pushing pharma and internet pharmacy.

Fake pharma sites are getting even more obnoxious

Recently, we have noticed that fake pharma sites seem to have discovered the use of JavaScript to change the “Stay or Leave” messages that you see when you try to close or leave their sites.

Fake pharma

In cybersecurity, fake pharma is the term we use to describe the peddling of drugs and medication, whether they are legal or not, in a pushy, obtrusive way. This branch of internet trade is often associated with false advertising, spam, dubious vendors, and the Dark web.

Scripts to deliver a goodbye message

To demonstrate how obtrusive they can be, we would like to present you with some examples where they are using JavaScript to deliver a last message when the user decides he has seen enough and wants to close the window or tab of the pharma site. To accomplish this, the website creators are abusing a feature meant to alert users who are about to close a site, while adding content to that site, which can be useful if you were filling out a form, posting on a site or social media, or carefully constructing a comment.

One method of using JavaScript to trigger the code is by using the “onunload” event of the site. For example—

—will trigger the function called “confirmation”. But the “onunload” event allows the closing of the browser tab or window—something the fake pharma site creators don’t want—so they use the alternative event called “beforeunload”, which can be specified in this way:

window.onbeforeunload = function()

This site defines what “beforeunload” is about:

The beforeunload event is fired when the window, the document and its resources are about to be unloaded. When a string is assigned to the return Value Event property, a dialog box appears, asking the users for confirmation to leave the page (see example below). When no value is provided, the event is processed silently.


Short and simplified: When users click the “X” in the browser tab to close it, they cause an event called “beforeunload”, which in turn checks if there is a task that needs to be done first before closing the tab. In this case, the task in the function defined for “onbeforeunload”.

Another method is to use built-in features or plugins of content management systems (CMS) like WordPress (example below), Joomla, and Drupal.



From what we’ve seen, Internet Explorer and Edge are the most susceptible browsers when it comes to popping up these “extra messages”. Opera, Firefox, and Chrome show the user the “Stay or Leave” prompt but without the extra text.

Opera “Stay or Leave” prompt
Edge’s prompt on the same site


Disabling JavaScript in your browser (check the links section of this article if you need help with that) prevents this from happening, but you should realize that it does that in cases where you might have found it useful as well. It comes highly recommended though, especially for the browser that you generally use for surfing the Web.

Fake pharma link distribution

Some of the links to these pharma sites are sent out by Skype messages, where they are camouflaged in Baidu search results. We wrote about this method last year, but it is still current.

I received this link to a pharma site on Skype

Another very popular method to spread fake pharma links is done by forum spammers, who get paid mere pennies for registering and posting on popular forums, like ours for example.


And let’s not forget the time when our mailboxes were flooded with “Viagra” offers.


This post went into some of the background information concerning the advertising of fake pharma sites, how they spread their links, and how they try to retain your attention.

Other related post(s):

External links:

Pieter Arntz


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.