I recently found an interesting illustration of how clever and dedicated modern blog spammers are. The spammer in question had (it appears) found a vulnerable Wordpress-based blog and compromised it, but not in the usual straightforward and obvious way; instead, they had opted to be much less obvious about it.

The website acted like this:

If you directly visited the site with Firefox (and likely Chrome, IE, Safari, Opera, or any other mainline browser) everything you saw was normal and just what you expected. I assume that the non-public portions (eg the WordPress admin interfaces) are also completely normal.

If you visited the website with something else, such as wget or lynx or, crucially, search engine crawlers, what you saw had typical pharmacy spam terms stuffed in as page titles, article titles, and HTML meta-keywords. The actual article text seemed unaffected. This substitution (and de-substitution for mainline browsers) was sufficiently thorough to also get the syndication feed; if you pulled it with wget it was pharmacy-ied, and if you looked at it in Firefox it wasn't. As a result of being visible to search engine crawlers, the pharmacy spam terms turned up in Google's and Bing's clip summary of the site and were visible in its cached pages.

or or, crucially, search engine crawlers, what you saw had typical pharmacy spam terms stuffed in as page titles, article titles, and HTML meta-keywords. The actual article text seemed unaffected. If you came to the site from a search engine and you were using Firefox (and probably any of the mainline browsers), you immediately got redirected to an online pharmacy site. I assume that sending visitors to this is the spammer's real, ultimate goal.

This seems clearly designed to avoid tipping off the blog's owner and its regular visitors and users to the compromise; they would see everything normally and it would all look like business as usual. Only people from search engines would be redirected, ie the people least likely to have regular contact with the blog and be in a position to report things (or even to have any interest in reporting things, as opposed to thinking that they'd been taken by a scam site that had fooled Google).

The only reason that I discovered this is that I was using Google to find the site again. Because of how I manage browser history I knew that Google had found the right site for me, so I was very disconcerted to find myself abruptly on a spam pharmacy site and knew that something had gone badly wrong somewhere. Without the positive knowledge that this was the right site, I'd have written this off as a spammer hijacking Google search terms or the like.

(Because of the specific circumstances, I'm sure that this is a legitimate site and almost completely sure that the blog's owner is not in on this. For obvious reasons I'm not linking to the site or giving you enough information to find it in search engines; the compromise is ongoing as I write this entry, and for all I know the pharmacy site is also loaded with malware.)

I find it both interesting and disturbing that spammers are doing compromises that are this sophisticated. Since this is a Wordpress blog, this is probably a canned exploit and payload, but still, someone had to develop it, fully weaponize it, and probably make it easy for people to use. (And I imagine that there is a marketplace involved, too, with people selling compromised blogs that are ready to host the content of your choice and so on.)