This is something interesting. Try going to http://www.circaventures.com/ You will get a venture capital company.

Now go to google and search "Circa Ventures". The first result you get is the exact same domain but the description is "medical website". Click it, you get to same domain but now a medical drug website is shown at exactly same domain!

One can of course see the previous website visited and accordingly force display of the other website but why? Is this SEO experiment? Or am I missing something? Other possible reasons?

schroeder
Maggi Iggam
  • The venture capital site is non-functional. Even the social media links do not work. I have contacted the owner. – schroeder Jan 01 '18 at 10:20
  • Lots of people are saying the site was hacked. Could someone who understands it explain a little more thoroughly what is going on? – user1717828 Jan 01 '18 at 14:06
  • Relevant: [Cloaking](https://en.wikipedia.org/wiki/Cloaking) – unor Jan 01 '18 at 15:14
  • @user1717828 the answers below explain it – schroeder Jan 01 '18 at 19:06
  • Not the answer in this case, as others pointed out, but there have been many times when I've had multiple websites on a single domain because it was acting as a sort of sandbox: I gave up on one project and, rather than signing up for a new host/domain, I created another site under a different directory or under a conditional. Sometimes I'd have 4-5 abandoned sites all under one domain with different query strings. – DasBeasto Jan 02 '18 at 18:11

3 Answers

103

This is obviously a spamming or scamming site, either setup on purpose or a hacked legitimate site. If visited without Referer header it will show some seemingly innocent site:

$ curl http://www.circaventures.com 
...
<title>Circa Ventures | helping you close the loop</title>

If visited with a Referer from a search engine it will show spam:

$ curl -H "Referer: https://www.google.com/" http://www.circaventures.com
<frameset rows="*,0" framespacing="0" border="0" frameborder="NO">^M
                <frame src="http://mantrshopo.com/redirect.php?z=cialis" noresize="" scrolling="auto">^M
                </frameset>

This seems to work for any Referer which contains Bing, Google, Yahoo or similar, i.e. even when using https://this-site-is-not-yahoo/ as Referer. Using a different Referer like https://this-site-is-not-stackoverflow/ instead will result in the seemingly innocent site.

Steffen Ullrich
  • Your intro suggests that somebody might do this on their own domain, deliberately. What benefit could that possibly have over just having the spammy site? To me, this is entirely indicative of a hacked site. Maybe that's the point (false flag, domain owner gets away with it)... Even so, that seems a bit tenuous to be a first-line explanation. – Oli Jan 02 '18 at 13:19
  • @Oli The first benefit I can think of is that crawlers and security scanners will visit without Referer set, so they will see the innocent page and it will not be put last in search results for being a spam site, while visitors coming from a search result will get the spam site. – rypskar Jan 02 '18 at 13:29
  • @Oli: The intro suggests that someone might set up a domain like this on purpose. But it should not suggest that this must be the case here. There are domains explicitly set up to show different content to different visitors, i.e. innocent content when visited from some IPs and malware from others, or malware only when logged into Facebook or similar. This is done, for example, to make the automatic detection of malicious sites harder and thus make sure that these sites don't get blocked too quickly by security solutions. – Steffen Ullrich Jan 02 '18 at 13:57
  • The same principle was used in hacked websites spreading malware before. The idea is that the domain owner will not go to their own site via search, so they will not notice that the page is different for almost everyone else. – Edheldil Jan 03 '18 at 13:03
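A check a site owner could run for exactly this Referer-dependent behaviour, as an added example rather than code from the answer: classify() compares the response served without a Referer against the one served to a search-engine Referer and flags a changed title or off-site frame targets that only appear in the referred response; probe() performs the live fetches (not exercised here). The hostnames are those quoted in the answer; the two sample bodies are constructed to mirror its curl output.

```python
"""Referer-cloaking check (added example). classify() is pure logic;
probe()/fetch() do the live comparison against a site you own."""
import re
import urllib.parse
import urllib.request
from html import unescape

# Referers a cloaked site is likely to key on; the answer notes that merely
# containing a search-engine name in the Referer was enough to trigger it.
SEARCH_REFERERS = ["https://www.google.com/", "https://www.bing.com/",
                   "https://search.yahoo.com/"]

def title_of(html):
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return unescape(m.group(1)).strip() if m else ""

def external_frame_targets(html, own_host):
    """Hosts pulled in via frame/iframe src or a refresh url= that are not own_host."""
    urls = re.findall(r'(?:<i?frame[^>]+src|url)=["\']?(https?://[^"\'\s>]+)', html, re.I)
    hosts = {urllib.parse.urlsplit(u).hostname for u in urls}
    return sorted(h for h in hosts if h and h != own_host)

def classify(baseline_html, referred_html, own_host):
    base_title, ref_title = title_of(baseline_html), title_of(referred_html)
    # Only frames that are new in the referred response count: a legitimate
    # embed present in both responses is not evidence of cloaking.
    new_offsite = sorted(set(external_frame_targets(referred_html, own_host))
                         - set(external_frame_targets(baseline_html, own_host)))
    return {"cloaked": base_title != ref_title or bool(new_offsite),
            "baseline_title": base_title, "referred_title": ref_title,
            "offsite_frames": new_offsite}

def fetch(url, referer=None):
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

def probe(url):
    """Live check: no-Referer page versus each search-engine Referer."""
    own_host = urllib.parse.urlsplit(url).hostname
    baseline = fetch(url)
    return {ref: classify(baseline, fetch(url, ref), own_host) for ref in SEARCH_REFERERS}

# Constructed samples mirroring the curl output quoted in the answer.
BASELINE_HTML = ("<html><head><title>Circa Ventures | helping you close the loop"
                 "</title></head><body><p>Welcome</p></body></html>")
REFERRED_HTML = ('<frameset rows="*,0" framespacing="0" border="0" frameborder="NO">\r\n'
                 '<frame src="http://mantrshopo.com/redirect.php?z=cialis" noresize="" '
                 'scrolling="auto">\r\n</frameset>')

if __name__ == "__main__":
    print(classify(BASELINE_HTML, REFERRED_HTML, "www.circaventures.com"))
```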
26

As Steffen Ullrich has said, the reason for displaying a different website is the different Referer header; the underlying server was compromised and configured to show different content based on that header (e.g. using mod_rewrite on Apache, similar to how you'd forbid image hotlinking). When the Referer is www.google.com it uses circaventures.com as a mask for mantrshopo.com (notice how all the links on the fake circaventures.com lead to mantrshopo.com).

The website almost certainly sells fake medicine, as its About page is written in pretty bad English, the domain is registered in Hong Kong to Clara Iglesias with an address in Kamloops (a town in British Columbia, Canada), Albania, with a Hong Kong phone listed, and is served through a proxy in the Netherlands. That name/email is listed as the registrant for two more domains, sechopo.com and itashopo.com, one served from the Netherlands and the other from Russia. None of them work when accessed directly by IP; they just display a "This shop not installed" message. It seems that previously a different scam pharmacy, septsahopo.com, was served from itashopo.com's current IP address, this one registered to a Russian named Stepan Bandera (also a Ukrainian political activist/nationalist from WW2) who has a slew of other domains registered to him (search by email, by name).

So it seems you stumbled upon a chain of scamming websites. Stay away from it.

Luke
  • Your first paragraph is a copy of other answers. The rest is not relevant to the question. Interesting research, but ultimately off-topic. – schroeder Jan 01 '18 at 19:09
  • I'm not trying to be rude. I'm trying to say that this is not an answer and is at risk of being deleted. I'm giving you the opportunity to save it. – schroeder Jan 01 '18 at 20:20
17

Possible infection with malicious code known as SEO spam. That's why it is serving a page with this title:

<title>Cheap Cialis In Usa &#8212; Get Bonus Pills</title>

Maybe it was hacked due to outdated software (in this case Drupal):

http://www.circaventures.com/CHANGELOG.txt

Mirsad
  • Last update in 2014. The horror! – David Foerster Jan 01 '18 at 20:18
  • I know obscurity isn't security but Drupal really isn't helping their users with a public facing version ident/fingerprint like this. – Oli Jan 02 '18 at 13:22
  • @Oli can you really prevent the version from being known with software as popular as Drupal? Most versions will presumably have *something* that makes it obvious that it's in at least a range of versions (which is usually what matters: you want either something older than version X or perhaps newer than version Y). You just have to find a public facing change, feature, bug, etc. to hint at the version being in the desired range. – Kat Jan 02 '18 at 20:10
  • You should do everything within reason not to give away what server or framework you are using. Disable reporting the server name in your HTTP headers. You definitely don't want to be serving files like this. – kagronick Jan 03 '18 at 17:42