A Large Chain of Pharmacy Exploitation Affecting Dozens of University Websites Through Open-Source Script







TOKYO (MacHouse) – We’ve been covering the story of pharmacy exploitation at the website of St. Louis University Medical School for the past few days. The same spam terrorist (same name, same IP address) circulated another spam comment about 4 hours ago (see Screenshot 01), which has led us to find another location of pharmacy exploitation at the website of Seabury-Western Theological Seminary (see Screenshot 02). Are these exploitation cases related? They actually are. The common factor is Moodle. If you look at the top of Screenshot 02, there are two folders, ‘moodle’ and ‘user.’ We have seen this combination of folders at the website of St. Louis University Medical School. I clicked on the tab that said Forum posts, then another and another. Then I found a key phrase, Online Moodle (see Screenshot 03). Eventually, we found a large chain of exploited websites.


Screenshot 01
Screenshot 02
Screenshot 03 – Source: medschool.slu.edu



So what is Moodle? According to moodle.org, it’s open-source course management system software that is distributed for free under the GNU Public License. (See Screenshot 04.) It sounds like a script package that colleges and universities can use for online education. In fact, there are many colleges and universities using this software. And sadly, that’s why many school websites are exploited in the same manner.

We don’t know how the spam terrorist group used this software to exploit the websites of St. Louis University Medical School and Seabury-Western Theological Seminary. We don’t know how they got a list of websites using this course management system software. What we know is that there are a dozen other websites of academic institutions out there that have been exploited in the same manner. We also know that it’s easy to get a list of the websites that have installed this software, though it may not be the same list that the spam terrorist group has. We simply asked Google what he thinks about /moodle/user/, and he passed us a list of 690,000 matches. (See Screenshots 05-06.) A short list of academic institutions using this software includes:





  • California Institute of Technology, Computer Science
  • Concord University, Department of Mathematics and Computer Science
  • University of Washington
  • University of Illinois at Urbana-Champaign, Curriculum, Technology & Education Reform (CTER)
  • Yale School of Medicine
  • Universidad de San Buenaventura, Colombia
  • Illinois College
  • Marquette University, Mathematics, Statistics and Computer Science
  • St. Thomas University




Screenshot 04 – Source: moodle.org
Screenshot 05 – Source: Google
Screenshot 06 – Source: Google



Of course, there are more organizations and schools using this software. Some of the websites listed above are in fact exploited for pharmacy spam. We therefore strongly advise all users of Moodle to check urgently whether there are traces of pharmacy exploitation at their own websites. One of the exploited websites we found contains an offensive message from the spam terrorist group. When I went to the exploited site of St. Thomas University (Miami Gardens, Florida), I saw a message that said:

“Below is a (modified) version of the ad posted on a University’s educational web space by a spammer. If you, like me, can’t stand these vermin, then email the administrators of their website at abuse@masterhost.ru and complain about the Website listed below.”

So who is sponsoring a spam operation on this large a scale? It’s a typical scenario of online pharmacy store websites behind affiliate spammers. Some of the sponsors include tabletsa.net, canadian-pharmacy-shop.com, pillbestellen.de, kaufmed.de and so forth.
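One way for a Moodle administrator to run the check advised above is to scan saved copies of their own /moodle/user/ pages for outbound links to the sponsor domains named in this article. This is an added example, not code from the original post or from Moodle; the keyword list, the `scan_page` helper and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sponsor domains named in this article.
SPONSORS = ("tabletsa.net", "canadian-pharmacy-shop.com",
            "pillbestellen.de", "kaufmed.de")
# Assumption: a starter keyword list; tune it for your own site.
KEYWORDS = re.compile(r"\b(pharmacy|pills?|tablets?|prescription)\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from one HTML page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scan_page(html, own_host):
    """Return (reason, href) for each suspicious link that leaves own_host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host or host == own_host or host.endswith("." + own_host):
            continue  # relative or same-site link
        if any(host == d or host.endswith("." + d) for d in SPONSORS):
            findings.append(("sponsor-domain", href))
        elif KEYWORDS.search(text) or KEYWORDS.search(host):
            findings.append(("keyword", href))
    return findings

# Constructed sample: a page saved from /moodle/user/ on moodle.example.org.
SAMPLE = ('<a href="/moodle/course/view.php?id=2">My course</a>'
          '<a href="https://moodle.org/">Moodle docs</a>'
          '<a href="http://www.tabletsa.net/x">cheap <b>pills</b></a>'
          '<a href="http://shop.example.net/">Online pharmacy</a>')
```

Calling `scan_page(SAMPLE, "moodle.example.org")` flags the last two links and leaves the course link and the moodle.org link alone; any page with findings deserves a manual look at the account that posted it.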


Screenshot 07 – Source: stu.edu
Screenshot 08 – Source: tabletsa.net
Screenshot 09 – Source: canadian-pharmacy-shop.com
Screenshot 10 – Source: caltech.edu
Screenshot 11 – Source: deoss.org
Screenshot 12 – Source: elvag.edu.ee
Screenshot 13 – Source: mscs.mu.edu
Screenshot 14 – Source: gonzo.edu.au
Screenshot 15 – Source: usbctg.edu.co



Why are there so many websites of American academic institutions falling victim to pharmacy spam? Typically, they rarely patrol their websites. Arrogance is also a factor. We have attempted to contact dozens of academic institutions to notify them of affiliate spam exploitation at their websites. Only a few of them, including Ohio State College of Education, have written back and thanked us. Some of them are believed to ignore our kind notifications.





