WP Concern over Coronavirus Leading to Global Spread of Fake Pharmacy Spam | Imperva

Concern over Coronavirus Leading to Global Spread of Fake Pharmacy Spam

Concern over Coronavirus Leading to Global Spread of Fake Pharmacy Spam

High levels of concern around the Coronavirus are currently being used to increase the online popularity of spam campaigns designed to spread fake news and drive unsuspecting users to dubious online drug stores.

Given the level of anxiety that currently exists globally around the spread of the potentially lethal Coronavirus, it’s perhaps unsurprising that opportunistic spammers are using the term in their campaigns. Indeed, the following two graphs show a very clear correlation between the term’s popularity on Google, and its appearance in bot traffic caught by Imperva over the same period.

Google Trend for the term “coronavirus”

Google Trend for the term “coronavirus”
[Source: https://trends.google.com/trends/explore?date=today%201-m&geo=US&q=coronavirus]

The term “coronavirus” used by bots caught by Imperva

For people searching for genuine information on Coronavirus, this is polluting their online search results with fake and meaningless results. Not only does the content of this spam do nothing to help people in their quest to educate themselves on this global health risk, but bot operators are using technology to exploit the public’s need for medical information in order to gain a few more clicks to their fake pharmacies.

A site allegedly containing real time Coronavirus information that leads to bogus pharmacies

A site allegedly containing real time Coronavirus information that leads to bogus pharmacies

Comment spamming in detail

We identified two different types of spam campaigns that relied on the hype around Coronavirus.

 

The most popular involves comment spamming – an automatic technique which uses either scripts or bots to inject specific content into comments on a site, and that will remain there indefinitely. A simple Google search revealed the following examples of where spammers had successfully posted comments.

Examples of spam comments containing the term “coronavirus”

Examples of spam comments containing the term “coronavirus”, found at random on the internet

On closer inspection, you can see that among the copy about the virus itself, the spammers have inserted URLs linking to dubious drug-selling businesses. The question, though, is why?

There are two possible reasons. The first is clickbait – campaigns designed to trick innocent users, anxious about Coronavirus, into clicking on their links and – hopefully – even ordering their products.

The second reason is for SEO purposes. As a highly searched-for term over the last few weeks, the addition of “Coronavirus” might have a positive effect on the site hosting the spam comments. By making it more visible, and ranked more highly in web searches, it might eventually generate more leads to the spammers’ sites. Backlinks from the spam comments will also benefit the drug sites’ SEO.

But what benefit do spammers stand to gain from posting comments like these? Typically, it comes in the form of a financial kickback. Campaigns such as this are sometimes run by third parties – companies that offer to “boost inbound traffic”, or Blackhat SEOs, a phenomenon explored by Imperva in some detail here. On other occasions, the campaigns may be run as part of an affiliate program to either directly sell third-party products, or link to a site from where they may be purchased. Either way, the spammers behind the campaigns will usually take a percentage of any sales made.

Spam gets sophisticated

The second type of campaign we discovered was far more sophisticated than the “spray-and-pray” technique used in many spam campaigns. From a comment placed on a random site, unsuspecting users were taken to a hijacked “neutral” site made to look like a Coronavirus information resource – including a (copied) real-time map of the virus’s progress – and then on to a notorious online drugstore.

Let’s look at it in more detail. Here’s an example HTTP request we caught in our system:

coronavirus code snippet

This is a POST request, sent to a random site, and is comprised of three distinct elements:

  1. A short sentence (marked in green) that appears to be a popular coronavirus-related search-engine query, useful to help the spam comments achieve a higher rank in Google searches related to Coronavirus.In this case it’s “que es coronavirus” (Spanish for “what is coronavirus”) , but we’ve also seen the use of “coronavirus pandemic simulation”, “wuhan city china wikipedia”, and “coronavirus infection precautions” amongst many other variations.
  2. Two chunks of random text (marked in blue), copied from existing – and entirely unrelated – websites , the purpose of which is to help make the comment appear legitimate in order for it not to be blocked. In this example, a simple Google search revealed the text might have been taken from here:
    coronavirus 7a
    And here:
    coronavirus 8
  3. The most important element of the request, marked in red, is the link which, in this example, points to http://www.[REDACTED].com/?wuhan-coronavirus-outbreak-singapore.

While www.[REDACTED].com, a uniform store in Bangladesh – seems legitimate, a quick Shodan search reveals that it resides on a highly vulnerable server.

Shodan search reveals that it resides on a highly vulnerable server

But the query string varies from comment to comment. And, regardless of the content of that query string – even something arbitrary like www.[REDACTED].com/?spamming-is-a-waste-of-time – they always redirect to the same bogus “Coronavirus information” site, when used as part of a full link.

Based on events we’ve inspected in the past, we could reasonably assume that the uniform site had been compromised, with a malicious change of code or configuration used to redirect any non-existing endpoint to the fake information site.

It took us a while to notice that the – generic but benign-looking – “Coronavirus information” site was fake, however. After all, it contained links to a number of different sites offering medical information, each of which was also generic but benign-looking.

A bogus Coronavirus information site luring people to see real-time information

A bogus Coronavirus information site luring people to see real-time information

The most striking element of the site was the link to a real-time interactive map – a map that was, in fact, copied from John Hopkins University dashboard on nCoV-2019 global cases and which, unlike the main page and its links to medical information, was far from benign. The “interactive map” site actually contained a number of links to the infamous “Canadian Pharmacy” – neither Canadian, nor a pharmacy, but in fact a spam operation thought to be linked to Russian cybercriminals.

Staying on top of spam

Spam is, at best, a nuisance. At worst, it can be used to deliver phishing messages, infectious malware, and more. Pharma spam is particularly nefarious – not only in terms of the volume of spam involved, but for the risks posed to public health by counterfeit drugs.

But, as long as spammers are able to make money from encouraging site traffic or sales, they’ll continue to do so. Sowing clickbait or SEO in comments relies on spammers staying on top of the hot topics. And right now, topics don’t get any hotter than Coronavirus.

As ever, awareness is key. Be sure that what you’re reading is what you think it is, and never click on a link you don’t recognize.