Pharma Spam-Virus

Pharma Spam-Virus is a type of SEO spam that cybercriminals use to improve the search-engine rank of websites selling pharmaceutical products such as Viagra, Cialis, Xanax, Valium, and Celebrex. The Compromised Website Report 2017 found that 44% of all website compromises included the creation of SEO spam campaigns on the targeted website. This kind of attack adds new pages, or alters existing ones, to insert links for SEO purposes. It is a form of black-hat SEO called spamdexing. Spamdexing uses a variety of techniques to get links placed on other people's websites. Those links point either to further compromised websites carrying more links or directly to the cybercriminal's money websites, the ones they want to push up the search-engine rankings. The technique works because a search engine uses the number of links pointing at a website to decide where that website ranks in its results. If cybercriminals succeed, through exploits or spamming techniques, in placing links on thousands of websites, their money website ranks higher and earns more. Cybercriminals involved in this activity may also place entire pages of spam on other people's websites (as shown below). These pages are fully functional sales pages that send customers to payment gateways to purchase products.
In this article we explain how Pharma Spam-Virus operates and how you can protect your website from this kind of attack.

The cybercriminals will use a backdoor to gain remote access to your website

The cybercriminal must find a way to upload an infected file to your website before they can run their spam scripts. They will usually start by looking for websites that run an outdated version of WordPress, or a plugin with a known exploitable vulnerability. Sometimes they target a specific hosting company known for lax security on its servers.

Once the backdoor is installed, the cybercriminal may or may not use it immediately; that depends on the state of their black-hat SEO campaigns. The most common locations for this kind of backdoor script are wp-content/uploads/.*php (a PHP file with a random name), wp-includes/images/smilies/icon_smile_old.php.xl, wp-includes/wp-db-class.php and wp-includes/images/wp-img.php.

The contents of this file usually include a long encoded string that is passed to the eval function to run. The string looks like a jumbled series of letters and numbers.

The cybercriminals run this file remotely to read your database details from wp-config.php. The file then acts as a remote shell, giving them all kinds of information about the server. Once the cybercriminals have the database and login credentials from wp-config.php, they can modify and add pages as they see fit.

Locating this backdoor file and removing it is usually the first step when removing Pharma Spam-Virus from a website.

The files installed through the backdoor help the cybercriminals create and manage their Pharma Spam-Virus. These files are usually installed in a plugin directory, and they are often named to resemble the plugin directory they sit in. For example, if they have been installed in the Jetpack plugin directory, they might be named wp-jetpack.php, db-jetpack.php or ext-jetpack.php. In some cases they use hidden files or image files to store data. The easiest way to ensure your plugin directories are clean of all infected files is to reinstall the plugins from a reputable source.
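The indicators in the two passages above (the known backdoor paths, PHP files under wp-content/uploads, a long encoded string fed to eval, and droppers named after the plugin directory they sit in) can be turned into a simple file-system scan. The script below is an added example written for this article, not code from the article or from WordPress; the regular expressions for the eval/decoder pattern and the 200-character encoded blob are assumptions chosen to match the description, and the WordPress tree it scans is a constructed stand-in built in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Backdoor paths named in the article (relative to the WordPress root).
KNOWN_BACKDOOR_PATHS = {
    "wp-includes/images/smilies/icon_smile_old.php.xl",
    "wp-includes/wp-db-class.php",
    "wp-includes/images/wp-img.php",
}
# Assumed signatures for "a long encoded string passed to eval":
# eval() wrapped around a decoder, and a quoted base64-looking run of 200+ chars.
EVAL_DECODER = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
LONG_ENCODED_BLOB = re.compile(rb"['\"][A-Za-z0-9+/=]{200,}['\"]")
# Dropper named after its plugin directory: wp-<plugin>.php, db-<plugin>.php, ext-<plugin>.php
PLUGIN_NAMED_DROPPER = re.compile(r"^wp-content/plugins/([^/]+)/(?:wp|db|ext)-\1\.php$")


def scan_wordpress(root):
    """Return a sorted list of (relative_path, [reasons]) for suspicious files."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel in KNOWN_BACKDOOR_PATHS:
            reasons.append("known backdoor path")
        # WordPress never needs PHP under uploads; ".php" anywhere in the name
        # also catches double extensions such as image.php.jpg.
        if rel.startswith("wp-content/uploads/") and ".php" in path.name.lower():
            reasons.append("PHP file under uploads")
        if PLUGIN_NAMED_DROPPER.match(rel):
            reasons.append("dropper named after its plugin directory")
        if ".php" in path.name.lower():
            data = path.read_bytes()
            if EVAL_DECODER.search(data):
                reasons.append("eval of decoded string")
            if LONG_ENCODED_BLOB.search(data):
                reasons.append("long encoded blob")
        if reasons:
            findings.append((rel, reasons))
    return sorted(findings)


def build_sample_site():
    """Constructed stand-in for a WordPress tree; returns its root directory."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    blob = "QUJD" * 60  # 240 characters of base64 alphabet, constructed
    files = {
        "wp-includes/functions.php": "<?php function wp_clean() { return true; }",
        "wp-includes/wp-db-class.php": "<?php // the path alone is the indicator here",
        "wp-content/uploads/2017/photo.jpg": "not really a jpeg, constructed",
        "wp-content/uploads/2017/xk9f3.php": f"<?php eval(base64_decode('{blob}')); ?>",
        "wp-content/plugins/jetpack/jetpack.php": "<?php /* Plugin Name: Jetpack */",
        "wp-content/plugins/jetpack/db-jetpack.php": f"<?php $p = '{blob}'; ?>",
    }
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, reasons in scan_wordpress(build_sample_site()):
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against a real installation with `scan_wordpress("/path/to/wordpress")`. A hit on any single rule is a lead, not proof: compare the flagged file against a fresh copy of WordPress or the plugin from its official source before deleting it, and treat a PHP file under uploads or a file at one of the known backdoor paths as a strong signal regardless of its contents.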

Finally, the cybercriminals make changes to your database so they can add their Pharma Spam-Virus. They often modify the wp_options table, adding records that support their programs. Pharma Spam-Virus adds rows to the wp_options table with option names like "class_generic_support", "widget_generic_support", "wp_check_hash", "fwp" and "ftp_credentials". You should delete these records from your database if they are present. The cybercriminal's backdoor may also change the users registered on your website, or even add a new user with administrator permissions. Check the registered users and their email addresses, and reset all passwords, to address this risk.
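The database checks described above (the five suspicious wp_options rows and the audit of administrator accounts) can be scripted. The following is an added example for this article, not code from the article or from WordPress. It uses an in-memory SQLite database with constructed rows as a stand-in for the real MySQL tables so that it runs offline; the three queries use only standard SQL and apply unchanged to a WordPress MySQL database, with `wp_` assumed as the table prefix.

```python
import sqlite3

# Option names the article associates with the pharma hack.
SUSPICIOUS_OPTIONS = (
    "class_generic_support",
    "widget_generic_support",
    "wp_check_hash",
    "fwp",
    "ftp_credentials",
)
_IN_LIST = ",".join("?" * len(SUSPICIOUS_OPTIONS))  # "?,?,?,?,?"


def build_sample_db():
    """Constructed in-memory stand-in for the relevant WordPress tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                                 option_value TEXT, autoload TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)",
        [
            ("siteurl", "https://example.com", "yes"),
            ("blogname", "Example Site", "yes"),
            ("wp_check_hash", 'a:1:{s:4:"hash";s:5:"dummy";}', "yes"),        # constructed
            ("ftp_credentials", 'a:1:{s:4:"host";s:9:"localhost";}', "yes"),  # constructed
        ],
    )
    conn.executemany(
        "INSERT INTO wp_users (ID, user_login, user_email, user_registered) VALUES (?, ?, ?, ?)",
        [
            (1, "editor", "editor@example.com", "2016-03-01 10:00:00"),
            (7, "wp_sys_update", "drop@mail.example", "2017-09-14 03:12:55"),  # constructed rogue admin
        ],
    )
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [
            (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
            (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        ],
    )
    conn.commit()
    return conn


def find_suspicious_options(conn):
    """Names of the article's suspicious options that are present, sorted."""
    rows = conn.execute(
        f"SELECT option_name FROM wp_options WHERE option_name IN ({_IN_LIST})",
        SUSPICIOUS_OPTIONS,
    ).fetchall()
    return sorted(r[0] for r in rows)


def remove_suspicious_options(conn):
    """Delete those rows; returns how many were removed."""
    cur = conn.execute(
        f"DELETE FROM wp_options WHERE option_name IN ({_IN_LIST})", SUSPICIOUS_OPTIONS)
    conn.commit()
    return cur.rowcount


def list_administrators(conn, prefix="wp_"):
    """(ID, login, email, registered) for every account holding the administrator role."""
    # Roles live in usermeta under <prefix>capabilities as a serialized PHP array.
    return conn.execute(
        """SELECT u.ID, u.user_login, u.user_email, u.user_registered
           FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
           WHERE m.meta_key = ? AND m.meta_value LIKE '%"administrator"%'
           ORDER BY u.ID""",
        (prefix + "capabilities",),
    ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("suspicious options:", find_suspicious_options(db))
    for row in list_administrators(db):
        print("administrator:", row)
    print("removed:", remove_suspicious_options(db))
```

Review the administrator list by hand: an account you do not recognise, a throwaway e-mail address, or a registration timestamp that coincides with the compromise is what the article tells you to look for. Take a database backup before running the delete.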

Unfortunately, having Pharma Spam-Virus on your website carries negative consequences, including:

Lower rankings for your website. When Google sees dozens of spammy outbound links on your website's pages, it may reduce your search-engine rankings.
Blacklisting. Spammy links to low-quality spam websites are against search-engine guidelines; if your website accumulates enough of them, it may be blacklisted by some search engines.
Further infections. A website compromised by Pharma Spam-Virus is likely to have other problems, because the same foothold attracts other forms of malware, including infected redirects and forced downloads.

Pharma Spam-Virus is not always easy to detect. If the cybercriminals have created completely new pages on your domain, you may never see them because you do not know the URLs. Often the first hint is a penalty from Google, or someone telling you about the spam on your website. Some techniques you can use to check whether you have Pharma Spam-Virus:

The cybercriminals are very effective at getting their spam pages indexed, so the pages should be easy to find with Google. Go to Google and search for "inurl:yoursite.com viagra OR cialis". This should list the pages on your domain that contain those words; most Pharma Spam-Virus pages contain one or both of them. Google's Advanced Search makes this easier.

There are many third-party scanners that will check your website for pharmacy spam, or check its status against several blacklists such as Google Safe Browsing, PhishTank and Malware Domain List. You can test your website against several blacklists at once with Threat Press Website Scan.

You can also navigate through the folders and files on your server to look for new additions.

Pharma Spam-Virus is notoriously difficult to remove because cybercriminals often plant multiple backdoors and insert infected code in different locations. Use the following steps to ensure the attacker's access is permanently removed:

Start by removing the entry point the cybercriminals used to compromise your website. As discussed earlier, search by modification date to locate files such as wp-includes/images/smilies/icon_smile_old.php.xl, wp-includes/wp-db-class.php, wp-content/uploads/.*php and wp-includes/images/wp-img.php.

Back up your plugins and the data those plugins saved to the database, then reinstall the plugins from a genuine source. This ensures any infected files added to your plugin directories are gone.

For additional assurance, install a WordPress security plugin and scan your WordPress core files. The scanner will flag any infected code added to the core files, and may help you locate the backdoor if you did not find it in step 1.

Many third-party tools will scan your website to identify spam pages or compromised files. The following services offer free scans for infected files.

Ensure the server runs an up-to-date antivirus program. Applications like ClamAV are very effective at locating potentially infected files.

Assume that the cybercriminal has gained access to your database: generate new WordPress salt keys and change the passwords for your FTP accounts, database (important), WordPress users and hosting accounts. Check that there are no additional users in the system and review every user's email address.

A Pharma Spam-Virus compromise usually adds pages to your WordPress database. Track down all of these pages and remove them, along with the extra PHP files throughout your installation.

For maximum safety, replace your WordPress core files with the latest versions. Some Pharma Spam-Virus compromises store files in the active theme's directory, so delete and replace your theme's files as well.
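One step in the clean-up above, generating new WordPress salt keys, is easy to get half right by editing only some of the eight `define()` lines in wp-config.php. The script below is an added example for this article, not code from the article or from WordPress: it rewrites all eight salts at once with cryptographically random values and leaves the database settings alone. It assumes the default wp-config.php form `define('KEY', 'value');` with single quotes, and the alphabet it draws from is an assumption chosen so that no character needs escaping inside a PHP single-quoted string; the sample configuration is constructed.

```python
import re
import secrets

SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Characters safe inside a PHP single-quoted string (no quotes, no backslash).
SALT_ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
                 "!@#$%^&*()-_=+[]{}<>?,.:;|~")
# Assumes the default wp-config.php form: define('KEY', 'value');
_DEFINE_LINE = re.compile(r"define\(\s*'(?P<key>[A-Z_]+)'\s*,\s*'(?P<val>[^']*)'\s*\);")


def random_salt(length=64):
    """A 64-character salt from the CSPRNG, like the ones api.wordpress.org hands out."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def regenerate_salts(config_text):
    """Return (new_config_text, {key: new_value}) with all eight salts replaced."""
    new_values = {}

    def replace(match):
        key = match.group("key")
        if key not in SALT_KEYS:
            return match.group(0)  # DB_NAME, DB_PASSWORD etc. are left untouched
        new_values[key] = random_salt()
        return f"define('{key}', '{new_values[key]}');"

    return _DEFINE_LINE.sub(replace, config_text), new_values


def read_salts(config_text):
    """Current salt values, for checking that none of the old ones survive."""
    return {m.group("key"): m.group("val")
            for m in _DEFINE_LINE.finditer(config_text)
            if m.group("key") in SALT_KEYS}


# Constructed sample wp-config.php fragment with the stock placeholder salts.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp_site');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'old-db-password');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    rewritten, salts = regenerate_salts(SAMPLE_CONFIG)
    print(rewritten)
    print(f"replaced {len(salts)} salts")
```

To apply it to a real site, read wp-config.php, pass its text to `regenerate_salts`, and write the result back (keep a copy of the original). Changing the salts invalidates every existing login cookie, which is exactly what you want after a compromise: any session the attacker still holds is logged out along with everyone else's.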

Check other Websites hosted on the same server (account)

If your hosting account holds multiple websites, check the others too, because every website on the same hosting account could be compromised as well.

If Google has detected the Pharma Spam-Virus on your website, your website may already be penalized. Once you have repaired it, go to Google Search Console and use the Remove URLs feature to eliminate any references Google holds to the infected pages. Then go to Search Traffic > Manual Actions and request a review of your website.

Ensuring this kind of attack does not happen again

Here are a few techniques you can follow to ensure you don’t get compromised with Pharma Spam-Virus again.

Improve your passwords
Install a WordPress security plugin
Install a WordPress theme-checking plugin
Never install plugins or themes from an untrusted source
Keep WordPress, your themes and your plugins updated
Make sure your WordPress installation is backed up regularly
Consider moving to a web host with better WordPress security than others