Does the title of this diary not make much sense? Well, it shouldn't, but it appears as though the folks that run Hillaryis44.org (a vile but popular site, for those who don't know) are not only embedding javascript to direct traffic to illegal online pharmacies, but are also using hacked webservers to go one step further.
Details after the jump.
For those who want the executive summary: hillaryis44.org, a popular rabidly pro-Clinton and anti-Obama site, whose operator was anonymous until recently, has been directing traffic to illegal online pharmacies and is intentionally using hacked servers (hacking that they may be culprits of). I have notified the sysadmins at UCSD (one of the sites hacked by/being used by hillaryis44) and they have confirmed that the UCSD server is hacked and are looking into it right now.
Thanks to for this insightful investigation:
For those of you that follow the United States democratic primary, or are interested in internet technology, this should be of interest to you. This story has potential corruption, and legal liability, and therefore demands investigation and attention.
The hillaryis44.org website is based on WordPress 2.1.3, a PHP web forum application. It is dedicated to discussion of Hillary Clinton's campaign for the Democratic nominee to the position of President of the United States. It is not formally associated with Senator Clinton, and is purportedly managed by Alex Rodriguez, who is characterized as "a freelance political guy," by Cliff Arnebeck, an Ohio lawyer. (Source) The forum posts on hillaryis44 range from reasoned debate of policy to vicious personal attacks on other presidential candidates.
None of this is really all that interesting. And honestly, I'm certain that there are dozens of similar sites out there that appeal to specific political demographics and ideologies. Where this story gets interesting is at the site code level. Hillaryis44.org prefaces itself as a legitimate site for Hillary supporters to receive news updates regarding the election, and to discuss election results and to debate the finer points of democracy.
From the 'About' page.
We started this website because we believe Senator Hillary Clinton will be an excellent 44th President of the United States. Senator Hillary Clinton will be the Democratic Party’s nominee for President because she is not only the best candidate running, but she is also the one candidate that will without doubt beat the Republicans and restore sanity to the White House.
Ok, so that's the warmup.
Now on to the technical details, and why you should not visit hillaryis44.org from a normal web browser:
In discussing this site one would wonder why I do not suggest that you go there and look at it, let alone actually provide a hyperlink to it. Here is where I will explain what is interesting about this.
In each and every html page on 'hillaryis44.org' there lie hidden links to html redirects that inevitably lead to an online pharmaceutical company based in Canada. Now, if these links were simply there, hidden, that wouldn't be much of a story. These links are hidden using a style method that does not display them to the person loading the site with their browser. Which means that you will not see them display, and do not have the opportunity to click on them.
Typically, the only reason to host links to sites selling anything would be to generate advertising revenue based on 'onclick' hit tracking. So, if that's the intent, to get money by generating clicks to an online pharmacy in order to pump them for money, then why hide them? This is where it gets a little more complicated.
Each time a page is loaded at hillaryis44.org, the entire html page is loaded in your browser. At the end of each page, in the 'footer' area, is a java based script. This script specifically generates 'onclick' events for each and every link in the 'u' document where the html redirect links are located before anyone clicks on them. (Source)
Below is an excerpt of the .js file that contains the script in question.
function st_go(a){
    var i,u=document.location.protocol+'//stats.wordpress.com/g.gif?host='+escape(document.location.host)+'&rand='+Math.random();
    for(i in a){u=u+'&'+i+'='+escape(a[i]);}
    u=u+'&ref='+escape(document.referrer);
    document.open();
    document.write("");
    document.close();
}
/* The following Javascript includes code from
 * http://verens.com/archives/2005/03/21/tracking-external-links-with-ajax/
 * and
 * http://www.xml.com/pub/a/2005/02/09/xml-http-request.html
 * and
 * http://andy.wordpress.com/
 */
function wpcomAddEvent(el,ev,fn){
    var isIE=window.attachEvent?true:false;
    if(isIE)el.attachEvent('on'+ev,fn);
    else if(el.addEventListener)el.addEventListener(ev,fn,false);
}
function linkclick(event) {
    var isIE=window.attachEvent?true:false;
    event=event?event:(window.event?window.event:"");
    linktracker_record(event);
}
function linktracker_init(b,p){
    _blog = b;
    _post = p;
    if ( typeof document.location.host != 'undefined' )
        var localserver=document.location.host;
    else
        var localserver=document.location.toString().replace(/^[^\/]*\/+([^\/]*)(\/.*)?/,'$1');
    var els=document.getElementsByTagName('a');
    for(var i=0;i<els.length;i++){
        var href=els[i].href;
        /* remainder of the loop body is garbled in the excerpt; surviving fragments: mousedown, mouseout, mouseup, click, title=els[i].title */
In the above script we see that it determines that it is building an http referral string in order to send a message to the 'onclick' tracker that the links in the 'u' document have been clicked.
So, in short, hillaryis44.org appears to be a site dedicated to scamming Hillary Clinton supporters into generating advertising revenue for the domain owners by clandestinely counting hits to links that no one ever clicks. They make this appear legitimate to whoever is paying for advertising by having a significant and consistent amount of traffic to their site.
At this point we need to go even deeper to show how convoluted this is. Here is an example of one of the websites that is being hidden as a link.
http://neurograd.ucsd.edu/faculty/files/online/acomplia/acomplia-buy.html
Here we can see where this link is pointing. If you were to actually go to that site, however, you would be redirected to here, http://rxnice.com/... the Canadian based online pharmaceutical retailer. The question is, why go to the trouble of having a link to a redirect instead of linking directly to the intended receiver of the 'traffic'? Why, for that matter, host the html redirects on a domain for a graduate program in Neuroscience at a public University?
Neurograd.ucsd.edu is a legitimate website hosted by the University of California San Diego for students and faculty members associated with the Neuroscience graduate program. It is also a domain that is being cynically used to host redirect pages to an online pharmaceutical company that is marketing drugs such as, to take from the list of items in the list of sites from hillaryis44.org: accutane, acomplia, amoxil, propecia, wellbutrin, zithromax, lasix, cialis, levitra, and viagra.
Anyone have any more information on this? I hope we can get enough of an investigation going to get hillaryis44.org shut down.