
SANS ISC: InfoSec Handlers Diary Blog - When Rogue On-Line Pharmacies Take Over Forum Discussions



When Rogue On-Line Pharmacies Take Over Forum Discussions

Published: 2010-01-20
Last Updated: 2010-01-27 14:21:27 UTC
by Lenny Zeltser (Version: 2)
3 comment(s)

Rogue on-line pharmacy sites, claiming to sell legitimate medicine to naive shoppers, continue to be a problem. This quick note is about one approach used to insert advertisements into forum discussions that completely cover up the legitimate discussion page.

My first look at this approach began with an ISC reader J. notifying us of an apparent defacement of a particular discussion thread on social.technet.microsoft.com:

The advertisement is for medical.deal-info.info (please don't go there).

The offending HTML code seems to have been added to the discussion thread as a forum posting. Here's the relevant HTML source code excerpt that sets the stage for the advertisement:

<div class="container"><div class="body"><div style="border:medium none;background:white none repeat scroll 0% 50%;position:fixed;left:0pt;top:0pt;text-decoration:none;width:1700px;height:7600px;z-index:2147483647">

The <div class="body"> tag is part of the original website's code and is supposed to be followed by the user's forum posting, such as "I have a question about CAS servers..." Instead, we see HTML code creating a white DIV region that is pinned to the top left corner of the browser window (position:fixed, so it does not scroll away) and is 1700x7600 pixels in size, large enough to cover the forum's legitimate content. The "z-index" CSS property is set to 2147483647, which is the largest value many browsers accept (the maximum of a signed 32-bit integer); this makes sure that the offending region is drawn on top of any other element on the page.

As a result, the whole website looks defaced. In reality, the discussion page's content is still in place; it was just covered up by the advertisement.

I'm unclear why the forum software did not filter out the HTML tags when they were submitted for posting; this may be attributed to an input-scrubbing bug.
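One way a forum's input filter could catch this pattern is shown below, as an added example that is not code from the diary, from the forum software involved, or from any of the sites named above: a small Python scanner that flags submitted HTML whose inline styles combine fixed/absolute positioning, a very large z-index, or a box far larger than a viewport, which is the combination the excerpt above relies on. The thresholds (z-index 1000, 1024 by 2000 pixels) and the sample posting are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser

SAMPLE_POST = (  # constructed sample mimicking the diary's overlay posting, not the live page
    '<div class="body"><div style="border:medium none;background:white none repeat scroll '
    '0% 50%;position:fixed;left:0pt;top:0pt;width:1700px;height:7600px;z-index:2147483647">'
    'Cheap pills here</div><p style="color:red">I have a question about CAS servers...</p></div>'
)

def parse_style(style):
    """Split an inline style string into a lowercased {property: value} dict."""
    decls = {}
    for decl in style.split(';'):
        prop, sep, value = decl.partition(':')
        if sep:
            decls[prop.strip().lower()] = value.strip().lower()
    return decls

def px(value):
    # Pixel size of a CSS length such as '1700px'; 0 for anything else (e.g. '0pt', None).
    m = re.fullmatch(r'(\d+(?:\.\d+)?)px', value or '')
    return float(m.group(1)) if m else 0.0

def overlay_reasons(decls):
    """Reasons an inline style looks like a page-covering overlay (empty if none)."""
    reasons = []
    if decls.get('position') in ('fixed', 'absolute'):   # escapes normal document flow
        reasons.append('position:' + decls['position'])
    z = decls.get('z-index', '')
    if z.isdigit() and int(z) >= 1000:                    # far above any normal page element
        reasons.append('z-index:' + z)
    if px(decls.get('width')) >= 1024 or px(decls.get('height')) >= 2000:
        reasons.append('oversized box')                   # larger than a typical viewport
    return reasons

class OverlayScanner(HTMLParser):
    # Records every tag whose inline style matches the overlay heuristics above.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            reasons = overlay_reasons(parse_style(value or '')) if name == 'style' else []
            if reasons:
                self.findings.append((tag, reasons))

def scan_post(html):
    """Return [(tag, reasons), ...] for a submitted posting; an empty list means no overlay seen."""
    scanner = OverlayScanner()
    scanner.feed(html)
    return scanner.findings
```

A forum could reject a posting with a non-empty result, or strip the flagged style attribute and keep the text, and log the finding either way.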

I came across several other pharma-advertising websites that employed a similar discussion-covering technique:

This advertisement is for canadian-drugshop.com and supercapsulesrx.com (please don't go there).

Here's the relevant HTML source code excerpt:

<div style="border: medium none ; background: white none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; position: fixed; left: 0pt; top: 0pt; text-decoration: none; width: 1700px; height: 7600px; z-index: 2147483647

And another example using similar code:

This advertisement is for top.pharma-search.biz and purchase.dnsdojo.com (please don't go there).

Update: Folks at StopTheHacker.com performed an interesting analysis of forums that display pharmacy advertisements. If you find this note useful, you will probably enjoy reviewing their findings as well.

Have you analyzed such incidents? Have insights to offer? Please let us know.

 -- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.
