Spam and scam roundup for week ending Sept 15, 2013
September 15, 2013
For the past few weeks, email spam categories have remained fairly constant, with a steady flow of spam promoting weight loss pills, pump and dump scams, and several malware threats delivered as attachments or via links.
Changes over the past week or two include a shift in the domain names used to promote illicit weight loss drugs. Originally, this type of diet spam used domain names that included the words "green coffee" in the prefix and .PL (Poland) as the TLD extension. After a while, the domain extensions were changed to other country codes, such as .NL (Netherlands), .EU, and finally, .RU (Russia). The scams are all part of an underground pharmacy program run out of Russia, with unscrupulous affiliates who rent the use of botnets to spam out their affiliate-encoded links to unsuspecting recipients around the world. It is no surprise to me that all of the domains now being used in email spam links for weight loss solutions are in fact .RU, Russian domain names.
While the spam templates and wording may change from week to week, the landing pages do not change. All are the exact same affiliate landing page for green coffee bean extract, a potentially harmful substance that causes a lot of people a lot of misery (not to mention that they are out the money to Russian mobsters).
How to spot a typical Russian domain link in a spam message
Here is a sample of the spoofed sender, subject, and links currently being used to promote illicit green coffee beans:
From: "OzMagazine Daily"
Subject: You Can Do It! Start Today!
Try it today! h**p://6c3f.REMOVED.ru/?5EEA2761DC
I deactivated the http part and removed the actual domain name (which changes daily), but left the sub-domain in place. This is the new structure the spammers are employing. They present a link in plain text or HTML code, with a sub-domain, a domain, then a .RU extension, a forward slash, then their affiliate code as a "query string." This earns them commissions whenever they trick a recipient into purchasing this worthless product.
It is worth noting that .RU domain extensions are only assigned to Russian registrants, who have physical addresses and identities in Russia. I can't buy and register a Russian domain, unless I get someone who lives in Russia to put it in his or her name. The cybercrime and fake pharmacy underground is alive and well in Russia!
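To make the link structure described above concrete, here is an added example (my own code, not part of the original post) that pulls URLs out of an email body and flags the ones matching that pattern: a sub-domain, a domain under a suspicious TLD (.ru by default), an empty path, and a bare hex affiliate code as the whole query string. The sample message is constructed from the spoofed header and deactivated link quoted in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample message, built from the spoofed sender, subject and
# deactivated link quoted in the post, plus one legitimate link for contrast.
SAMPLE_MESSAGE = """From: "OzMagazine Daily"
Subject: You Can Do It! Start Today!

Try it today! h**p://6c3f.REMOVED.ru/?5EEA2761DC
Our newsletter archive: https://news.example.com/archive?issue=42
"""

# Matches live http/https links and the "h**p" deactivated form used in the post.
URL_RE = re.compile(r'h(?:tt|\*\*)ps?://[^\s<>"\']+', re.IGNORECASE)
# A bare hexadecimal token with no key=value structure, as in "/?5EEA2761DC".
AFFILIATE_CODE_RE = re.compile(r'^[0-9A-F]{8,12}$', re.IGNORECASE)


def extract_urls(text):
    """Return every URL-looking token, re-activating the h**p placeholder so urlparse can read it."""
    return [m.group(0).replace("h**p", "http", 1) for m in URL_RE.finditer(text)]


def looks_like_affiliate_spam(url, suspicious_tlds=("ru",)):
    """Heuristic from the post: sub-domain + domain + suspicious TLD + '/?<hex affiliate code>'."""
    parsed = urlparse(url)
    labels = parsed.hostname.split(".") if parsed.hostname else []
    # Need at least sub-domain.domain.tld, and the TLD must be on the watch list.
    if len(labels) < 3 or labels[-1].lower() not in suspicious_tlds:
        return False
    # The spam links carry no path, only a forward slash before the query string.
    if parsed.path not in ("", "/"):
        return False
    # The query string is a bare affiliate code rather than key=value pairs.
    return bool(AFFILIATE_CODE_RE.match(parsed.query))


def flag_spam_links(text):
    """Return the URLs in an email body that match the affiliate-spam pattern."""
    return [u for u in extract_urls(text) if looks_like_affiliate_spam(u)]
```

Running flag_spam_links on a real mailbox export would surface this week's .RU links while leaving ordinary newsletter links alone.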
WordPress Attacks
While this is not part of the email spam topic above, it is very important to know if you operate a website that has a WordPress blog. There has been an ongoing attack targeting /wp-login.php, /admin.php and /administrator/ for at least a month, if not longer.
Most are brute force password crack attempts, but others are exploiting vulnerable code in WordPress itself. The IP addresses are all over the map and represent personal home and business computers, as well as compromised websites. The purpose of the attacks is to find a website that is running a vulnerable version of WordPress and exploit that vulnerability, or crack the password, to place malicious scripts on the index pages. The scripts may lead to exploit kits that download botnet remote control programs onto victims' PCs. Or, they may load a banking Trojan, or fake anti-virus, or even a fake Police notification that locks the user out of the computer unless they pay a "fine."
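The brute force and probing traffic described above leaves a clear trail in the web server's access log. As an added example (my own code, not from the post), the script below parses Apache combined-format log lines and flags IPs that POST to /wp-login.php repeatedly within a short window, plus IPs that probe the /admin.php and /administrator/ paths the post names. The log lines and IP addresses are constructed samples.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache combined format) using the paths named in the post.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2013:02:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2013:02:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2013:02:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2013:02:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2013:02:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2013:02:11:00 +0000] "GET /administrator/ HTTP/1.1" 404 512 "-" "python-requests/1.2"
198.51.100.7 - - [14/Sep/2013:02:11:01 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "python-requests/1.2"
192.0.2.9 - - [14/Sep/2013:02:12:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Sep/2013:02:12:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PROBE_PATHS = ("/wp-login.php", "/admin.php", "/administrator/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def detect_login_attacks(log_text, post_threshold=5, window_seconds=60):
    """Flag IPs with >= post_threshold POSTs to wp-login.php inside window_seconds, and IPs probing admin paths."""
    posts = defaultdict(list)   # ip -> timestamps of login POSTs
    probes = Counter()          # ip -> hits on /admin.php and /administrator/
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] not in PROBE_PATHS:
            continue
        if rec["path"] == "/wp-login.php" and rec["method"] == "POST":
            posts[rec["ip"]].append(rec["ts"])
        elif rec["path"] != "/wp-login.php":
            probes[rec["ip"]] += 1
    brute_force = set()
    for ip, times in posts.items():
        times.sort()
        # Sliding window: any post_threshold consecutive POSTs within window_seconds is an attempt.
        for i in range(len(times) - post_threshold + 1):
            if (times[i + post_threshold - 1] - times[i]).total_seconds() <= window_seconds:
                brute_force.add(ip)
                break
    return {"brute_force": sorted(brute_force), "probing": sorted(probes)}
```

A single legitimate login (one GET followed by one POST, as from 192.0.2.9) is not flagged; tune post_threshold and window_seconds to your site's normal traffic before acting on the output.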
Since the attacks are coming from more personal computers than web servers, I urge my readers to scan their computers with an up to date anti-malware program, or legitimate online virus scanner.
Website owners and webmasters are responsible for updating any software they install into their hosting accounts. Your web host probably isn't going to do this for you! So, you need to know that WordPress has just released a security update: WordPress version 3.6.1, to plug the most recently revealed vulnerability being exploited via the aforementioned web server attacks. Nobody else is going to upgrade your blog software if you installed it yourself, unless you pay them for this extra service.
This means that your shared hosting account, with 400 customers or more on each server, which offers you one-click installation of a WordPress Blog, is NOT going to update it for you. You gotta do it, Bubba!
Webmasters/website owners who install exploitable scripts, but fail to keep them updated when patches are issued for vulnerabilities, are causing a lot of damage to their visitors' computers, by allowing malware scripts to be installed and persist, despite patches being available from the software maker.
Finally, to fend off password crackers, choose a strong password with mixed-case characters, including symbols. Don't make it easy for malicious scripts to hack your WordPress installation!
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.