Today while searching in Google, a strange URL caught my attention: http://www.vwadviseurs.nl/joke/rizatriptan-10mg/. The Dutch domain sounds like a name for a legitimate advice company, but why would they have a page about a drug? Out of curiosity I clicked the link and saw an online pharmacy in English on the Dutch domain vwadviseurs.nl. Each link on this page points to a page on surfaid.me. This is all very suspicious, especially since https://www.vwadviseurs.nl looks like a sincere website for a financial company. So I decided to investigate this and found an entire web of malicious landing pages to surfaid.me.
More than one landing page to surfaid.me
I suspected the website was hacked and a landing page for surfaid.me was added. The first thing I did was to contact the owner of vwadviseurs.nl to notify them about it. Then I asked myself how Google could index this page. So I searched for “http://www.vwadviseurs.nl/joke” and found more landing pages to surfaid.me on http://www.vwadviseurs.nl/joke/*.
Web of landing pages to surfaid.me
But more importantly I found two websites linking to these landing pages: day4rx.com and box4rx.com. They contain a few pages with long ugly lists of links to pharmacy products on other websites, which vwadviseurs.nl is one of. I opened some of the other links and saw similar landing pages to surfaid.me. I realized I found an entire web of landing pages!
How it works
The higher the organic position of a website in Google, the more visitors it gets. For a web shop this means more revenue. More links pointing to a websites generally means a higher organic position (Link building). In this case landing pages where added to vulnerable websites to increase the organic position of surfaid.me. The homepages were not altered to prevent the webmaster from noticing it, so the landing pages would not be removed.
But the hidden malicious landing pages must be indexed by Google. An easy way to do this is to link to them from websites that already have been indexed. Surfaid.me does not link to them itself as reciprocal links have little or no value for a higher organic position. So day4rx.com and box4rx.com are used for this.
Hacker safe?
I browsed around surfaid.me and got to the Checkout page. According to the bar below it should be safe to order here, but somehow it doesn’t feel so…