to impossible to find an owner to notify.

There are a lot of free Wordpress add-ons that can help with security. Some block visitors from known bad IP addresses, some change the default file folder names so a bot can't go directly to a target URL, etc. Hackers usually aren't personally visiting these types of websites. They have computer scripts that just try thousands of sites in order to breach a few, because they don't really care which site is breached. They take advantage of the fact that thousands of sites have exactly the same Wordpress structure to create software to attack a common vulnerability. It's not like trying to get into a single high-value target, where you are making multiple attempts on a single site. A hacker doesn't have to guess your password and deal with being locked out after 5 wrong guesses and waiting an hour, and the statistics about how many thousand years it would take to guess a password of a certain number of characters don't apply. They can use a single common username/password combination one time each on thousands of sites until one lets them in.

It's helpful to not have your administrative user named "Administrator" or "Admin," because bots are programmed to try those. And it's important to have long, complex passwords that are not on the list of common passwords:
https://xato.net/passwords/more-top-worst-passwords/
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Pharma Hack

Postby David166 » Wed Mar 26, 2014 12:46 pm

There is another diagram I should have included to better illustrate the webbed nature of this hack.


                        / pharma-hacked-site1.com
hidden-link-site1.com —   pharma-hacked-site3.com
                        \ pharma-hacked-site4.com

Thanks to a plugin called Wordfence I have been able to observe live traffic on my site. I have a very good idea about what a hacker's fake Google-bot is looking for.

Somewhere there is a hacker with a large database of software vulnerabilities that they can survey and probe for. That is clear.

I've seen them make about 30 dictionary log-in attempts within about a minute. Since I tend to be a bit paranoid now I use 2 factor authentication, strong passwords and other steps I will not get into.

The hackers also have, at the very least, a database of every site that has the pharma hack. I'm sure they know everything about these sites and their possible weaknesses. Such a database would be an invaluable resource for a hacker or for anyone attempting to slow them down. There is so much to learn by looking at these hacked sites.

Such a database would be so easy to create. That is why I am baffled. By my calculation Black Hat SEO Hacks should have been beaten back long ago.

Your response is typical of the responses I get. I will continue to work on my communication skills.
David166
Getting started
 
Posts: 19
Joined: Sun Mar 23, 2014 5:06 pm
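AlphaCentauri's point above (bots try one common username/password pair on thousands of sites, so per-site lockouts rarely trigger) and David166's observation of about 30 login attempts inside a minute from a fake Google-bot both show up in an ordinary web server access log. The following Python is an added example, not code from the thread, Wordfence or WordPress: it reads Apache/nginx "combined" log lines, counts POSTs to the WordPress login endpoints per source address in a sliding window, and also flags a request that claims a search-engine crawler's User-Agent while posting to the login form (real crawlers never log in). The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; the named groups are the fields we use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# WordPress endpoints that accept credentials (xmlrpc.php is abused for the same purpose).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
# A crawler never submits a login form, so this UA on a login POST is spoofed.
CRAWLER_UA_MARKERS = ("Googlebot", "bingbot")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def login_bursts(lines, window_seconds=60, threshold=10):
    """Flag source IPs that POST to a login endpoint >= threshold times in any
    window_seconds window, or that do so with a spoofed crawler User-Agent.
    Returns {ip: {"attempts": peak count in a window, "spoofed_crawler": bool}}."""
    recent = defaultdict(deque)   # per-IP timestamps of login POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while q[0] < cutoff:
            q.popleft()
        burst = len(q) >= threshold
        crawler_ua = any(marker in rec["ua"] for marker in CRAWLER_UA_MARKERS)
        if burst or crawler_ua:
            entry = flagged.setdefault(rec["ip"], {"attempts": 0, "spoofed_crawler": False})
            entry["attempts"] = max(entry["attempts"], len(q))
            entry["spoofed_crawler"] = entry["spoofed_crawler"] or crawler_ua
    return flagged


def _line(ip, ts, method, path, status, ua):
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')


def sample_lines():
    """Constructed access log: one spraying host using a fake Googlebot UA (30 POSTs in
    58 seconds), and one normal editor logging in once. Addresses are documentation ranges."""
    t0 = datetime(2014, 3, 26, 12, 0, 0, tzinfo=timezone.utc)
    fake_bot = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    browser = "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"
    lines = [_line("203.0.113.7", t0 + timedelta(seconds=2 * i), "POST", "/wp-login.php", 200, fake_bot)
             for i in range(30)]
    lines.append(_line("198.51.100.4", t0 + timedelta(seconds=5), "GET", "/wp-login.php", 200, browser))
    lines.append(_line("198.51.100.4", t0 + timedelta(seconds=12), "POST", "/wp-login.php", 302, browser))
    lines.append(_line("198.51.100.4", t0 + timedelta(seconds=20), "GET", "/wp-admin/", 200, browser))
    return lines


if __name__ == "__main__":
    for ip, info in login_bursts(sample_lines()).items():
        print(ip, info)
```

The threshold is per site, which is exactly the blind spot AlphaCentauri describes: a bot that tries one pair per site stays under it. The crawler-UA rule catches that case whenever the bot borrows a search-engine identity, and the same parser can be pointed at several sites' logs to correlate one source address across them.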

Re: Pharma Hack

Postby Red Dwarf » Wed Mar 26, 2014 10:05 pm

Welcome!

Oh, I have run across some strange sites in the Pharma Hack web that I cannot figure out. If anyone thinks they can tell me please let me know and I will give you the URLs of some of them so you can take a look. I really could use help if anyone cares.


Append them here and everyone can take a look and comment.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Pharma Hack

Postby David166 » Wed Mar 26, 2014 10:15 pm

I'm not sure how I should be doing this:

<div id="popularlinks">
<ul>
<li><a href="http://backstageentertainment.net/discountstore/home/flexseal/flex-seal-liquid-rubber.html">Flex Seal Liquid Rubber</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/rockinbody/reviews-on-rockin-body-with-shaun-t.html">Reviews On Rockin Body With Shaun T</a></li>
<li><a href="http://backstageentertainment.net/discountstore/kitchen/popchef/pop-chef-in-stores.html">Pop Chef In Stores</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/invinceable/invinceable.html">Invinceable</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/pockethose/buy-pocket-hose-usa.html">Buy Pocket Hose Usa</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/butterflyabs/does-butterfly-abs-really-work.html">Does Butterfly Abs Really Work</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/lesmillspump/les-mills-body-pump-workout.html">Les Mills Body Pump Workout</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/insanity/insanity-fitness.html">Insanity Fitness</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/flexbelt/flex-belt-for-sale.html">Flex Belt For Sale</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/irongym/the-iron-gym.html">The Iron Gym</a></li>
<li><a href="http://backstageentertainment.net/discountstore/diet/lipog3garcinia/lipo-g3-garcinia-cambogia.html">Lipo G3 Garcinia Cambogia</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/turbojam/turbo-jam-schedule-and-calendar.html">Turbo Jam Schedule And Calendar</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/garciniacambogia/order-garcinia-cambogia-extract-online.html">Order Garcinia Cambogia Extract Online</a></li>
<li><a href="http://backstageentertainment.net/discountstore/kitchen/stonewave/stone-wave-in-stores.html">Stone Wave In Stores</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/pockethose/buy-pocket-hose-cheap-price.html">Buy Pocket Hose Cheap Price</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/flexbelt/ab-flex-belt-reviews.html">Ab Flex Belt Reviews</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/turbofire/turbo-fire-workout-review.html">Turbo Fire Workout Review</a></li>
<li><a href="http://backstageentertainment.net/discountstore/diet/lipog3garcinia/lipo-g3-garcinia.html">Lipo G3 Garcinia</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/quicklawn/buy-quicklawn-discount-price.html">Buy Quicklawn Discount Price</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/invinceable/invinceable-as-seen-on-tv.html">Invinceable As Seen On Tv</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/flexarms/flex-arms-workout.html">Flex Arms Workout</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/swivelsweeperg2/swivel-sweeper.html">Swivel Sweeper</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/bodybeast/sagi-kalev-body-beast.html">Sagi Kalev Body Beast</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/quicklawn/quicklawn.html">Quicklawn</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/flexablehose/flexable-hose-where-to-buy.html">Flexable Hose Where To Buy</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/p90xworkout/p90x-reviews.html">P90x Reviews</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/solaramerica/solar-america-power-station.html">Solar America Power Station</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/solaramerica/solar-america-solutions.html">Solar America Solutions</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/bedbugdefense/spray-for-bed-bugs.html">Spray For Bed Bugs</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/miraclegarciniagambogia/miracle-garcinia-cambogia-price.html">Miracle Garcinia Cambogia Price</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/pockethose/pocket-hose-where-to-buy.html">Pocket Hose Where To Buy</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/flexbelt/flex-belt-discount-price.html">Flex Belt Discount Price</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/flexablehose/flexible-water-hose-review.html">Flexible Water Hose Review</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/riddexplus/riddex-sonic-plus-pest-repeller.html">Riddex Sonic Plus Pest Repeller</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/abrockettwister/rocket-twister.html">Rocket Twister</a></li>
<li><a href="http://backstageentertainment.net/discountstore/exercise/brazilbuttlift/brazilian-workout.html">Brazilian Workout</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/freshsticks/fresh-sticks-reviews.html">Fresh Sticks Reviews</a></li>
<li><a href="http://backstageentertainment.net/discountstore/home/pockethose/pocket-hose-10-year-warranty.html">Pocket Hose 10 Year Warranty</a></li>
</ul>
</div>


http://www.swems.org/viagra.html


The pages themselves borrow elements from another site. If this is not what you expected let me know. I fumble a lot.
David166
Getting started
 
Posts: 19
Joined: Sun Mar 23, 2014 5:06 pm

Re: Pharma Hack

Postby Red Dwarf » Wed Mar 26, 2014 11:02 pm

backstageentertainment.net looks a legit site. Presumably an account on it has an easy password.
Someone has added a folder called "discountstore" and added html pages in subfolders for the advertising of stuff not related to the original site.

Where is the connection to
http://www.swems.org/viagra.html
?
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Pharma Hack

Postby David166 » Thu Mar 27, 2014 9:12 am

backstageentertainment.net looks a legit site. Presumably an account on it has an easy password.
Someone has added a folder called "discountstore" and added html pages in subfolders for the advertising of stuff not related to the original site.

Where is the connection to
http://www.swems.org/viagra.html


backstageentertainment.net is almost for sure a legit site. The company is owned by Paul Loggins, a cousin of Kenny Loggins of http://en.wikipedia.org/wiki/Loggins_and_Messina but there doesn't seem to be anyone that cares that they are hacked. Emails, tweets, Facebook messages don't seem to wake anyone up. It is a good example of how difficult it is to contact a site owner.

I didn't copy it but at the bottom of the page are about 15 hidden links to pharma hacked sites. backstageentertainment.net also has the pharma hack. They seem to be getting all the mileage they can out of this site.

The pages in "discountstore" are what puzzle me. They are designed to fool a Google Bot but not a real person. The real destination is probably reached by clicking the Google Listing they create. They borrow stuff from another site or sites. I am assuming that must be a proven way to fool a Google algorithm.

http://www.swems.org/viagra.html

Is another example of a mixed content site meant to fool a Google Bot. The text is garbage and the links don't seem to go anywhere. I'm guessing that there must be a way of tricking the Google Bot into using an active link. The site they picked is comical in a sad way and proves how hackers can mess with even a secure site.

http://back2africa.com/ is another example of a webmaster being hard to contact. It is monitored by Sucuri.net. They didn't know it was hacked until I pointed it out to them. Sucuri has blacklisted it but seems to be unable to contact their customer.

mcgrewgroup.com <---- Pharma Hack

https://www.facebook.com/pages/The-McGr ... 4550200427

The Facebook page is clearly related. Phone numbers on the site are fake. The information on the pages is meaningless. There is a page in the site that says it is an RSS feed that cycles the same links that are on the Facebook page. It makes me wonder if even Facebook is safe.

Google says the address they are using is on the campus of the Georgia State University.
David166
Getting started
 
Posts: 19
Joined: Sun Mar 23, 2014 5:06 pm
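Two observations in this thread point at the same check: David166's first post says the hack has to stay visible to search engines while hiding from the owner, and the "discountstore" pages above are "designed to fool a Google Bot but not a real person". The Python below is an added example written for this thread, not code from Sucuri, Wordfence or any project named here: it fetches the same URL once with a Googlebot User-Agent and once with a browser User-Agent, extracts every link from both responses, and reports links that exist only in the crawler's view plus the off-site hosts they point to. The HTML pages, hostnames and URLs in the sample are constructed; only the two User-Agent strings are real.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import urllib.request

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0"


class LinkCollector(HTMLParser):
    """Collect href values of every <a> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def cloaking_report(crawler_html, browser_html, site_host):
    """Compare the crawler's view with the browser's view of one page.
    Links present only for the crawler are the injected, cloaked content."""
    crawler_only = sorted(set(extract_links(crawler_html)) - set(extract_links(browser_html)))
    offsite_hosts = sorted({urlsplit(u).netloc for u in crawler_only
                            if urlsplit(u).netloc and urlsplit(u).netloc != site_host})
    return {"cloaked": bool(crawler_only),
            "crawler_only_links": crawler_only,
            "offsite_hosts": offsite_hosts}


def fetch_view(url, user_agent):
    """Fetch url presenting the given User-Agent (live use only; not exercised offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def check_url(url):
    """Run the cloaking comparison against a live site you administer."""
    host = urlsplit(url).netloc
    return cloaking_report(fetch_view(url, GOOGLEBOT_UA), fetch_view(url, BROWSER_UA), host)


# Constructed sample: what a browser sees, and what the crawler sees on the same page.
BROWSER_VIEW = """<html><body>
<h1>Example Entertainment</h1>
<a href="/about.html">About</a> <a href="/contact.html">Contact</a>
</body></html>"""

CRAWLER_VIEW = BROWSER_VIEW.replace("</body>", """
<div id="popularlinks"><ul>
<li><a href="http://example.net/discountstore/home/item-one.html">Item One</a></li>
<li><a href="http://hacked-site-example.org/viagra.html">Cheap Pills</a></li>
</ul></div>
</body>""")


if __name__ == "__main__":
    print(cloaking_report(CRAWLER_VIEW, BROWSER_VIEW, "example.net"))
```

Run `check_url("http://your-site.example/")` against a site you are responsible for to get the same report from live responses. Some injections key off the Referer header (a visitor arriving from a search result) rather than the User-Agent, so a second comparison with a search-engine Referer set on the request is worth adding when the User-Agent comparison comes back clean.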

Re: Pharma Hack

Postby NotBuyingIt » Thu Mar 27, 2014 11:58 am

No I'm wrong. I attempted to delete this comment several minutes after I posted it, but the delete didn't work. Sorry.
Red Dwarf wrote:
http://www.swems.org/viagra.html
?


swems.org is the (hacked) website for an "Iowa Mennonite School". :(

The school will be looking into the problem soon, I expect.
Last edited by NotBuyingIt on Thu Mar 27, 2014 12:47 pm, edited 1 time in total.
NotBuyingIt
Spammer Killing Machine
 
Posts: 609
Joined: Sun Jun 13, 2010 5:22 pm

Re: Pharma Hack

Postby David166 » Thu Mar 27, 2014 12:40 pm

Are you for real?

http://www.iowamennonite.org/ is a Mennonite school site.


Domain Name:SWEMS.ORG
Domain ID: D6634555-LROR
Creation Date: 1999-05-19T21:09:27Z
Updated Date: 2008-04-18T19:48:03Z
Registry Expiry Date: 2014-05-19T21:10:03Z
Sponsoring Registrar:Catalog.com, Inc (R98-LROR)
Sponsoring Registrar IANA ID: 112
WHOIS Server:
Referral URL:
Domain Status: clientTransferProhibited
Registrant ID:28253983-NSI
Registrant Name:Southwest EMS & Trauma System
Registrant Organization:Southwest EMS & Trauma System
Registrant Street: 212 NE 83rd St
Registrant City:Vancouver
Registrant State/Province:WA
Registrant Postal Code:98665
Registrant Country:US
Registrant Phone:+1.36057681
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Admin ID:42012886-NSI
Admin Name:Zita Wiltgen
Admin Organization:
Admin Street: PO Box 65158
Admin City:Vancouver
Admin State/Province:WA
Admin Postal Code:98665
Admin Country:US
Admin Phone:+1.360576819
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Tech ID:42012886-NSI
Tech Name:Zita Wiltgen
Tech Organization:
Tech Street: PO Box 65158
Tech City:Vancouver
Tech State/Province:WA
Tech Postal Code:98665
Tech Country:US
Tech Phone:+1.360576819
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:
Name Server:NS1.CATALOG.COM
Name Server:NS3.CATALOG.COM
Name Server:NS2.CATALOG.COM
Name Server:


David166
Getting started
 
Posts: 19
Joined: Sun Mar 23, 2014 5:06 pm

Re: Pharma Hack

Postby NotBuyingIt » Thu Mar 27, 2014 12:54 pm

David166 wrote:Are you for real?

http://www.iowamennonite.org/ is Mennonite school site.



I was wrong. I conflated the URLs to iowamennonite.org that occurred within the webpage with the webpage host SWEMS.ORG. (I've been on the phone with both organizations.)

I attempted to delete this comment several minutes after I posted it, but the delete didn't work. Sorry.
NotBuyingIt
Spammer Killing Machine
 
Posts: 609
Joined: Sun Jun 13, 2010 5:22 pm

Re: Pharma Hack

Postby David166 » Thu Mar 27, 2014 1:03 pm

I'll ask about that when they return my call.
David166
Getting started
 
Posts: 19
Joined: Sun Mar 23, 2014 5:06 pm

Re: Pharma Hack

Postby NotBuyingIt » Thu Mar 27, 2014 1:06 pm

David166 wrote:I'll ask about that when they return my call.


About what?
NotBuyingIt
Spammer Killing Machine
 
Posts: 609
Joined: Sun Jun 13, 2010 5:22 pm

Re: Pharma Hack

Postby David166 » Thu Mar 27, 2014 1:29 pm

From the seeds I have planted here you should be able to uncover hundreds of hacked sites very easily. Most of them are on Catalog.com/Webhero.com servers. Show me what you can do. Meanwhile I'm sending my resume to Google's spam fighters' team. :D
David166
Getting started
 
Posts: 19
Joined: Sun Mar 23, 2014 5:06 pm

Re: Pharma Hack

Postby Red Dwarf » Thu Mar 27, 2014 3:36 pm

Google search is one way of detecting hacked legit sites that have had pharma-related materials added. Taking one phrase, "Buying Cheap Lipitor (atorvastatin)" which is found at http://www.swems.org/lipitor.html we can do this Google search

https://www.google.com/search?q=%22Buying+Cheap+Lipitor+(atorvastatin)+%22

This shows the hacked sites and also forum spam. Examples of hacked sites found from the above search:
sharkfriendly.com
hollywooddesignpro.com
mgpweddings.com
justgamerz.com
mauriciolopez.info
books-about-california.com

Contacting the administrator of defunct web sites is not always fruitful, and there is a challenge in scaling up the process to automate it.

Take the first,
sharkfriendly.com.

1. From the site you can locate the owner's email address - marty@sharkfriendly.com in the About Me page.

2. From the domain name's WHOIS page, Joseph Train on +1.9124374974 and eze311@gmail.com

3. The hosting IP address is at 65.75.141.200 for which the WHOIS reveals Hanna, Douglass, on +1-404-865-1095 and noc@softwareworksgroup.com

- - - - -

The second one is
hollywooddesignpro.com
1. Contact Us page is hollywooddesignpro.com/contact-us giving
info@hollywooddesignpro.com
holly@hollywooddesignpro.com = Holly Jonas, Owner / Designer
anna@hollywooddesignpro.com = Anna Jonas, Designer

2. WHOIS - Holly Jonas email:info@hollywooddesignpro.com ph:16028183322

3. WHOIS on IP address 209.217.39.154 gives arinadmin@catalog.com and abuse@catalog.com +1-405-753-9300

- - - - -

Retrieving the information from steps 2 and 3 can be automated, so that by feeding in the domain name the email addresses can be retrieved and a template message sent.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am
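Red Dwarf's steps 2 and 3 (domain WHOIS, then WHOIS on the hosting IP, then a template notice) are the part that can be automated. The Python below is an added example, not Red Dwarf's tooling or any registry's official client: it builds the quoted search URL from step 1, parses the `Key:Value` layout of the WHOIS output David166 pasted earlier (and the `OrgAbuseEmail:` layout used by IP registries), pulls out the registrant, admin, tech and abuse addresses, and renders a notification. The two WHOIS records, the domain, the IP range and every contact in them are constructed for the example.

```python
import re
from urllib.parse import quote_plus

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Keys that carry a contact address in registry output: domain WHOIS (first three)
# and IP WHOIS (ARIN "OrgAbuseEmail", RIPE "abuse-mailbox").
ROLE_EMAIL_KEYS = ("Registrant Email", "Admin Email", "Tech Email",
                   "OrgAbuseEmail", "abuse-mailbox")


def search_url(phrase):
    """Step 1: exact-phrase web search for text lifted from a known injected page."""
    return "https://www.google.com/search?q=" + quote_plus(f'"{phrase}"')


def parse_whois(text):
    """Parse 'Key:value' lines into {key: [values]}; keys such as Name Server repeat,
    empty values (e.g. 'Registrant Email:') are dropped, comment lines are skipped."""
    fields = {}
    for line in text.splitlines():
        stripped = line.strip()
        if ":" not in stripped or stripped.startswith(("%", "#", ">>>")):
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            fields.setdefault(key, []).append(value)
    return fields


def contact_emails(fields):
    """Addresses from the role keys, first seen wins, case-insensitive de-duplication."""
    found, seen = [], set()
    for key in ROLE_EMAIL_KEYS:
        for value in fields.get(key, []):
            for addr in EMAIL_RE.findall(value):
                if addr.lower() not in seen:
                    seen.add(addr.lower())
                    found.append(addr)
    return found


def notify_targets(domain_whois_text, ip_whois_text):
    """Steps 2 and 3 combined: owner contacts from the domain record, abuse contact from
    the hosting IP record."""
    return contact_emails(parse_whois(domain_whois_text)) + [
        a for a in contact_emails(parse_whois(ip_whois_text))
        if a.lower() not in {x.lower() for x in contact_emails(parse_whois(domain_whois_text))}
    ]


NOTICE = """To: {recipients}
Subject: Unauthorised pharmacy-spam content on {domain}

Pages on {domain} currently contain injected pharmacy spam that is served to
search-engine crawlers. Example: {evidence_url}
Search for the phrase {phrase!r} to see the indexed copies.
This usually means the site has been compromised; please review the site's files
and credentials, and your hosting provider's abuse desk has been copied on this notice.
"""


def notification(domain, evidence_url, phrase, recipients):
    return NOTICE.format(domain=domain, evidence_url=evidence_url,
                         phrase=phrase, recipients=", ".join(recipients))


# Constructed records in the same layout as the thread's pasted WHOIS output.
DOMAIN_WHOIS = """Domain Name:HACKED-EXAMPLE.COM
Sponsoring Registrar:Example Registrar, Inc
Domain Status: clientTransferProhibited
Registrant Name:Jane Example
Registrant Email:jane@hacked-example.com
Admin Name:Jane Example
Admin Email:jane@hacked-example.com
Tech Email:webmaster@example-hosting.net
Tech Fax:
Name Server:NS1.EXAMPLE-HOSTING.NET
Name Server:NS2.EXAMPLE-HOSTING.NET
>>> Last update of WHOIS database: 2014-03-27T00:00:00Z <<<
"""

IP_WHOIS = """NetRange:       203.0.113.0 - 203.0.113.255
OrgName:        Example Hosting
OrgAbuseHandle: EXA-ARIN
OrgAbuseEmail:  abuse@example-hosting.net
OrgAbusePhone:  +1-555-0100
"""

if __name__ == "__main__":
    targets = notify_targets(DOMAIN_WHOIS, IP_WHOIS)
    print(notification("hacked-example.com", "http://hacked-example.com/lipitor.html",
                       "Buying Cheap Lipitor (atorvastatin)", targets))
```

Feeding the script live output from `whois <domain>` and `whois <hosting IP>` gives the recipient list for one site; the parser is deliberately tolerant of the registry-to-registry layout differences (spacing after the colon, repeated keys, comment lines) that break naive line splitting.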

Re: Pharma Hack

Postby David166 » Thu Mar 27, 2014 4:32 pm

This hack is dead! I can smell the blood. It doesn't know it yet but it is dead. It's dead because it can't hide and I think I have finally found a group of people who understand that. Did I ever mention my web site pharma-hack.com?


I contacted this site 2 weeks ago. It has hidden links to pharma hacked sites on 3 pages.

http://cherokeerafting.com/ocoee.html
http://cherokeerafting.com/site_map.html
http://cherokeerafting.com/trip.html

They promised me they would remove them. Many of the sites in the links have been cleaned but there are still some I couldn't contact. I talked to the sales manager of Cherokee Rafting and he told me that they hired a new consultant because they were not getting much traffic to their site. Google is punishing them I think.

I have found that siteexplorer.info is very helpful and http://www.whoishostingthis.com/ is useful to find the site's host. I'm building stats about who is hosting hacked sites.
David166
Getting started
 
Posts: 19
Joined: Sun Mar 23, 2014 5:06 pm
