NOTE: All Links below were active & working as of 4/9/2017
I have seen a bunch of spammy-looking emails with subject lines similar to
Incredible Formula Is Now Available For Everybody
All from random sender addresses such as
mlhernandez@bolivar.gov.co
py10024@dongshin.net
kd-dovitec@vnn.vn
With email bodies like this, with a hyperlink on the last line
Tsss... Though this exclusive product is already out there for everybody on the web, the amount is very limited, so don't tell your friends about it until you get some first.
Advanced solution and redesigned formula has been created to help you get rid of excessive weight. Natural ingredients and secret components are exactly what you need to get back in a great shape and get your dream body.
Act now as next week it will already be too late. Get a beautiful and fit body like you deserve.
The hyperlink went to sites like the ones below, which appear to be compromised, probably outdated WordPress sites with unpatched plugins (note the PHP files dropped into wp-includes and wp-admin paths that normally hold only library code or static assets)
hxxp://klkgraphics[.]com/wordpress_d/wp-includes/SimplePie/lib.php?c2JyeWFuQG9zaGtvc2hjb3JwLmNvbQ==
hxxp://www.sandeepguptagmatclasses[.]com/wp-admin/css/dump/db.php?aGxvdWRlbkBkZWZlbnNlLm9zaGtvc2hjb3JwLmNvbQ==
hxxp://unlimitedsuccesscoaching[.]com/wp-includes/SimplePie/Decode/old.php?dG1vcnJpc0BqbGcuY29t
hxxp://covrefugee[.]org/wp-includes/SimplePie/Decode/lib.php?bGdhbGxhY2hlckBqbGcuY29t
hxxp://www.libertywebcreation[.]com/norfolk/wp-includes/fonts/ini.php?dGxiaWdoYW1AamxnLmNvbQ==
If the user clicks any of those links, the site simply redirects to this one single site, so it is likely the same attacker behind each compromised site
hxxp://dietokdlikefut[.]com/us/emko/t11-cla?bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX
The page title on that page is
Gwen Stefani Shares Blake Shelton's Secret To Rapid Weight Loss (Pics Below)
No matter where you click on that page, all links go to this follow-up URL
hxxp://dietokdlikefut[.]com/us/emko/go.php?CID=313491&bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX
If you decide you want to buy the product, clicking checkout goes to this page
hxxps://checkout-cla-extract[.]com/?click_id=04_29517092_5bcca100-2e0d-4262-a3d7-a225b73ac143&subid1=313491&netid=3&ver=old&ad=1kN9
Also found it interesting that at any point on the fake sales-pitch page, if you remove the PHP file name from the URL, it redirects you to a random sub-domain that contains the exact same content
hxxp://557-healthandbeauty.dietokdlikefut[.]com/us/xvoh/cla-safflower-oil/
hxxp://852-diet.dietokdlikefut[.]com/us/hefk/cla-safflower-oil/
hxxp://110-health.dietokdlikefut[.]com/us/lldl/cla-safflower-oil/
Looks to me similar to past Pharma Hacks I've seen, where the attacker simply goes around compromising weak WordPress sites in order to both bump up their search-engine rankings and generate traffic to their own website to make money.
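For anyone triaging a mail or proxy log for this campaign, here is an added example (my own helper, not something from the original post) that encodes the three observations above as checks: a PHP script requested directly from a WordPress library or asset directory, a query string that is nothing but a base64 token (the post's links carry one per recipient), and many compromised hosts funnelling to one landing host. The hosts and recipient addresses in the sample data are constructed placeholders, and the base64 tokens are assumed to decode to a tracked recipient address, which is my inference from the shape of the links, not something the post states.

```python
"""Triage helper for redirect links of the shape seen in this spam campaign."""
import base64
import binascii
import re
from urllib.parse import urlparse

# WordPress directories that normally serve no directly requested PHP scripts:
# wp-includes/ holds library code that is included by other files, wp-admin/css/
# holds only static assets. A .php file requested from them is a dropped file.
SUSPICIOUS_WP_DIRS = ("/wp-includes/", "/wp-admin/css/", "/wp-content/uploads/")

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample data (placeholder hosts, placeholder recipients) written in
# the same defanged hxxp:// and [.] notation the post uses.
SAMPLE_OBSERVATIONS = [
    ("hxxp://site-one[.]example/wordpress_d/wp-includes/SimplePie/lib.php?YWxpY2VAZXhhbXBsZS5jb20=",
     "hxxp://landing-host[.]example/us/emko/t11-cla?bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX"),
    ("hxxp://site-two[.]example/wp-admin/css/dump/db.php?Ym9iQGV4YW1wbGUub3Jn",
     "hxxp://landing-host[.]example/us/emko/t11-cla?bhu=CX2zrXTTggnGsfMQaDHNS2ZNVZWHVGZRYhPiX"),
    ("hxxp://site-three[.]example/blog/index.php?p=12",
     "hxxp://site-three[.]example/blog/2017/04/post/"),
]


def refang(url):
    """Turn the defanged hxxp:// and [.] notation back into a parseable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def decode_tracking_token(token):
    """Return the decoded address if token is base64 of an email-like ASCII string, else None.

    validate=True rejects anything with characters outside the base64 alphabet or a
    stray '=' in the middle, so ordinary key=value query strings fall through to None.
    """
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.fullmatch(text) else None


def triage(url):
    """Classify one link: dropped-PHP path, per-recipient tracking token, and host."""
    parsed = urlparse(refang(url))
    path = parsed.path
    dropped_php = path.endswith(".php") and any(d in path for d in SUSPICIOUS_WP_DIRS)
    recipient = decode_tracking_token(parsed.query) if parsed.query else None
    return {
        "host": parsed.hostname,
        "dropped_php": dropped_php,
        "tracked_recipient": recipient,
    }


def group_by_landing(observations):
    """Map each final landing host to the sorted list of source hosts redirecting to it.

    observations: iterable of (clicked_url, final_url) pairs from a sandbox or proxy log.
    Several unrelated-looking sites ending on one landing host points to one operator.
    """
    groups = {}
    for src, dst in observations:
        landing = urlparse(refang(dst)).hostname
        groups.setdefault(landing, set()).add(urlparse(refang(src)).hostname)
    return {landing: sorted(hosts) for landing, hosts in groups.items()}


def suspicious_sources(observations):
    """Return source hosts that show both a dropped PHP path and a tracking token."""
    return sorted(
        triage(src)["host"]
        for src, _ in observations
        if triage(src)["dropped_php"] and triage(src)["tracked_recipient"]
    )


if __name__ == "__main__":
    for src, _ in SAMPLE_OBSERVATIONS:
        print(triage(src))
    print(group_by_landing(SAMPLE_OBSERVATIONS))
    print(suspicious_sources(SAMPLE_OBSERVATIONS))
```

In a real log the decoded token would be the address the message was sent to, which is what makes it useful: it ties a click in the proxy log back to the mailbox that received the lure without needing the original message.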
Let me know if I'm missing anything else important.
Copyright © 2017, this post cannot be reproduced or retransmitted in any form without reference to the original post.