Rogue redirectors hosted on compromised hosts

Jul 28, 2010 08:47 GMT  ·  By

Security researchers warn that Canadian Pharmacy spammers are abusing legit websites in their latest campaigns. The junk emails link to simple HTML redirect scripts hosted in the root directory of sites that have been compromised.

"We're currently seeing a wave of fake pharma spam emails which do not directly advertise the URL of the fake pharma website in the spam email. Instead, the spam emails advertise URLs which point to HTML pages that are hosted in compromised sites," threat researchers from antivirus vendor Trend Micro warn.

These rogue pages hosted on legit websites have the purpose of redirecting victims to the final spam landing sites. Two different types of redirectors have been observed so far: one is a META refresh and the other a JavaScript-based redirect.

It seems the attackers also upload JPEG images advertising various pills in the root directory of the compromised websites. These images are included and displayed in the junk emails sent to users.

The Trend Micro experts point out that as many as 1,000 new hosts are abused by this new spam campaign on a daily basis. However, since the affected sites don't appear to be using the same type of software, there is probably no common vulnerability being exploited.

The most likely explanation for the compromises is stolen FTP credentials, especially since these are not in short supply on the black market. There are various information-stealing trojans that particularly target FTP accounts, and Trend Micro reports that such credentials are sold in bulk on underground forums for relatively cheap prices. For example, a set of 300,000 stolen FTP logins can be acquired for as little as $250.

Of course, the same credentials are sold to more than one hacker, and that is why the compromised websites usually show signs of multiple infections. In this latest case, the campaign has been tracked back to the notorious Rustock spam botnet.

Webmasters who find this kind of rogue HTML redirect script or JPEG image on their webhosting accounts should immediately delete them and change the password to their FTP accounts. Performing a full system scan with a capable and up-to-date antivirus program on the computers they use regularly is also strongly encouraged.
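Because the article places both redirector types, and the spam images, in the root directory of the compromised site, a webmaster can triage a hosting account by scanning just that directory for HTML files that bounce visitors to a host that is not their own. The script below is an added example written for this article; it is not code from the article or from Trend Micro. The sample pages, the file names and the `pharma-landing.example` host are constructed stand-ins, not real indicators from the campaign.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample content modelled on the two redirector types the
# article describes (a META refresh and a JavaScript location redirect),
# plus a benign page, a page with an ordinary external link and a stray
# JPEG. Names and the landing host are placeholders, not real indicators.
SAMPLE_FILES = {
    "index.html": "<html><body><h1>Welcome to our bakery</h1></body></html>",
    "a1b2c3.html": '<html><head><meta http-equiv="refresh" '
                   'content="0;url=http://pharma-landing.example/"></head></html>',
    "z9y8x7.html": "<html><body><script>window.location.href="
                   "'http://pharma-landing.example/?a=1';</script></body></html>",
    "about.html": "<html><body><p>About us</p>"
                  "<a href='http://example.org/'>partner</a></body></html>",
    "pills.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

# <meta http-equiv="refresh" content="N;url=...">
META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)
# location = '...', location.href = '...', or location.replace('...')
JS_REDIRECT_RE = re.compile(
    r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.replace\(\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def redirect_target(html: str):
    """Return (kind, url) for the first redirect found in html, else None."""
    m = META_REFRESH_RE.search(html)
    if m:
        return "meta-refresh", m.group(1)
    m = JS_REDIRECT_RE.search(html)
    if m:
        return "js-redirect", m.group(1) or m.group(2)
    return None


def is_external(url: str, own_hosts) -> bool:
    """True when url is absolute and points at a host we do not operate.
    own_hosts must already be lower-cased."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in own_hosts


def scan_webroot(root: Path, own_hosts) -> list:
    """Scan only the top-level directory, where the campaign drops its files.
    Returns one finding dict per redirecting HTML file and per loose JPEG."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for path in sorted(root.iterdir()):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix in {".html", ".htm"}:
            html = path.read_text(encoding="utf-8", errors="replace")
            hit = redirect_target(html)
            if hit and is_external(hit[1], own):
                findings.append({"file": path.name, "kind": hit[0], "target": hit[1]})
        elif suffix in {".jpg", ".jpeg"}:
            # Images in the webroot are only listed for review, not judged.
            findings.append({"file": path.name, "kind": "image-in-webroot", "target": None})
    return findings


def write_samples(directory: Path) -> Path:
    """Materialise the constructed samples into a directory (for the demo)."""
    for name, content in SAMPLE_FILES.items():
        p = directory / name
        if isinstance(content, bytes):
            p.write_bytes(content)
        else:
            p.write_text(content, encoding="utf-8")
    return directory


def demo() -> list:
    """Run the scanner over the constructed samples in a temporary webroot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = write_samples(Path(tmp))
        return scan_webroot(root, {"www.example.com", "example.com"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a downloaded copy of the hosting account's root (replace `demo()` with `scan_webroot(Path("/path/to/webroot"), {"your-site.example"})`). Two caveats: a redirect to a relative URL or to one of your own hosts is deliberately not flagged, and only literal-string redirects are matched, so JavaScript that assembles the destination from concatenated or encoded pieces needs a manual look.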


Photo Gallery (2 Images): "Compromised websites used to host pharma spam redirectors"; "Sample of pharma spam email linking to compromised website".