Archive for the 'Hacked' Category

Good deed of the day… helping the hacked sites found on GrandCentral

Friday, July 18th, 2008

As I said last night, if GrandCentral was still hacked in the morning, I was going to contact the hacked sites myself and give instructions on what they should do to rectify the situation.

Below is the email I am sending to hacked sites:

Web site Owner,

It appears that your blog has been hacked to display content about pharmaceutical drugs and online pharmacies.  These links are then spammed on various sites, including Google’s GrandCentral blog.

An example link on your site where you can see the hacked content is:

http://example.com/?id=1

I suggest you disable your site, look over your code, and determine where they have hacked your files.  From what I can tell, it appears that your index.php has been compromised, but I suggest removing the entire blogging software and installing the latest one to be safe as you may never know if other files were modified.

As your URL has been compromised to be used in spamming other sites, I also suggest you contact Google and the other search engines so they do not penalize your site.  You can do this on Google by logging into the WebMaster console and submitting a reinclusion request.  In the request explain what happened and how your site was actually being spammed on the GrandCentral blog.  Only file this request when your site has been fixed.  For more info you may want to read this article:

http://www.mattcutts.com/blog/helping-hacked-sites/

For more information on how we discovered this hack, you can read this blog article:

http://www.pcbugsquad.com/2008/07/googles-grandcentral-blog-has-been-hacked/

Hope this helps and please feel free to contact me if you need help.


John
http://www.PCBugSquad.com

I will keep everyone updated as we go.

Wake up Google! GrandCentral blog still hacked!

Thursday, July 17th, 2008

It has been over 24 hours since we blogged about how the blog for GrandCentral.com was hacked and since we reported it to Google security, but the spam links are still in the blog’s style.  What’s going on, Google?  You have taken such a huge stance on search engine spam, yet you allow it to continue being propagated by sites under your own control.

If the site is still showing the links tomorrow, I will take it upon myself to try and contact the site owners that were hacked and see if we can get those links taken down.  I would prefer Google do it, as they have more clout, but if it’s not going to get done, I will do it.

Google’s GrandCentral Blog has been hacked!

Wednesday, July 16th, 2008

GrandCentral is a company, purchased by Google in 2007, that assigns a phone number that allows you to be reached wherever you are by redirecting your calls to other phones of your choice.  Yesterday, when browsing their blog I noticed a large swathe of empty space at the bottom and found this to be a bit strange.  You can see this empty space in the image below.  Notice the vertical slider and you will see that there is a ton more space underneath that I could not show in the image.

GrandCentral Blog with CSS - Notice the large white space at the bottom.

I pulled up the HTML source of the page and scrolled to the bottom, and lo and behold, I saw 3400+ links to what appear to be other hacked sites advertising drugs and online pharmacies. Below is a small snippet of the code with the URLs.  Notice, I have obfuscated the actual URL to use the example.com domain.

<div style="left: -2227px; position: absolute; top: -3337px">
<a href="http://www.example.com/buy.php?id=1" title="adipex">adipex</a><br>
<a href="http://www.example.com/buy.php?id=2" title="order adipex">order adipex</a><br>
<a href="http://www.example.com/buy.php?id=3" title="cheap adipex">cheap adipex</a><br>
<a href="http://www.example.com/buy.php?id=4" title="no prescription adipex">no prescription adipex</a><br>
<a href="http://www.example.com/buy.php?id=5" title="adipex p how it works">adipex p how it works</a><br>
<a href="http://www.example.com/buy.php?id=6" title="adipex harmful side effects">adipex harmful side effects</a><br>
<a href="http://www.example.com/buy.php?id=7" title="how long does it take adipex to work">how long does it take adipex to work</a><br>

</div>

The way they are hiding these URLs is through the use of a div with an inline style applied to it.  This CSS style says to display the HTML 2227 pixels to the left of the left edge of the window and 3337 pixels above the top edge of the window.  This essentially makes it so the HTML is rendered off the screen and therefore invisible to a visitor.  On the other hand, a search engine, like Google, will still see the URLs and, as the links are coming from an authoritative site like GrandCentral, give them a nice SEO boost.

If we want to see the actual URLs, we could disable the CSS using a tool like Firefox’s Web Developer extension.  This would then disable the style attribute on the <div>, and we can then see the URLs easily as shown below.

GrandCentral blog with CSS disabled - Notice we can now see the previously hidden URLs.

As you can see with CSS disabled the URLs are readily apparent.  I have already notified Google Security about this breach and I hope they have it rectified soon.
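Site owners can check their own pages for the same hiding trick without a browser. The following is an added example, not code from the original post: a Python scan that reports links nested inside any element whose inline style positions it far off-screen. The 1000px threshold, the function names and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Void elements have no closing tag, so they are never pushed on the stack.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "embed", "source", "wbr"}
# Negative pixel offsets such as "left: -2227px" or "top: -3337px".
OFFSET = re.compile(r"(left|top|right|bottom)\s*:\s*(-\d+(?:\.\d+)?)px", re.I)

def offscreen(style, threshold=1000):
    """True if an inline style positions the element far outside the viewport.
    The threshold is an assumed heuristic, not a value from the post."""
    if not re.search(r"position\s*:\s*(absolute|fixed)", style, re.I):
        return False
    return any(abs(float(v)) >= threshold for _, v in OFFSET.findall(style))

class HiddenLinkFinder(HTMLParser):
    """Collects href values of <a> tags nested inside off-screen containers.
    Assumes reasonably well-nested markup (every non-void tag is closed)."""
    def __init__(self):
        super().__init__()
        self.stack = []    # one bool per open element: is it off-screen?
        self.hidden = []   # hrefs found inside an off-screen element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and any(self.stack) and attrs.get("href"):
            self.hidden.append(attrs["href"])
        if tag not in VOID:
            self.stack.append(offscreen(attrs.get("style") or ""))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def find_hidden_links(html):
    finder = HiddenLinkFinder()
    finder.feed(html)
    return finder.hidden

# Constructed sample modelled on the snippet above, plus two normal visible links.
SAMPLE = """
<p><a href="http://www.example.com/about">About</a></p>
<div style="left: -2227px; position: absolute; top: -3337px">
<a href="http://www.example.com/buy.php?id=1" title="adipex">adipex</a><br>
<a href="http://www.example.com/buy.php?id=2" title="order adipex">order adipex</a><br>
</div>
<p><a href="http://www.example.com/contact">Contact</a></p>
"""

if __name__ == "__main__":
    for href in find_hidden_links(SAMPLE):
        print("hidden link:", href)
```

This only inspects inline style attributes; links hidden through an external stylesheet or injected by script would need a rendered-DOM check instead.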