Pharmaceutical Hacks at Schools (May, 2016)

Introduction: Harvard

If you Google this string,
you see the expected results, finding pages at the college, as shown below.

However, if you google this, "canadian pharmacy"
you see very different results: pages selling illegal drugs.

If you click those links (which I don't recommend unless you are willing to risk being infected with malware), you see real pages put up by criminals selling drugs, like these:

Those pages are clearly not official Harvard pages, but they are being served from a Harvard web server. Someone has hacked into the server and altered the files on it to serve those pages.

Redirectors: Humboldt State University

The Harvard hack seems to have placed the entire drug-sales pages on Harvard servers, but a more common type of hack places a redirector on the site so viewers coming from a Google search are bounced to a different server.

To see that, Google this: viagra
The results look similar to the Harvard results.

But if you click on them (which is not a very safe thing to do), you are redirected to a different domain.

Rewriters: Cal State

Another type of hack adds text and links into existing pages. The result is very strange.

To see that, Google this: "canadian pharmacy"
The URLs look like real pages, but the text contains references to drug sales.

The pages have been defaced with added text, mixed into the original content. It's surprising no one noticed it.

Complete List & Responsible Disclosure

Here's the list of the 70 sites I notified. I found them with these Google dorks: "canadian pharmacy" viagra no prescription
college viagra no prescription
They aren't all colleges; some are just nonprofits and other organizations.

I notified all the sites between April 24, 2016 and April 26, 2016. I re-tested them on May 12, 2016. 26% of them fixed the problem, but the others, including the three shown above, did not. None of them let me help, or sent me samples of the malware, unfortunately. But, on the bright side, none of them accused me of being a criminal or threatened to prosecute me, and I appreciate that.

Conclusion: White-Hatting

I end up in the same place I was when I did a similar project in 2013. Notifying people about security problems has about a 20% chance of doing any good.

Posted 5-12-6 by Sam Bowne