Spammers hack PHP websites to make money from online pharmacies

March 29, 2007 Sophos Press Release

Sophos, a world leader in IT security and control, has warned internet users of the importance of properly securing their websites after uncovering evidence that spammers are hacking into sites in an attempt to sell goods.

Spam campaigns advertising internet pharmacies peddling drugs are directing users to webpages hosted on innocent websites that have been hacked, which then automatically redirect surfers to the online store. The hacked websites are all using PHP, a scripting language used by many internet sites, which has suffered from serious security vulnerabilities in the past.

Because the spam messages point to an innocent website rather than directly to the online pharmacy, there is a risk that sites unaware of the spam campaign may have their reputations tarnished. Anti-spam products often use information about the webpage pointed to by an email as an indicator of whether the message is spam or not.

The spam emails advertise an online drugs store.

"To the naked eye it looks like a regular spam message advertising Viagra and Cialis," said Graham Cluley, senior technology consultant for Sophos. "But it is actually pointing to a website that is owned by someone who is probably completely unaware that spammers have hacked into their site, and are redirecting visitors to an online pharmacy. Website owners have a duty to properly patch their sites against the latest vulnerabilities, or risk being exploited by spammers."

The HTML source code of the spam email reveals that it links to a page on a hacked website, and displays a graphic hidden on another exploited site.

"If people visit the webpage on the hacked website they will then be automatically redirected to the real destination: a site pushing drugs," continued Cluley. "Web surfers probably wouldn't even notice they are being hopped across the net. The intention of the spammers is not to confuse their potential purchasers but to try and slip past anti-spam products."

The spammers have hacked into PHP-based websites in order to plant redirection code that takes customers to their store. In this case the site is www.dickcheneyshotmetoo.com.

The websites running PHP that spammers are hacking into are legitimate sites that would not normally be blocked by anti-spam solutions or web filters.

"Normally, a joe job is a spam campaign forged to appear as though it came from an innocent party, with the intention of incriminating or pinning blame onto them," explained Cluley. "In this case, spammers are 'joe jobbing' innocent websites by having their spam point (however briefly) to hacked webpages which then redirect to the spammers' preferred destination."

Customers defended by Sophos's anti-spam products are protected against the spam campaign using Genotype® technology.

Last week, Sophos warned computer users of the dangers of buying pills from online sites following the death of a 57-year-old Canadian woman. Sophos's Security Threat Report 2007 revealed that almost 60 percent of all spam sent across the internet is related to drugs and medication.

Sophos recommends companies protect themselves with a consolidated solution which can defend against the threats of spam, spyware and viruses.