We often get requests like this one: "We're experiencing a massive spam URL injection issue on our site. Almost every page on our site has unauthorized pharmaceutical ads with links to seller sites. Please help!" What has hit them is the "pharma hack." Website owners too often don't realize that their site is under constant attack. If a site doesn't have enough protection, then sooner or later its pages will get infected. This attack is just one of the many unpleasant possibilities.
The pharma hack is especially sneaky. You see the spam pages in your search results yet not when you look at your own site. It doesn't mean you're going crazy. It's something that hits a lot of sites, and there are ways to prevent or remove it. Quttera's comprehensive website protection will greatly improve your site's safety against pharma hacks and other attacks. Here’s what you should know about pharma hacks and increasing your website security.
What the pharma hack looks like
This type of website infection comes in several variants. Most often, your site looks clean when viewed normally. There's no effect on its performance, and nothing terrible or unusual happens to visitors. But when people find your website with a Web search, it looks very different in the search results. The title may be changed to something like "Cheap Viagra." You see hints of links to sites that offer pharmaceuticals at low prices without a prescription. The offers are usually illegal in most countries. Yet when you open the page, it looks clean and innocent.
Those phantom links point at sites that are dubious at best. They may grab unsuspecting buyers' credit card information and not deliver anything. Perhaps worse, they could ship counterfeit or poor-quality drugs. The sales sites might infect visitors' computers with malware.
In some cases, the ads will be visible on the page, but only when visited through a search engine. Administrators and regular visitors won't encounter any problems. Just the ones who come in through a search will get spammy ads.
It's generally the most visited pages on a site that become affected. The attackers want the best return for their effort.
If this happens to your site, it's very damaging for your search engine performance. Links to shady sites will make your search rank go down, or your pages may not show up at all. Even after you remove the problem, it could take days for your search engine rank to recover.
If the search result doesn't scare them off, visitors to infected pages may get browser warnings that your site is unsafe. Even regular visitors will get warned, not just the ones doing searches, once your site is on a blacklist. The harm to your reputation can be severe.
How the pharma hack works
The difference between what the search engines see and what you see may seem like some sinister magic at work. The "magic," though, is just a matter of dynamic content and request headers.
A server can examine the request's headers, such as User-Agent, to tell where it's coming from. A request from Google's crawler looks different from a request from a browser.
Malware can use that information to send different information to a crawler. The pharma hack changes the title, the content, and possibly other tags when it detects a crawler request.
What it's doing is called "Black Hat SEO." It's trying to improve the search rank of the pharma dealer's pages at the expense of yours. People don't have to see or click on the ads; they boost the target's search rank just by being there. Eventually, Google and other search engines spot the trick and blacklist the page, but by then, the dealers have moved on to another domain.
Pharma hacks often hit WordPress sites. They add PHP code to infected pages, making them change their content for search engines. Also, they store the malware in the database. Fixing the pages without cleaning up the database provides only temporary relief.
Where does pharma hack come from?
We have found that about 2% of all the Web traffic filtered by the ThreatSign cybersecurity platform targets pharma hack links. In most cases, the attackers take advantage of unpatched vulnerabilities in the host software. They may also come in through malicious plugins.
The intruders aim for the pages that have the highest search rank. The success of their campaign depends on your pages being seen on Google and other search sites.
The domains that they link to change constantly. The attackers expect to be shut down and blocked frequently, and they just move on. The rest of the link is more consistent. You'll see links to pages like these:
How to detect pharma hacks
Because they don't show themselves to regular users, pharma hacks are hard to spot. They may remain on the server for weeks before someone catches on to the problem. When reports come in, admins may dismiss them because they can't replicate the issue.
If you get reports of this type, take them seriously. Googlebot simulators are available which show how your site looks to Google. A more straightforward approach is to run a search on your website. You can add "site:myownwebsite.com" to narrow the search to your site. If it's infected with a pharma hack, that kind of search should make it visible.
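The comparison a Googlebot simulator performs can also be scripted. The following is an added example, not Quttera's code or part of the original article: it requests a page under several header profiles and reports the title, link hosts, and spam terms that appear only in the crawler or search-referred response. The header values, the term list, and the two sample pages are assumptions constructed for illustration.

```python
import re
import urllib.request

UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
PROFILES = {  # assumed header sets: plain browser, crawler, visitor arriving from a search
    "browser": {"User-Agent": UA},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "search_visitor": {"User-Agent": UA, "Referer": "https://www.google.com/"},
}
SPAM_TERMS = re.compile(r"\b(viagra|cialis|pharmacy|no prescription)\b", re.I)  # sample list
TITLE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
LINK_HOST = re.compile(r"""href\s*=\s*["']?https?://([^/"'\s:>]+)""", re.I)

def summarize(html):
    """Return the title text, the set of linked hosts, and the spam terms found."""
    m = TITLE.search(html)
    title = m.group(1).strip() if m else ""
    hosts = {h.lower() for h in LINK_HOST.findall(html)}
    terms = {t.lower() for t in SPAM_TERMS.findall(html)}
    return title, hosts, terms

def compare(baseline_html, other_html):
    """Return what appears only in the response served to the non-browser profile."""
    b_title, b_hosts, b_terms = summarize(baseline_html)
    o_title, o_hosts, o_terms = summarize(other_html)
    findings = [("title_changed", o_title)] if o_title != b_title else []
    findings += [("extra_link_host", h) for h in sorted(o_hosts - b_hosts)]
    findings += [("spam_term", t) for t in sorted(o_terms - b_terms)]
    return findings

def scan(url):
    """Fetch url once per profile and diff each response against the browser view."""
    def fetch(profile):
        req = urllib.request.Request(url, headers=PROFILES[profile])
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode("utf-8", "replace")
    base = fetch("browser")
    return {name: compare(base, fetch(name)) for name in PROFILES if name != "browser"}

# Constructed sample responses, standing in for two fetches of the same page.
CLEAN = "<title>Acme Garden Tools</title><a href='https://acme.example/shop'>Shop</a>"
CLOAKED = ("<title>Cheap Viagra</title><a href='https://acme.example/shop'>Shop</a>"
           "<a href='http://pills.example/buy'>no prescription</a>")

if __name__ == "__main__":
    print(compare(CLEAN, CLOAKED))
```

Run scan() against the most visited pages of your own site. An empty result does not prove the site is clean, because some cloaking code checks the crawler's IP address rather than its headers, so keep the "site:" search as a second check.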
How to protect against pharma hacks
Pharma hacks, especially the ones targeting WordPress sites, are difficult to remove altogether. The database is compromised along with the pages. You need to clean up both to keep the problem from coming back. Also, you should harden your site, installing any necessary security patches.
Preventing a successful pharma hack attack is easier than curing the problem. Several steps are necessary to bring website security up to snuff.
An external website scan which can imitate search engine behaviors as well as common variants of visitor behavior. It will try various combinations of User-Agent, Referer, and other headers.
An internal scan to find corrupted files and databases and fix them.
Anti-malware protection, including a web application firewall (WAF), to keep out malicious traffic and prevent infection.
Quttera provides all these services as part of its ThreatSign website protection. Don't wait until your site is compromised. Sign up with ThreatSign today.