Possible reason for displaying two different websites on single domain?

Maggi Iggam 01/01/2018. 3 answers, 9.014 views
google domain

This is something interesting. Try going to http://www.circaventures.com/ You will get a venture capital company.

Now go to google and search "Circa Ventures". The first result you get is the exact same domain but the description is "medical website". Click it, you get to same domain but now a medical drug website is shown at exactly same domain!

One can of course see the previous website visited and accordingly force display of the other website but why? Is this SEO experiment? Or am I missing something? Other possible reasons?

3 Answers

Steffen Ullrich 01/01/2018.

This is obviously a spamming or scamming site, either setup on purpose or a hacked legitimate site. If visited without Referer header it will show some seemingly innocent site:

$ curl http://www.circaventures.com 
<title>Circa Ventures | helping you close the loop</title>

If visited with a Referer from a search engine it will show spam:

$ curl -H "Referer: https://www.google.com/" http://www.circaventures.com
<frameset rows="*,0" framespacing="0" border="0" frameborder="NO">^M
                <frame src="http://mantrshopo.com/redirect.php?z=cialis" noresize="" scrolling="auto">^M

This seems to work for any Referer which contains Bing, Google, Yahoo or similar, i.e. even when using https://this-site-is-not-yahoo/ as Referer. Using a different Referer like https://this-site-is-not-stackoverflow/ instead will result in the seemingly innocent site.

Luke 01/01/2018.

As Steffen Ullrich has said, the reason for displaying different website is different Referer header; the underlying server was compromised and configured to show different content based on header (e.g. using mod_rewrite on Apache, similar to how you'd forbid image hotlinking). When Referer is www.google.com it uses the circaventures.com as a mask for mantrshopo.com (notice how all the links on the fake circaventures.com lead to mantrshopo.com).

The website probably most certainly sells fake medicine, as its About page is written in pretty bad English, domain is registered in Hong Kong to Clara Iglesias with address in Kamloops (a town in British Colombia, Canada), Albania, with a Hong Kong phone listed, and is served through a proxy in Netherlands. That name/email is listed as a registrar for two more domains, sechopo.com and itashopo.com, one served from Netherlands and other from Russia. All of them aren't working when accessed directly using IP, i.e. it just displays "This shop not installed" message. It seems that previously a different scam pharmacy was served through the itashopo.com's current IP address, septsahopo.com, this one registered to a Russian named Stepan Bandera (also a Ukrainian political activist/nationalist from WW2) which has a slew of other domains registered to him (search by email, by name).

So it seems you stumbled upon a chain of scamming websites. Stay away from it.

Mirsad 01/01/2018.

Possible infection with malicious code known as (SEO Spam). That's why it is serving with title:

<title>Cheap Cialis In Usa &#8212; Get Bonus Pills</title>

Maybe it was hacked due to outdated software (in this case Drupal):


Related questions

Hot questions


Popular Tags