Sunday, April 9, 2017

WordPress sites redirecting to Weight Loss Product Site, Pharma Hack

NOTE: All Links below were active & working as of 4/9/2017

I have seen a bunch of spammy-looking emails with a subject line similar to

Incredible Formula Is Now Available For Everybody

All from random sender addresses such as

mlhernandez@bolivar.gov.co
py10024@dongshin.net
kd-dovitec@vnn.vn


With email bodies like this, with a hyperlink on the last line:

Tsss... Though this exclusive product is already out there for everybody on the web, the amount is very limited, so don't tell your friends about it until you get some first.
Advanced solution and redesigned formula has been created to help you get rid of excessive weight. Natural ingredients and secret components are exactly what you need to get back in a great shape and get your dream body.
Act now as next week it will already be too late. Get a beautiful and fit body like you deserve.


The hyperlink went to sites like these, which appear to be hacked WordPress sites, probably outdated installs with unpatched plugins:

hxxp://klkgraphics[.]com/wordpress_d/wp-includes/SimplePie/lib.php?c2JyeWFuQG9zaGtvc2hjb3JwLmNvbQ==
hxxp://www.sandeepguptagmatclasses[.]com/wp-admin/css/dump/db.php?aGxvdWRlbkBkZWZlbnNlLm9zaGtvc2hjb3JwLmNvbQ==
hxxp://unlimitedsuccesscoaching[.]com/wp-includes/SimplePie/Decode/old.php?dG1vcnJpc0BqbGcuY29t
hxxp://covrefugee[.]org/wp-includes/SimplePie/Decode/lib.php?bGdhbGxhY2hlckBqbGcuY29t
hxxp://www.libertywebcreation[.]com/norfolk/wp-includes/fonts/ini.php?dGxiaWdoYW1AamxnLmNvbQ==
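Added here as an illustration, not part of the original post: a small Python scanner that runs over constructed Apache access-log lines and flags the two tells visible in the links above, a direct hit on a .php file sitting under an asset tree such as wp-includes or wp-admin/css, and a query string that is one bare base64 token (the tokens above decode to e-mail addresses, presumably the spam recipient, for click tracking). The log format, the suspicious-directory list and the allowlist entry are assumptions to tune for a real install.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (Apache combined format); hosts, IPs and tokens are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2017:10:01:12 +0000] "GET /wp-includes/SimplePie/lib.php?dXNlckBleGFtcGxlLmNvbQ== HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.8 - - [09/Apr/2017:10:01:40 +0000] "GET /wp-includes/fonts/ini.php?YWxpY2VAZXhhbXBsZS5vcmc= HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.3 - - [09/Apr/2017:10:02:05 +0000] "GET /wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1" 200 97184 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Apr/2017:10:02:30 +0000] "GET /wp-admin/css/dump/db.php?Ym9iQGV4YW1wbGUubmV0 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [09/Apr/2017:10:03:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Asset/library trees of a stock WordPress install: browsers almost never request a .php file in them directly.
SUSPICIOUS_DIRS = ("/wp-includes/", "/wp-admin/css/", "/wp-content/uploads/")
# Assumed allowlist of legitimate direct-hit scripts; tune it for your install.
ALLOWED_PHP = {"/wp-includes/js/tinymce/wp-tinymce.php"}

def bare_base64_token(query):
    """Return the decoded bytes if the query is one bare base64 token, else None."""
    if (not query or "=" in query.rstrip("=") or len(query) % 4
            or not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", query)):
        return None  # key=value queries and non-base64 junk are not the pattern
    try:
        return base64.b64decode(query, validate=True)
    except (binascii.Error, ValueError):
        return None

def scan_access_log(text):
    """Return one record per request showing either tell, with the reasons."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        reasons = []
        if (url.path.endswith(".php") and url.path.startswith(SUSPICIOUS_DIRS)
                and url.path not in ALLOWED_PHP):
            reasons.append("php_in_asset_dir")
        decoded = bare_base64_token(url.query)
        if decoded is not None:
            reasons.append("bare_base64_query")
            if b"@" in decoded and b"." in decoded:  # likely a tracked recipient
                reasons.append("encoded_email")
        if reasons:
            hits.append({"ip": m["ip"], "path": url.path, "status": m["status"], "reasons": reasons})
    return hits
```

Running `scan_access_log(SAMPLE_LOG)` flags the three dropped-script hits and leaves the jQuery and admin-ajax requests alone.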


If the user clicks any of those links, the site simply redirects to this one site, so it is likely the same attacker is behind each of them:

hxxp://dietokdlikefut[.]com/us/emko/t11-cla?bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX


The page title on that page is:

Gwen Stefani Shares Blake Shelton's Secret To Rapid Weight Loss (Pics Below)

No matter where you click on that page, all links go to this follow-up URL:

hxxp://dietokdlikefut[.]com/us/emko/go.php?CID=313491&bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX


If you decide you want to buy the product, clicking checkout goes to this page:

hxxps://checkout-cla-extract[.]com/?click_id=04_29517092_5bcca100-2e0d-4262-a3d7-a225b73ac143&subid1=313491&netid=3&ver=old&ad=1kN9


I also found it interesting that, at any point on the fake sales-pitch page, if you remove the PHP file name it redirects you to a random sub-domain that contains the exact same content:

hxxp://557-healthandbeauty.dietokdlikefut[.]com/us/xvoh/cla-safflower-oil/
hxxp://852-diet.dietokdlikefut[.]com/us/hefk/cla-safflower-oil/
hxxp://110-health.dietokdlikefut[.]com/us/lldl/cla-safflower-oil/


This looks to me similar to past Pharma Hacks I've seen, where the attacker simply goes around hacking weak WordPress sites in order to both bump up their search engine rankings and generate traffic to their website to make money.

Let me know if I'm missing anything else important.


Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.
