Hacks that use re-ed-shop.com as a destination



There are two basic ways to create a pharma hack. One way is to simply redirect the user’s browser directly to the pharmacy site when they click on the hack-created search results. The other way is to create a pharmacy page that comes from the hacked site but has links to the pharmacy site. Of these two basic ways, the second, a pharmacy page with links, is the most common.

There are two common ways for a hacker to add a pharmacy page to a site. One way is to create a jpeg or png file of a pharmacy page and upload it to the hacked site. The other is to use HTML and JavaScript to create the page and then pull the images and JavaScript it needs from the actual pharmacy site or from another support site dedicated to supporting hacks.

Using HTML and setting the page’s base to a second site with <base href= seems to be the most common way to create a pharmacy page on a hacked site. The HTML is encoded in base64 or some other encoding and stored in the MySQL database to make it hard to find.
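As an added example (not code from any of the hacks shown here), this is one way a site owner could search exported database fields for the pattern just described: a `<base href=` that points away from the site, either in plain HTML or hidden behind base64. The field names, `example.org` and `pharmacy.example` are constructed placeholders.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urlparse


class BaseHrefFinder(HTMLParser):
    """Collects the href of every <base> tag in a document."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "base" and href:
            self.hrefs.append(href)


def foreign_bases(html, site_host):
    """Hosts named in <base href> that are not site_host or a subdomain of it."""
    finder = BaseHrefFinder()
    finder.feed(html)
    hosts = [(urlparse(h).hostname or "").lower() for h in finder.hrefs]
    return [h for h in hosts
            if h and h != site_host and not h.endswith("." + site_host)]


def scan_stored_value(value, site_host):
    """Scan a database field as stored and, if it is valid base64, decoded."""
    texts = [value]
    try:
        texts.append(base64.b64decode(value, validate=True).decode("utf-8", "replace"))
    except ValueError:  # binascii.Error is a ValueError: the field is not base64
        pass
    return [host for text in texts for host in foreign_bases(text, site_host)]


def scan_rows(rows, site_host):
    hits = {name: scan_stored_value(val, site_host) for name, val in rows.items()}
    return {name: hosts for name, hosts in hits.items() if hosts}


# Constructed sample rows; names and hosts are placeholders, not from a real site.
PAGE = '<html><head><base href="http://pharmacy.example/"></head><body><img src="logo.png"></body></html>'
SAMPLE_ROWS = {
    "widget_text": "<p>Opening hours: 9-5</p>",
    "theme_cache": base64.b64encode(PAGE.encode()).decode(),
    "site_head": '<base href="https://www.example.org/">',
}
```

Only base64 is tried here; a field stored in "some other encoding" needs its own decoder added to `scan_stored_value`.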

Screenshot 2015-05-11 at 12.08.26 PM

This hidden page is all about googlebots. The hack designer only allows it to be seen when the user agent is a googlebot or other search site bot.

Screenshot 2015-05-11 at 12.06.59 PM

The search results are an essential part of the hack. They are not on the hacked site and they were created by Google, not the hacker, but the hack is worthless without them.

Screenshot 2015-05-10 at 9.03.12 PM

This is the pharmacy page for the hack. In the bottom half of the screen is Chrome’s developer tools looking at the pharmacy page HTML.

Screenshot 2015-05-11 at 12.15.42 PM

The hidden page plays an additional role. It contains links to hidden pages on other hacked sites and links to other hidden pages on this hacked site. I cannot believe Google cannot build a smarter googlebot.




Hacks that use safe-online-pharmacy.com as a destination



Another <base href= style hack. Please read Hacks that use <base href= for more information.

Screenshot 2015-05-10 at 12.59.33 PM

This is one of the hidden pages the hack created. Google creates search listings for them just as if it actually thinks they were intended for human eyes.

Screenshot 2015-05-10 at 1.05.32 PM

When this site was first hacked it was using secure-canadian-pharmacy.com as a destination. After it was suspended the hack was updated with a new pharmacy site. They don’t bother updating the hidden page. It does the job either way.

Screenshot 2015-05-10 at 12.58.59 PM

Here are some of the search listings Google created after visiting the hidden pages.

Screenshot 2015-05-10 at 12.57.44 PM

This is the pharmacy page for the site. It gets its images from the real pharmacy site. The bottom half of the screen is Chrome’s diagnostic tools looking at the pharmacy page’s source code.


Hacks that use family-pharmacyonline.com as a destination



The pharmacy site, family-pharmacyonline.com, is three days old. When I looked at this hacked site nine months ago the domain name of the pharmacy site it was using was family-pharmacyonline.net. That domain name has been suspended. This is another <base href= style hack rather than a redirect style hack.

Screenshot 2015-05-09 at 10.06.13 PM

This is the source code for one of the hack’s hidden pages. It shows remnants of the past. Notice that it still has its base set for family-pharmacy-online.net and also has another suspended domain name in the code.

Screenshot 2015-05-09 at 10.00.55 PM

This is the hack’s hidden page. If the base were changed to match the base for the hack’s pharmacy page they would look the same, but the hacker didn’t bother. It still works. Google doesn’t know the difference.

Screenshot 2015-05-09 at 9.48.07 PM

These are the search listings that Google created based on the hidden pages that only the googlebot sees.

Screenshot 2015-05-09 at 9.40.46 PM

This is the source code for the hack’s pharmacy page. You can see the code that sets its base to the real pharmacy site so it can use its images.

Screenshot 2015-05-09 at 9.40.17 PM

Using Chrome’s developer tools allows me to see how the hack works and where the images for the hack’s pharmacy page are coming from.


Hacks that are using canadaok-pharmacy.net as a destination



This is a <base href= type hack. The site, canadaok-pharmacy.net, is two days old. It replaced p-pharmacy.com in this hacked site. Replacing suspended pharmacy sites used in hacked sites is an expected cost of doing business for the hacker.

Screenshot 2015-05-08 at 11.12.46 AM

This is one of the hidden pages recorded by Google cache. They are created to get Google to create search listings.

Screenshot 2015-05-08 at 11.12.14 AM

Some of the search listings Google creates after looking at the hidden pages.

Screenshot 2015-05-08 at 11.11.48 AM

The source code for the pharmacy page the hack created on the hacked site.

Screenshot 2015-05-08 at 11.11.24 AM

The pharmacy page the hack created. It has links to the real pharmacy site. The HTTP headers at the bottom of the page show where the page gets its graphics.


Another hacked site using canadaok-pharmacy.net:

Screenshot 2015-05-10 at 8.06.03 AM



Hacks that are using www.medscheaponl.com as a destination



This hack looks at the referrer in the HTTP headers and only redirects if it is referred from a search site like Google.

Screenshot 2015-04-27 at 8.09.06 PM

The hack’s hidden page was created by duplicating the pharmacy site HTML in the hacked site and then pulling all the images for it from the pharmacy site.

Screenshot 2015-04-27 at 8.08.56 PM

It looks like the hack only has one Google listing. That is unusual for an SEO hack.

Screenshot 2015-05-02 at 5.31.04 AM

The hack does a server side redirect to the pharmacy site.

Screenshot 2015-05-02 at 8.55.06 PM

This is the source code for the hack’s hidden page as found in Google cache. Notice the base href in the HTML telling the page where to find the images.
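The two conditions described on this page, hidden pages served only to a googlebot user agent and redirects that fire only when the referrer is a search site, can be checked by requesting the same URL three ways and comparing the answers. This is an added example, not code from the hack; `check_cloaking`, `http_fetch` and the canned responses are assumptions made for illustration.

```python
import urllib.error
import urllib.request

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/42.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
PROFILES = {
    "direct": {"User-Agent": BROWSER_UA},
    "from_search": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": GOOGLEBOT_UA},
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of following it


def http_fetch(url, headers):
    """Real fetcher: (status, Location header, body) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, None, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read()


def check_cloaking(url, fetch=http_fetch):
    """Compare what a search visitor and a crawler get against a direct visit."""
    status0, _, body0 = fetch(url, PROFILES["direct"])
    findings = []
    for name in ("from_search", "googlebot"):
        status, location, body = fetch(url, PROFILES[name])
        if status != status0 and 300 <= status < 400:
            findings.append((name, "redirect", location))
        elif body != body0:  # dynamic pages need normalising before this comparison
            findings.append((name, "different content", None))
    return findings


def canned_fetch(url, headers):
    """Constructed responses imitating the behaviour described above; no network."""
    if "Googlebot" in headers["User-Agent"]:
        return 200, None, b"<title>hidden page</title>"
    if "Referer" in headers:
        return 302, "http://pharmacy.example/", b""
    return 200, None, b"<title>Club news</title>"
```

Run it against your own site with the default `http_fetch`; an empty list means all three requests received the same answer.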


Here are some other sites that use www.medscheaponl.com:



Hacks that are using mens-sexual-health.net as a destination




Actually there aren’t any hacks using mens-sexual-health.net as a destination. The mens-sexual-health.net website has been shut down. There are, however, a few hacked sites that are attempting to redirect to this pharmacy site. This is a server-side redirect hack. It is redirecting directly to the pharmacy site URL.

The site owner must have done something that removed the backdoors but either didn’t realize he left redirects or couldn’t figure out how to remove them.

Screenshot 2015-05-02 at 8.04.42 AM

As you can see here, the hack attempts to redirect to the pharmacy site but it is no longer there.

Screenshot 2015-05-02 at 7.59.24 AM

This is one of many hidden pages the hack created in order to get Google to generate search listings for the hack.

Screenshot 2015-05-02 at 7.58.58 AM

Here are some of the search listings generated as the results of hidden pages on the hacked site.


Hacks that use canadian-breeze.net as a destination



This hack sends the browser HTML from the hacked site, but the images all come from the pharmacy site and all the links go to the pharmacy site. Apparently people don’t find this suspicious.

Screenshot 2015-04-26 at 8.39.47 PM

The hack uses hidden fake pages like this one to get Google to create search listings because they know Google won’t bother to create an algorithm that would ignore them.

Screenshot 2015-04-26 at 8.38.51 PM

Here are some of the search listings Google created for pages humans will never see or want to see. 

Screenshot 2015-04-26 at 8.38.42 PM

In addition to the hidden page the hack creates a pharmacy page. It pulls everything but the HTML from the real pharmacy site.

Screenshot 2015-04-26 at 8.41.30 PM

This hack uses the full URL for each of the resources it pulls from the pharmacy site. A more common technique is to set the base to the pharmacy site and then use relative links.


Hacks that are using topcure.me as a destination



This is a “base href” type of hack. Please read Hacks that use base href for more information. The domain, topcure.me, is five days old. The server it is on has many pharmacy domain names that are just different names for the same one. Seeing sites that are connected to the military being hacked really bothers me. There isn’t much I can do about it but let them know.

Screenshot 2015-04-22 at 11.35.45 AM

This is one of the hidden pages the hack uses to generate search listings. They are hidden from everything but googlebots. Google could ignore them if they wanted to. They would have a perfect right but for some reason they don’t.

Screenshot 2015-04-22 at 11.35.17 AM

Here are some of the search listings Google couldn’t resist making for the hidden pages.

Screenshot 2015-04-22 at 11.31.50 AM

The HTML base href allows the hack to use images and files from the pharmacy site while making it look like they are coming from the hacked site.

Screenshot 2015-04-22 at 11.31.39 AM

Using Chrome’s developer tools can tell you a great deal about a hack.

Screenshot 2015-04-22 at 11.34.24 AM


Hacks that are using gurucanadian.com as a destination


This is another hack; please read “Hacks that use <base href=” to understand it. Another pharmacy site that sometimes uses the same graphic layout is mypillmarket.com; this can be seen by looking at sn0hq.org.pl – Screenshots.

Screenshot 2015-04-21 at 8.34.10 PM

This is one of the hidden pages the hack uses to get Google to create search listings. To see these hidden pages you can view Google cache or you can use a browser extension that allows you to imitate a googlebot.

Screenshot 2015-04-21 at 8.33.55 PM

Here are some of the search listings Google created for this hacker.

Screenshot 2015-04-21 at 8.31.30 PM

I use Chrome’s developer tools to learn more about the hack. I am looking at the HTTP headers in this screenshot.

Screenshot 2015-04-21 at 8.31.16 PM

You can use Chrome’s developer tool to look at other parts of the hack too.