9 May, 2018

WordPress Pharma Hacking: What Can You Do?

WordPress is a great website-building tool that's used by millions to make professional-looking blogs and websites quickly and easily. But because WordPress is so widely used, it's often a target for hackers. In fact, it always seems like you hear about new WordPress breaches. However, don't let that deter you from using WordPress, as it's still a great tool when used properly. If you manage a WordPress site for your company or business, it's always a smart idea to be knowledgeable about all the latest updates and any security breaches. One, in particular, known as the "pharma hack," has been affecting many users lately. Read on to learn more about WordPress pharma hacking, and what you can do to protect your website.
What is Pharma Hacking?
This hack seeks out vulnerable WordPress sites (i.e., ones that don't have the latest updates, security features, etc.). It uses black hat SEO techniques to exploit these vulnerabilities and hijack the search engine ranking of your highest ranking pages. These hacks can hide code in your site's CSS files, and from the front end of your website, you won't even notice it or see it in the HTML. But, on the back end, search engines will crawl your pages and see the malicious code. Black hat SEO techniques like this go against search engine guidelines, so search engines like Google will rank your pages lower because of this. In the long run, a search engine may even blacklist your website. This will deter users from accessing your site, which can hurt or potentially even halt traffic to your site.

Because the code can hide anywhere within your WordPress site (even in the theme or plugins), it can be difficult to detect. If, when searching for your site on a search engine, you see listings for pharmaceutical drugs as well, this is a sign you've been pharma hacked. You may think it will be easy to go into your code and fix it on your own. However, if you don't know exactly what you're looking for, it can be both pointless and time-consuming to search through every bit of code on your site, even if you're an expert.

As a business owner, your website is one of the most important ways you communicate with your clients and the public at large. You need to be vigilant to make sure that you are operating a website that's safe for users to visit, and not one that's been infected with malware, or compromised by hackers. If your site has been affected by a pharma hack, it can be detrimental to your search engine rankings and can turn off or confuse people who are looking for your site via search engines, so it's critical to get this issue resolved ASAP. However, now that you know what the pharma hack is, a little prevention can go a long way.
Pharma hack in WordPress | Malware Details
Let's look at recent infections that we encountered during the website malware cleanup process and that appear to target WordPress core files. In the specific case we investigate below, the attacker injects a link to the obfuscated code into the wp-settings.php file.
To hide from manual and automated malware searches, the malicious file uses a CSS extension. Here is the obfuscated code of the CSS file.
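A defender-side check for the pattern described above, as an added example (it is not code from the original post and not the malware sample): it walks a WordPress tree and reports static-asset files that contain PHP, plus PHP files that include a non-PHP file. The sample tree, the file name style-cache.css and the function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions that should never contain server-side code.
STATIC_EXT = {".css", ".js", ".png", ".jpg", ".gif", ".ico"}
# Heuristic markers of PHP hidden in a static file: the opening tag
# or decode helpers that only exist in PHP.
PHP_MARKERS = re.compile(rb"<\?php|\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# include/require statements whose quoted target ends in a non-PHP extension.
ODD_INCLUDE = re.compile(
    rb"\b(?:include|require)(?:_once)?\b[^;]*?['\"]"
    rb"([^'\"]+\.(?:css|js|png|jpg|gif|ico))['\"]", re.I)

def scan_wordpress(root):
    """Return sorted (relative_path, reason) findings under a WordPress root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in STATIC_EXT and PHP_MARKERS.search(data):
            findings.append((rel, "PHP code in static file"))
        elif path.suffix.lower() == ".php":
            for m in ODD_INCLUDE.finditer(data):
                findings.append((rel, "includes non-PHP file " + m.group(1).decode(errors="replace")))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: a clean stylesheet, a disguised one, a tampered core file."""
    root = Path(root)
    (root / "wp-includes/css").mkdir(parents=True)
    (root / "wp-includes/css/buttons.css").write_text("a.button { color: #fff; }\n")
    (root / "wp-includes/css/style-cache.css").write_text("<?php eval(base64_decode('...')); ?>\n")
    (root / "wp-settings.php").write_text(
        "<?php\nrequire( ABSPATH . WPINC . '/load.php' );\n"
        "@include_once( ABSPATH . 'wp-includes/css/style-cache.css' );\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_wordpress(tmp):
            print(rel, "->", reason)
```

Any hit in wp-settings.php or another core file is worth comparing against a clean copy of the same WordPress release.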
Looking deeper inside the malicious code
The malware downloads the bot list that will be used to boost traffic to the Pharma site. Here is the link to the active bot list: hxxp://ru.myip.ms/files/bots/live_webcrawlers.txt
It is also capable of getting WordPress log-in credentials and sending the details to the attacker's email.
Here are the referrer search engines that trigger the redirection. To test whether the Pharma hack has infected your website, you must search for your site using the following search engines:
  • google.com
  • bing.com
  • yahoo.com
  • ask.com
  • aol.com
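The referrer test described above can be automated; the following is an added example, not code from the original post. It requests a page once directly and once per listed search engine as the Referer, and reports any off-site redirect that only the search-engine visit receives. The function names, the example hosts and the fake_infected_fetch stand-in are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit

# Search engines the article lists as referrers that trigger the redirect.
SEARCH_REFERRERS = ["google.com", "bing.com", "yahoo.com", "ask.com", "aol.com"]

def http_fetch(url, referer=None):
    """One GET without following redirects; returns (status, Location or None)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("GET", path, headers={"Referer": referer} if referer else {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def referrer_cloaking(url, fetch=http_fetch):
    """Return {engine: location} for each search-engine referrer that gets an
    off-site redirect which the direct (no Referer) visit does not get."""
    site = urlsplit(url).hostname
    baseline = fetch(url, None)
    suspicious = {}
    for engine in SEARCH_REFERRERS:
        referer = "https://www.%s/search?q=%s" % (engine, site)
        status, location = fetch(url, referer)
        target = urlsplit(location).hostname if location else None
        if (status, location) != baseline and 300 <= status < 400 \
                and target not in (None, site):
            suspicious[engine] = location
    return suspicious

def fake_infected_fetch(url, referer=None):
    """Constructed stand-in for a compromised site: redirects Google/Bing visitors only."""
    if referer and ("google.com" in referer or "bing.com" in referer):
        return 302, "http://pharma-redirect.example/landing"
    return 200, None

if __name__ == "__main__":
    print(referrer_cloaking("http://shop.example/", fetch=fake_infected_fetch))
```

Called without the fetch argument, it issues real requests through http_fetch, so point it only at a site you administer.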
Here is the list of possible Pharma redirections:
How to Prevent Pharma Hacks
It's important to keep your WordPress site as secure as possible, to protect your data and the data of those who use your site and to make sure that your website is doing the job it was intended to do, without anything getting in the way. Pharma hacks have been around for years, but they're always adapting and getting smarter. Because of this, there are a few steps you can take to prevent and detect these hacks on your site.
The first, and arguably the most important thing you can do to prevent malware and hacks is always to keep your WordPress site updated. It's vital to update your website and all plugins as soon as an update is released. Many times, updates fix bugs or patch holes in security. So not updating puts you at risk for not only pharma hacks but other types of hacks as well. Pharma hackers seek out vulnerable sites without discretion, so don't let this slip past you. This step shouldn't be overlooked as it can prevent a large percentage of attacks.

Next, it's important to scan your site regularly for any inconsistencies or problems in your code. It's not effective to do this manually, especially if you have a large or complex site, but there are tools out there to help you. ThreatSign can help to detect any malicious code or malware on your site. If you use a tool like this regularly, you're doing yourself a favor in the long run, as you'll be able to catch anything out of the ordinary on your site before it becomes an issue for you or your users.
I've Been Pharma Hacked. Now What?
If you happen to search for your site on a search engine and notice something off (i.e., you're getting results for pharmaceuticals listed on your website), your first thought might be to panic. You probably had no idea that you were infected, and it could have been happening for weeks or months! What can you do to get to work on fixing this without feeling overwhelmed?
Malware and malicious code can infect users' browsers, send spam to your users, and even steal logins and passwords. Thus, it's important to take steps immediately. Because this code is so good at hiding undetected in your site, it's best to call in the pros, who can locate and remedy the problem quickly and efficiently.

ThreatSign can pinpoint malware and suspicious activity without you having to worry about carefully picking through all your code. A daily ThreatSign scan can make sure that you avoid having your site blacklisted by a search engine and can help you protect your online reputation. Since WordPress is such a popular website-building platform, it's a favorite target for hackers. Keep your pages secure by regularly updating your site, and scanning it for potential threats. If your site has been compromised, it isn't the end of the world. Trust ThreatSign to take care of your malware problems and get your site running smoothly again.