An illustration of how careful and clever spammers are today
October 9, 2010
I recently ran across an interesting illustration of how clever and dedicated modern blog spammers are. The spammer in question had (it appears) found a vulnerable Wordpress-based blog and compromised it, but not in the usual straightforward and obvious way; instead, they had opted for something much less visible.
The website acted like this:
This seems clearly designed to avoid tipping off the blog's owner and its regular visitors and users to the compromise; they would see everything as normal and it would all look like business as usual. Only visitors arriving from search engines would be redirected, i.e. the people least likely to have regular contact with the blog and to be in a position to report anything (or even to have any interest in reporting it, as opposed to concluding that they'd been taken in by a scam site that had fooled Google).
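This kind of selective redirect is usually called cloaking, and the simplest way to implement it is to key on the HTTP Referer header. The probe below is an added example, not code from the original post: it fetches the same URL as three kinds of visitor (a direct visitor, someone clicking through from Google, and a search-engine crawler) without following redirects, and flags any profile that ends up somewhere different from the direct visitor. The Referer-based trigger, the visitor profiles, the pharmacy.example destination and the `simulate_compromised_site` payload are all assumptions constructed for the demo; the post does not show the real injected code.

```python
"""Probe a site for referrer-conditional redirects (search-engine cloaking).

Added example, not code from the original post. The compromise described
above redirected only visitors arriving from search engines; one obvious way
to implement that is to key on the HTTP Referer header. This probe requests
the same URL under several visitor profiles, refuses to follow redirects so
the Location target stays visible, and reports any profile whose outcome
differs from the direct visitor's. The simulated site is a hypothetical
reconstruction of such a payload so the probe can be exercised offline.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumption: referrers a cloaking payload would plausibly key on.
SEARCH_REFERERS = ("google.", "bing.", "yahoo.")

# Visitor profiles to compare. User-Agent strings are illustrative only.
PROFILES: Dict[str, Dict[str, str]] = {
    "direct": {"User-Agent": "Mozilla/5.0 (cloaking-probe)"},
    "from-google": {"User-Agent": "Mozilla/5.0 (cloaking-probe)",
                    "Referer": "https://www.google.com/search?q=example"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
}


@dataclass
class Outcome:
    status: int      # HTTP status code returned for this profile
    final_url: str   # the URL itself for 2xx, the Location target for 3xx


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of following, so we can inspect it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, headers: Dict[str, str]) -> Outcome:
    """Live fetch of one URL under one profile (used when a URL is given)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            return Outcome(resp.status, resp.geturl())
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return Outcome(err.code, err.headers.get("Location", ""))
        return Outcome(err.code, url)


def simulate_compromised_site(url: str, headers: Dict[str, str]) -> Outcome:
    """Hypothetical reconstruction of the injected payload's decision logic.

    Constructed for this example: redirect only when the Referer looks like
    a search engine; everyone else (owner, regulars, crawlers) gets the blog.
    """
    referer = headers.get("Referer", "").lower()
    if any(key in referer for key in SEARCH_REFERERS):
        return Outcome(302, "http://pharmacy.example/")  # constructed spam target
    return Outcome(200, url)


def probe(url: str, fetch: Callable[[str, Dict[str, str]], Outcome]) -> Dict[str, Outcome]:
    """Fetch `url` once per profile and return the outcome for each."""
    return {name: fetch(url, dict(hdrs)) for name, hdrs in PROFILES.items()}


def cloaking_suspects(results: Dict[str, Outcome]) -> List[str]:
    """Profiles whose outcome differs from what a direct visitor gets."""
    baseline = results["direct"]
    return sorted(
        name for name, out in results.items()
        if name != "direct"
        and (out.status != baseline.status or out.final_url != baseline.final_url)
    )


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target, fetch = sys.argv[1], http_fetch           # probe a live site
    else:
        target, fetch = "http://blog.example/", simulate_compromised_site
    outcomes = probe(target, fetch)
    for name, out in outcomes.items():
        print(f"{name:12} -> {out.status} {out.final_url}")
    found = cloaking_suspects(outcomes)
    print("cloaking suspected for:", ", ".join(found) if found else "none")
```

Run it with a URL as the only argument to probe a live site; with no argument it runs against the simulated payload, where only the from-google profile is redirected. The crawler profile is there because the post implies Google itself still indexed the legitimate content, which is exactly what a referrer-keyed payload produces. A payload keyed on something else (user agent, cookies, source IP, a once-per-visitor flag) would need further profiles, so a clean result from this probe is evidence, not proof.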
The only reason that I discovered this is that I was using Google to find the site again. Because of how I manage browser history I knew that Google had found the right site for me, so I was very disconcerted to find myself abruptly on a spam pharmacy site and knew that something had gone badly wrong somewhere. Without the positive knowledge that this was the right site, I'd have written this off as a spammer hijacking Google search terms or the like.
(Because of the specific circumstances, I'm sure that this is a legitimate site and almost completely sure that the blog's owner is not in on this. For obvious reasons I'm not linking to the site or giving you enough information to find it in search engines; the compromise is ongoing as I write this entry, and for all I know the pharmacy site is also loaded with malware.)
I find it both interesting and disturbing that spammers are doing compromises that are this sophisticated. Since this is a Wordpress blog, this is probably a canned exploit and payload, but still, someone had to develop it, fully weaponize it, and probably make it easy for people to use. (And I imagine that there is a marketplace involved, too, with people selling compromised blogs that are ready to host the content of your choice and so on.)