Threat Intelligence Blog

Posted December 3, 2009

Tactic Used to Spread Malware Now Observed Hijacking Users, Pushing Them to Illegal Online Pharmacies

Less than three weeks ago, Cyveillance shared its discovery of Google search results that lead users directly to malware. In that exploit, cyber criminals infected websites and placed blog software on them that automatically posted pages that Google would later find, index, and include in its search results. Users that clicked the links in Google’s search results were redirected to other sites that attempted to install malware on users’ computers.

Cyveillance has now observed the same tactic being used to drive traffic to illegal online pharmacies. Similar to before, cyber criminals have inserted blogging software on compromised pre-existing websites. The blog software automatically generates content like that found in the following image.

The rogue blog posts content laden with references to the erectile dysfunction drug Cialis.

The rogue blog software notifies Google that new content is available, and Google’s crawlers visit the new content for inclusion in the search results it presents to users.

Sites that are unknowingly hosting this version of the rogue blog software can be found with the Google search

If a user were to click on any of the results shown above or any other search results from the directory where the rogue blog is found on the compromised sites, they would be redirected to a site like, which in turn would redirect them to an online pharmacy like the one below.

Those who click on the poisoned results will be ultimately delivered to

Enter Glavmed, the Notorious Illegal Pharmacy Ring

The site where these search results lead,, is part of the long-standing illegal online pharmacy network called Glavmed. Believed to be related to the Russian Business Network (RBN), Glavmed is a long-standing Russia-based organization that relies on affiliates to market counterfeit pharmaceuticals.


While Glavmed is perhaps best known for spam related to erectile dysfunction drugs like Viagra, Cialis, and Levitra, their sites sell medications for body-building and heavy duty painkillers.

What’s New This Time?

In our earlier report a user could avoid being redirected to the malware drop site by not clicking on the link in the Google search results and simply typing in the address of the link into their browser’s navigation bar. This time, typing in the link will still result in the user being redirected to the online pharmacy. This makes it harder for users to avoid being hijacked by the cyber criminals.

Further, last time it appeared that the middleman site that would perform the initial redirect to the malware drop site would change on a regular basis, almost daily. Since discovering the Google search results that lead to the online pharmacy, Cyveillance has observed the same redirector middleman site ( and the same final destination ( Overall, this is a simpler scheme than before and should be easier to remove for the safety of internet users.

Closing Thoughts

The number of websites found that are unknowingly hosting these rogue blogs is relatively low at the moment. However, as described in our original post a few weeks ago, it would be naive to believe that those presented here are the only sites where this tactic is used by cyber criminals. Internet users should remember to exercise extreme caution when ordering medications online. The US Food and Drug Administration lists steps consumers should take when considering purchasing drugs online. Additionally, never order medications online from Glavmed.

Additional Posts

Hosting Companies Targeted in Recent Phishing Attacks

Earlier today, Cyveillance detected attacks targeting Web hosting companies and their customers. As ...

Spike in Phishing Attacks on First Day of Thanksgiving Weekend

Cyveillance saw a significant spike in phishing threats on Thanksgiving Day, representing more than ...