If you have ever done a search on Google or Bing and seen some results with odd descriptions that brought you to a completely unexpected and unrelated page when you clicked on them, you may have seen what’s called a “pharma hack”. It’s named that because it is most commonly found redirecting traffic to scam sites selling pharmaceuticals – things such as fake Viagra, weight loss pills, and “male enhancement” products.
Probably the biggest scammers out there currently using this hack are the ones behind the “Shark Tank” ads. They have a landing page showing two brothers who allegedly appeared on the TV show Shark Tank and won a huge endorsement for some miracle pill, which they are now selling. The catch is, the screenshot they use, along with the quotes and story of the product, are all fake. The product never appeared on the TV show, the endorsements are fake and the product reviews are made up.
Most frequently, you’ll see the ads on versions of the domains bestpill.icu, maleperformance-news.com or sports.com-4daily.top. The products change almost daily, with names such as Vialis, Cialix, Via Pro Maxx, Rigorix, Sildaxin, KingSize, ViaraDaxx, and the list goes on.
The hack usually appears on WordPress sites which were left vulnerable by their owners not keeping them patched and up to date. Because the hack typically checks the referring domain, a hacked URL usually shows a blank page or a 404 if you go to it directly. This makes it tough for the site owner to see they have been hacked. Many sites we found were still showing the hack even after we reported it to the owners.
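A site owner can test for this referrer check by requesting the same URL with and without a search-engine Referer header and comparing the responses. The Python sketch below is an added example, not part of the original article; the Referer values, the function names and the constructed sample responses are assumptions.

```python
import hashlib
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumed Referer values; the article only says the hack checks the referring domain.
SEARCH_REFERERS = ("https://www.google.com/", "https://www.bing.com/")

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report 3xx responses instead of following them

def fetch(url, referer=None, timeout=10):
    """Return (status, Location header, SHA-256 of body) for one GET."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(urllib.request.Request(url, headers=headers), timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # 3xx/4xx/5xx still carry a status, headers and body
    body = resp.read()
    return resp.code, resp.headers.get("Location") or "", hashlib.sha256(body).hexdigest()

def cloaking_signs(site_host, direct, referred):
    """List differences between a direct and a search-referred fetch."""
    (d_status, d_loc, d_hash), (r_status, r_loc, r_hash) = direct, referred
    signs = []
    if d_status != r_status:
        signs.append(f"status {d_status} direct vs {r_status} referred")
    loc_host = urlparse(r_loc).hostname
    if r_loc != d_loc and loc_host and loc_host != site_host:
        signs.append(f"referred visit redirects off-site to {loc_host}")
    # Dynamic pages can differ between any two fetches; review this one by hand.
    if d_status == r_status and d_hash != r_hash:
        signs.append("same status, different body")
    return signs

def check_url(url):
    """Fetch url directly and via each assumed search Referer; return all signs."""
    host = urlparse(url).hostname
    direct = fetch(url)
    return {ref: cloaking_signs(host, direct, fetch(url, ref)) for ref in SEARCH_REFERERS}

# Constructed sample: a direct visit gets a 404, a search-referred one is redirected.
EMPTY_HASH = hashlib.sha256(b"").hexdigest()
SAMPLE_DIRECT = (404, "", EMPTY_HASH)
SAMPLE_REFERRED = (302, "https://pills.example/offer", EMPTY_HASH)

if __name__ == "__main__":
    print(cloaking_signs("shop.example", SAMPLE_DIRECT, SAMPLE_REFERRED))
```

An empty result only means the referrer comparison found no difference for that URL; it does not show the site is clean.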
We found the hack on every kind of site imaginable, from flower shops to government sites and large universities. Many of the more recent versions show a copy of a web site called schwinnng.com, though the owner of that site has denied involvement. Still, the Schwinnng owner has apparently not filed DMCA requests to have his content removed and it remains up on several hacked sites.
As a site owner, the best bet for avoiding these kinds of scams is to keep all your themes, plugins and WordPress installations updated. For information on cleaning up a hacked WordPress site, try these tips. If you need more help, try contacting Sucuri.