Pharmacy spammer abusing small websites
Monday December 10, 2007 at 9:50 am CST
Posted by Kevin McGhee
I’m currently monitoring a high-volume pharmacy spam campaign in which the spammers have dropped a file onto many small, legitimate websites under country-code TLDs. So far I’ve seen 150+ domains from all over the world being abused:
http://[legitimate domain].co.il/redir.html
http://[legitimate domain].de/redir.html
http://[legitimate domain].si/redir.html
http://[legitimate domain].es/redir.html
http://[legitimate domain].com.tw/redir.html
The file is called redir.html and simply redirects the visitor’s browser to the spammer’s website; the spam itself links to the legitimate domain, not to the pharmacy site.

Clicking on the link brings you to a “Canadian Pharmacy” website (screenshot in the original post).
The majority are small-business websites, personal websites and blogs. These are probably the least secure, which makes it easier for the spammer to get the redirect file onto the site. Country-code TLDs are likely to hold a higher proportion of small local websites, so they give the spammer a richer hunting ground for sites that are not properly secured.
This is by no means a new technique, but it is one I’d associate more with phishing. As a colleague just said, “the spammers are following the phishers for a change”. It highlights the need for properly secured websites, no matter how big or small.
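As a triage aid for the redir.html pattern described above, here is an added example (not code from the original post or from the campaign files) that decides whether a fetched page is a bare redirector, extracts its destination, and flags the ones that send the browser off-site. The sample pages and hostnames are constructed for the example, and the visible-text threshold is an assumption.

```python
"""Triage helper for the redir.html pattern described above.

Given the contents of a page, decide whether it is a bare redirector
(a meta refresh or a JavaScript location change with no real content of
its own) and, if so, where it sends the browser. The sample pages below
are constructed for the example; they are not the files from the campaign.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# content="0; url=http://..." (meta refresh)
_REFRESH_CONTENT = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# window.location = "...", location.href = '...', location.replace("...")
_JS_LOCATION = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*"
    r"(?:=|\.replace\s*\()\s*['\"]([^'\"]+)['\"]",
    re.I,
)
# A page with more visible text than this is treated as real content that
# happens to contain a redirect, not a bare redirector (threshold is an assumption).
MAX_VISIBLE_TEXT = 200


class _PageScanner(HTMLParser):
    """Collects meta-refresh targets, inline script text and visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.meta_targets: List[str] = []
        self.script_text: List[str] = []
        self.visible_text: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH_CONTENT.match(a.get("content", ""))
            if m:
                self.meta_targets.append(m.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)
        elif data.strip():
            self.visible_text.append(data.strip())


def redirect_target(html: str) -> Optional[str]:
    """Return the destination URL if `html` is a bare redirector, else None."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    targets = list(scanner.meta_targets)
    targets += [m.group(1) for m in _JS_LOCATION.finditer("\n".join(scanner.script_text))]
    if not targets:
        return None
    if len(" ".join(scanner.visible_text)) > MAX_VISIBLE_TEXT:
        return None
    return targets[0]


def leaves_site(page_url: str, target: str) -> bool:
    """True when the redirect goes to a different host than the page lives on."""
    src = (urlparse(page_url).hostname or "").lower()
    dst = (urlparse(target).hostname or "").lower()
    return bool(dst) and dst != src


def triage(pages: Dict[str, str]) -> Dict[str, str]:
    """Map each page URL that is an off-site bare redirector to its destination."""
    hits = {}
    for url, html in pages.items():
        target = redirect_target(html)
        if target and leaves_site(url, target):
            hits[url] = target
    return hits


# Constructed samples (hostnames are placeholders, not real sites).
SAMPLES = {
    "http://shop.example.de/redir.html":
        '<html><head><meta http-equiv="refresh" content="0; url=http://pharmacy.example/?aff=12">'
        '</head><body></body></html>',
    "http://blog.example.si/redir.html":
        "<html><body><script>window.location.href='http://pharmacy.example/';</script></body></html>",
    "http://bakery.example.es/index.html":
        "<html><body><h1>Welcome to our bakery</h1><p>Open weekdays 8 to 6.</p></body></html>",
    "http://moved.example.tw/old.html":
        '<html><head><meta http-equiv="refresh" content="0; url=/new.html"></head><body></body></html>',
}

if __name__ == "__main__":
    for url, dest in triage(SAMPLES).items():
        print(f"{url} -> {dest}")
```

A site owner can run this over the HTML of every `.html` file in the web root (or over `http://<domain>/redir.html` fetched for a list of domains) and review only the off-site hits; an on-site meta refresh such as the `old.html` sample is left alone, since small sites legitimately use those when pages move.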


December 11th, 2007 at 6:10 am
Based on the screenshot, I know that “Canadian Pharmacy” has historically depended on fast-flux networks for service. Since you have not provided the destination domain, have you taken a look at DNS resolver results to determine whether this destination site is in flux?
W
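The comment above suggests checking resolver results for flux. As an added example (not from the commenter or the post author), the following takes a series of A-record answers for one domain and scores the traits fast-flux networks tend to show: short TTLs, a pool of addresses that keeps growing, and answers that repeatedly introduce addresses never seen before. The observations use constructed documentation-range addresses, the /16 prefix count stands in for ASN diversity because no routing data is available offline, and the thresholds are illustrative assumptions rather than a published detector.

```python
"""Heuristic fast-flux check over repeated resolver results.

Added example: the observations below are constructed (documentation-range
addresses) and the thresholds are illustrative assumptions. In real use,
feed in successive answers for the destination domain gathered over an
hour or more.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Lookup:
    t: int               # seconds since the first query
    ttl: int             # TTL returned with the A records
    a_records: List[str] # IPv4 addresses in the answer


def flux_indicators(lookups: List[Lookup]) -> Dict[str, int]:
    """Summarise the features fast-flux networks tend to show: many distinct
    IPs, IPs spread over many networks, short TTLs, and answers that keep
    introducing addresses never seen before (churn)."""
    seen: set = set()
    churn_events = 0
    for lk in lookups:
        ips = set(lk.a_records)
        if seen and not ips <= seen:   # this answer brought in a new address
            churn_events += 1
        seen |= ips
    # /16 diversity is a crude stand-in for ASN diversity (assumption: no
    # routing data is available offline).
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in seen}
    return {
        "lookups": len(lookups),
        "distinct_ips": len(seen),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(lk.ttl for lk in lookups),
        "churn_events": churn_events,
    }


def looks_like_fast_flux(lookups: List[Lookup], max_ttl: int = 900,
                         min_ips: int = 5, min_churn: int = 2) -> bool:
    """Illustrative rule: short TTL, a growing address pool, and repeated churn.
    Thresholds are assumptions, tune them against known-good domains."""
    ind = flux_indicators(lookups)
    return (ind["min_ttl"] <= max_ttl
            and ind["distinct_ips"] >= min_ips
            and ind["churn_events"] >= min_churn)


# Constructed observations (not real resolver output).
FLUX = [
    Lookup(0,    300, ["203.0.113.10", "198.51.100.23", "192.0.2.77"]),
    Lookup(600,  300, ["203.0.113.10", "198.51.100.41", "192.0.2.5"]),
    Lookup(1200, 300, ["203.0.113.99", "198.51.100.23", "192.0.2.130"]),
    Lookup(1800, 300, ["203.0.113.42", "198.51.100.8",  "192.0.2.200"]),
]
# One stable address with a long TTL: an ordinary small site.
STABLE = [Lookup(t, 86400, ["203.0.113.10"]) for t in (0, 600, 1200, 1800)]
# Low TTL and several addresses, but the same fixed pool every time:
# round-robin load balancing, not flux.
ROUND_ROBIN = [
    Lookup(t, 300, ["203.0.113.10", "203.0.113.11", "203.0.113.12"])
    for t in (0, 600, 1200, 1800)
]

if __name__ == "__main__":
    for name, obs in (("flux", FLUX), ("stable", STABLE), ("round-robin", ROUND_ROBIN)):
        print(name, flux_indicators(obs), looks_like_fast_flux(obs))
```

The churn count is what separates flux from a busy but honest site: a CDN or load balancer with a low TTL will hand out several addresses, but the same pool recurs, whereas a flux network keeps surfacing addresses the resolver has never returned before.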