By Mike S
Lara Bergman of Sword & Shield presents a case study of a site hacked to sell pharmaceuticals outside the website’s normal product line:
Sword & Shield recently received a call for help from a medical center when someone informed them that their website was being used to sell Viagra online. Director of Forensics and Incident Response Bill Dean and Senior Security Analyst Matt Smith began their investigation into the allegations and soon uncovered an amazingly covert way hackers caused a high-traffic website to be redirected to an online pharmacy selling the drug without a prescription.
A hacker had infiltrated the website and embedded nefarious code into the source code containing the word, “Viagra.” Thereafter, when a web user searched on the keyword, “Viagra,” or even searched for the medical center online, the repeated use of popular keywords would cause either search to appear high on the first page of the search engine’s “organic” (non-advertising) results. Research has shown that most web users opt to choose one of the first four or five URLs presented in their search, so it is important to spammers to get top placement.
Does your website have change auditing, which notifies you when any change has been made to a live website? This is required by the PCI DSS, but is a good idea for any website.