
Spam campaigns that advertise internet pharmacies are directing users to web pages hosted on hacked websites, said Sophos.
These pages automatically redirect surfers to a fake online store using the PHP scripting language.
"To the naked eye it looks like a bog standard spam message advertising medications," said Graham Cluley, senior technology consultant at Sophos.
"But it is actually pointing to a website owned by someone who is probably completely unaware that spammers have hacked into their site, and are using it to redirect visitors to an online pharmacy.
"Website owners have a duty to properly patch their sites against the latest vulnerabilities, or face being exploited by spammers."
Cluley added that more people are tricked into clicking on the link in the spam email because the web address is genuine.
And since most anti-spam products use information about a webpage to indicate whether the message is spam or not, emails linking to these hacked legitimate sites are less likely to be blocked by spam filters.
"Web surfers probably would not even notice they are being hopped across the net, because the intention of the spammers is not to confuse their potential purchasers but to try and slip past anti-spam filters," said Cluley.
A Canadian woman died earlier this year after buying pills from a bogus online pharmacy.