Most of the time when we talk about spam, we think about mindless machines that create posts or comments to advertise a business related to drugs, accessories, or essays.
But what if a hacker tried to convince your clients to click on malicious links based on the content of your website?
A Customized Spam Campaign Targeting Pizza Delivery
We recently found a very interesting case where bad actors used a website’s existing content to create personalized spam campaigns.
A pizza delivery website was compromised. The hacker wrote a single paragraph on the homepage to advertise their diet pills, while simultaneously reminding the reader that pizza is one of the products responsible for weight increase in young men and women.

Xenical Spam Masked as Legitimate Content
The text says:
“Pizza is delicious, satisfying, appetizing, but do not forget that the pizza is a lot of flour products. Increasingly, Americans are overweight, and fast food products, hamburgers, pizzas and a quick snack only worsens the situation and the weight of young men and women is becoming more and more. If you want to start losing weight, it’s worth reading about Xenical, which is sold in every us pharmacy. Before you start taking Xenical you should consult with your doctor, or read the information on DietxPills about the best drugs for weight loss and choose the most effective drug for yourself. Xenical works in an interesting way, the food that enters the body is not absorbed into the intestine, and Xenical as it creates a protective film in the intestine, thereby protecting against the absorption of food. We wish you to be healthy and happy and if you are not obese, we invite you to our cozy place.”
The hacker even tries to impersonate the pizza company by making the content appear to be a legitimate post from the website, but ends it with an offensive line towards obese people.
Malicious Redirects Lead to Weight Loss Websites
Clicking the hyperlinks in the message redirects the visitor to hxxps://www[.]dietxpills[.]com/, a site which sells weight loss pills and diet products.

By searching for the IP, we discovered that the site shares a server with at least 46 other sites being used for the same purpose: selling drugs without a prescription.
The solution for the case was pretty simple.
The malicious paragraph was found in one of the theme's files, specifically /inc/meta.inc.php, which is located inside the WordPress theme directory. The content wasn't even encoded, so all we needed to do was search for it.
During the investigation process, we also found a malicious WordPress user—websysadmin—that had to be removed.
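Because the injected paragraph was stored unencoded, a plain-text sweep of the theme directory is enough to locate this kind of content. The following Python script is an added example, not code from the original post: it flags theme PHP files that contain watch-list terms or hyperlinks to hosts outside an allowlist. The term list, the hostnames pizza.example and pills.example, and the sample files are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Assumed watch-list for this example; extend it with terms relevant to your site.
SPAM_TERMS = ("xenical", "weight loss", "pharmacy")
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def scan_theme(theme_dir, allowed_hosts, terms=SPAM_TERMS):
    """Return sorted (relative_path, line_no, reason) findings for PHP files under theme_dir."""
    findings = []
    allowed = {h.lower() for h in allowed_hosts}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, theme_dir).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in enumerate(fh, 1):
                    low = line.lower()
                    findings += [(rel, no, "term:" + t) for t in terms if t in low]
                    for url in HREF_RE.findall(line):
                        try:
                            host = urlparse(url).hostname or ""
                        except ValueError:  # malformed URL in the markup
                            host = ""
                        # Relative links and PHP-generated URLs have no host; skip them.
                        if host and host not in allowed:
                            findings.append((rel, no, "link:" + host))
    return sorted(findings)

def demo():
    """Build a constructed theme tree with one injected paragraph and scan it."""
    with tempfile.TemporaryDirectory() as theme:
        os.makedirs(os.path.join(theme, "inc"))
        with open(os.path.join(theme, "header.php"), "w", encoding="utf-8") as fh:
            fh.write('<a href="https://pizza.example/menu">Menu</a>\n')
        with open(os.path.join(theme, "inc", "meta.inc.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php // theme meta ?>\n")
            fh.write('<p>read about <a href="https://pills.example/">Xenical</a></p>\n')
        return scan_theme(theme, allowed_hosts={"pizza.example"})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real site, point scan_theme at the active theme directory and pass the site's own hostnames as the allowlist; encoded or obfuscated injections will not be caught by this kind of plain-text search.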
Cause & Prevention of Spam
When we got our hands on the case, the website was using outdated software: WordPress version 4.9.6.
The most plausible explanation for how the hacker got into the site is that they leveraged a vulnerability in the outdated software to plant their spam content.
We encourage website owners to keep everything on the website up to date, be it plugins, themes, or CMS installations.
Placing the site behind a website firewall would have blocked the hacker from being able to create users and modify content.
Our website security platform protects your website from malware and attacks so you don’t have to worry about a malicious spam campaign disrupting your online business.
*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Gabriel Barbosa. Read the original post at: https://blog.sucuri.net/2019/07/spam-that-fits-your-website.html

