Zscaler Blog
Security Research
Follow Up on Russian Scam

JULIEN SOBRIER
February 13, 2012 - 3 min read
Last week, I described how many websites hosted on DreamHost had been hijacked. Since then, I have found the same scams on websites hosted with other providers.

Vulnerable sites are often compromised by several groups at once and reused for different purposes: spam delivery, Blackhat SEO, redirections to other scams, and so on. Many of the sites hosting the Russian scams are now also used for these other malicious purposes.

Blackhat SEO

One of the parameters used to determine the rank of a web site in search results is the number of links pointing to a given page. Spammers therefore abuse vulnerable sites by injecting links to the sites they want to promote, and these links are usually hidden from visitors to the page. The most common technique is to add a hidden DIV tag at the end of the page. This was done on http://goingonfive.com/ for example:

[Image: Spam links]
In this example, the DIV tag is positioned off-screen, to the left, with inline CSS, so the links never appear in the browser but are still present in the HTML that search engines crawl. The links for Viagra and other drugs point to other pages uploaded on the same site (in the /includes/ folder), as well as to other hijacked websites (http://airtravel-services.com/js/index.html, etc.).
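As an added illustration, not code from the original post, here is a small Python scanner that flags links sitting inside elements hidden by inline CSS, which is exactly what the injected DIV above relies on. The sample page is constructed to mirror the injection described here (an off-screen DIV and a display:none DIV full of pharmacy links next to legitimate navigation links); the hiding rules are my own assumptions about what such injections typically look like, not a list taken from the hijacked pages.

```python
"""Find links hidden from visitors by inline CSS (off-screen DIV, display:none, ...).

Added example for the hidden-DIV Blackhat SEO technique described above.
Uses only the standard library so it runs offline on saved HTML.
"""
import re
from html.parser import HTMLParser

# Inline-style patterns that remove an element from the visible page.
# These are assumptions about common hiding tricks, not an exhaustive list.
HIDING_RULES = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    # pushed far off-screen: left:-9999px, top:-5000px, text-indent:-9999px
    re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I),
    # collapsed to nothing: width:0, height:0, font-size:0
    re.compile(r"(?:^|;)\s*(?:height|width|font-size)\s*:\s*0(?:px)?\s*(?:;|$)", re.I),
]

# Elements that never get a closing tag; they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def is_hiding_style(style: str) -> bool:
    """True if an inline style attribute hides the element from visitors."""
    return any(rule.search(style) for rule in HIDING_RULES)


class HiddenLinkFinder(HTMLParser):
    """Collect (href, anchor text) for every <a> inside a hidden subtree."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, started_hidden_subtree) for open tags
        self.hidden_depth = 0    # >0 while inside at least one hidden element
        self.hidden_links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attr = dict(attrs)
        hidden = is_hiding_style(attr.get("style") or "")
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1
        if tag == "a" and self.hidden_depth > 0:
            self._href = attr.get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.hidden_links.append((self._href, "".join(self._text).strip()))
            self._href = None
        if not any(t == tag for t, _ in self.stack):
            return  # stray closing tag in sloppy HTML; ignore it
        # Pop back to the matching open tag, tolerating unclosed elements.
        while self.stack:
            open_tag, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if open_tag == tag:
                break


def find_hidden_links(html: str):
    """Return a list of (href, text) for links the visitor cannot see."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden_links


# Constructed sample page modelled on the injection described above.
SAMPLE_PAGE = """<html><body>
<h1>Going on Five</h1>
<p>Welcome. <a href="/about.html">About us</a></p>
<div style="position:absolute; left:-9999px; top:0">
  <a href="/includes/">buy viagra online</a>
  <a href="http://airtravel-services.com/js/index.html">cialis</a>
</div>
<div style="display:none"><a href="http://viagra7online.com/">Canadian Pharmacy</a></div>
<img src="logo.png"><br>
<p><a href="/contact.html">Contact</a></p>
</body></html>"""


if __name__ == "__main__":
    for href, text in find_hidden_links(SAMPLE_PAGE):
        print(f"hidden link: {href!r} ({text!r})")
```

The scanner only sees inline styles. A DIV hidden through a class in an external stylesheet, or by JavaScript after load, will slip past it, so for a definitive check render the page in a headless browser and test each link's bounding box against the viewport instead of trusting the HTML source alone.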

The spam pages claim to be a "Google Pharmacy":

[Image: http://goingonfive.com/includes/]

The pages then link to grand-pills.com where people can order the drugs:

[Image: http://www.grand-pills.com/catalog/Erectile_Dysfunction/Cialis.htm]
There is also a second group of spam links hidden on http://goingonfive.com/. These links point directly to Canadian Pharmacy sites rather than going through hijacked sites for redirection, so they may have been added by a different group.

[Image: Hidden spam links]
One of the Canadian Pharmacy sites is http://viagra7online.com/:

[Image: Canadian Pharmacy]

American and other Russian scams

The Russian scam I reported on initially is served from http://goingonfive.com/modules/mod_wdbanners/resmmdnd.php. The directory /modules/mod_wdbanners/ contains many other pages that redirect to other scams.

[Image: Pages uploaded on http://goingonfive.com/]

The same list of files can be found on other DreamHost sites: http://dev.orioncombat.com/wp-content/uploads/, http://chicagoexposedstrippers.info/wp-content/plugins/extended-comment-options/, etc.

Most of these pages redirect to another Russian scam at http://arhivi-familii.com/. I noticed this one about a month ago.

[Image: http://arhivi-familii.com/]
This site claims to let you look up the family tree of anybody. The service looks free, but at the very bottom of the page the site mentions that the user will be charged 186 rubles every 10 days via SMS. Many people have complained on Russian forums about high charges for no actual service. Here are the cost details translated into English:

[Image: the service is NOT free!]

Two other pages redirect to a US scam that I detailed in an earlier post: get rich working from home, which abuses a Facebook Like widget to look legitimate.

[Image: "Work from home" scam]

These sites will probably host more and more spam and malicious content until they get added to popular denylists, at which point the hackers will move to new targets.