Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

High Profile Websites Hijacked To Lead To Fake Stores

January 12, 2011 - 2 min read

Recently, a lot of high profile .EDU and .GOV were hijacked to redirect users to fake online stores. Google searches related to buying software ("buy windows 7 key", where to buy microsoft, "purchase microsoft word", "buy microsoft office", etc.) contain a long list of websites running on non-standard ports: www.kidsforkidsfestival.org:8080, en.jurispedia.org:4444, >www.notiuno.com:4577, etc. These links redirect users to online stores which claim to sell software at a discounted price.



Spam results for buying Windows

Major websites hijacked

The list of hijacked sites include:




  • Harvard (Alexa rank in US: 875, cxc.harvard.edu)
  • MIT (Alexa rank in US: 963, petar.blog.lcs.mit.edu, fig.scripts.mit.edu, hlt.media.mit.edu)
  • Stanford (rank 782, mentalhealth.stanford.edu, yuba.stanford.edu, assu.stanford.edu)
  • Fandango (rank 236, www.summermovies.fandango.com)

There are also governmental sites in the list, from US, China and other countries:



  • openworld.gov
  • paceflorida.gov
  • fpa.tas.gov.au
  • ezhouinvest.gov.cn
  • perak.gov.my
  • misiones.gov.ar
  • etc.

Fake stores

The fake stores use multiple domain names, and each site looks slightly different: softsupreme.com, softsupreme.net, buysupreme.net, software-supreme.com, softbuy-download.net, softbuy-download.com, sacon.org, topoemdownloads.net, etc. I've seen more than 75 different domains so far.




Fake store

Multiple languages and other spams

Unlike the usual Blackhat spam SEO coming from the Google Hot Trends, this type of spam is targeted at multiple languages: English, French ("achat windows"), German ("Microsoft kaufen"), etc.

Hijacked sites on non-standard ports are also used for other types of spam: US student visa, Viagra, etc.

Once again spammers have managed to poison search results for popular searches. This specific spam was reported a month ago, but it still shows up in the first page of results for multiple searches.

-- Julien



Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.