Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Follow Up on Russian Scam

February 13, 2012 - 3 min read
Last week, I described how many websites hosted on DreamHost had been hijacked.Since then, I found the same scams on websites hosted with different providers.

Often, vulnerable sites are hacked by many groups for various purposes including spam delivery, such as Blackhat SEO, other scams, etc. Many of the sites hosting the Russian scams are now used for other malicious purposes.

Blackhat SEO

One of the parameters that is used to determine the rank of a web site in the search results is the number of links to a given page. As such, spammers take advantage of vulnerable sites by adding links to site that the attackers want to promote and these links are often hidden from visitors to the page. The most common technique used involves adding a hidden DIV tag at the end of the page. This was done on for example:
Spam links
In this example, the DIV tag is moved out of the screen, to the left. The links for Viagra and other drugs point to other pages uploaded on the same site (in the /include folder), as well as to other hijacked websites (, etc.).

The spam pages claim to be a "Google Pharmacy":

The pages then link to where people can order the drugs:
There is also a second groups of spam links hidden on These links point directly to Canadian Pharmacy sites, rather than using hijacked sites for redirection. These links may have been added by a different group.
Hidden spam links
One of the Canadian Pharmacy sites is
Canadian Pharmacy

American and other Russian scams

The Russian scam I reported on initially is using The directory /modules/mod_wdbanners/ contains many other pages redirecting to other scams.
Pages uploaded on
 You can find the same list of files on other DreamHost sites:,, etc.

Most of these pages redirect to another Russian scam at I noticed this one about a month ago.
At this site, you are supposed to be able to lookup information on the family tree of anybody. The service looks free, but at the very bottom of the page the site mentions that the user will be charged 186 rubles every 10 days via SMS. Many people have complained about high charges for no actual service on Russian forums. Here are the cost details translated in English:
the service is NOT free!

Two other pages redirect to a US scam that I detailed in an earlier post: get rich working from home, which abuses a Facebook Like widget to look legitimate.
"Work from home" scam

These sites will probably host more and more spam and malicious content until they get added to popular denylists, at which point the hackers will move to new targets.
form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.