New email scam spoofing Foursquare leads to Russian fake pharmacy
6/10/2012
I just received a spam email in my Junk folder, which claimed to come from Foursquare ([email protected]). The Subject is: "Ailsa Hill is now your friend." The body text said: "Hey there - Just a heads up that Ailsa Hill has approved your friend request on foursquare." If you get one of these, no matter what the name is, be suspicious. Here's why...
I opened the "Properties" of this email so I could read the actual headers and found the following details.
The From: foursquare <[email protected]> line is fake (spoofed). Here's why:
The final "Received from" line is not from foursquare.com, nor from Amazon, their web host. Rather, the sending server was: serveur.maven2-20.com ([46.105.104.199]). Running a Whois on that domain reveals that it is hosted in France, on OVH Systems, a web hosting provider. There is no website configured at that IP, or domain, just a few files.
Also, the following line was inserted by the mail server that delivered the message to my account: X-AUTH-Result: FAIL
So, the email definitely did not come from Foursquare. It is spam or a scam. Who did send this message and why?
Let's look at the links hidden in the message source to find out where they lead.
The message body is loaded with images stolen from the actual Foursquare website, to make it look authentic to the casual recipient. But the links spoof foursquare.com, while leading to a different domain. Look at this source code for the first action link presented to the victim:
View their profile: <a href="http://shabdayoga.com/supplement.html">https://foursquare.com/user/28519394</a>
You can see that the link claims to go to: https://foursquare.com/user/28519394
If you hovered your pointer over the above link, in the original message, the actual URL: shabdayoga.com/supplement.html would be displayed in your status bar.
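The two checks described above (the last Received hop versus the claimed From domain, plus the X-AUTH-Result header, and anchor text that shows one host while the href points at another) can be automated over a raw message. This is an added example, not code from the original post; the sample message is constructed from the details given above, and the sender address in it is a placeholder because the original is redacted.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample modelled on the message described in the post. The sender
# address is a placeholder because the original is redacted on the page.
SAMPLE = """From: foursquare <noreply@foursquare.example>
Received: from serveur.maven2-20.com ([46.105.104.199]) by mx.example.net
X-AUTH-Result: FAIL
Content-Type: text/html

View their profile: <a href="http://shabdayoga.com/supplement.html">https://foursquare.com/user/28519394</a>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from <a> tags in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def reg_domain(host):  # last two labels; adequate for the .com hosts in this case
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def analyse(raw):
    """Return a list of spoofing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    if msg.get("X-AUTH-Result", "").strip().upper() == "FAIL":
        findings.append("sender authentication failed (X-AUTH-Result: FAIL)")
    claimed = reg_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    # The last Received header is the hop closest to the real origin.
    m = re.search(r"from\s+([\w.-]+)", (msg.get_all("Received") or [""])[-1])
    if m and reg_domain(m.group(1)) != claimed:
        findings.append(f"origin host {m.group(1)} is not in {claimed}")
    lc = LinkCollector()
    lc.feed(msg.get_payload())
    for href, text in lc.links:
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and real and reg_domain(shown) != reg_domain(real):
            findings.append(f"link text shows {shown} but points to {real}")
    return findings
```

Running `analyse(SAMPLE)` flags all three indicators from the message above; a message whose origin hop, From domain and link targets agree returns an empty list.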
What do we find if we investigate the source code for shabdayoga.com/supplement.html? Nothing but JavaScript to redirect visitors to another website, named "drugstorewichi.com" and, should you have JavaScript disabled, a manual link with the word "Enter" and nothing else.
What is http://drugstorewichi.com? A fake pharmacy! The images and copyright claim that you've landed on Toronto Pharmacy, supposedly selling Canadian prescription drugs. If that were so, the website would be registered and hosted in Canada.
So, Whois drugstorewichi.com? The website belongs to someone named Georgij Kiosov - who claims to reside at: Orekhovy proyezd d.37 korpus 1 kv.168, Moscow, 115573, RUSSIA.
The domain is not hosted in Canada, but in Poland, at: 194-28-50-114.arpa.teredo.pl (Site Stats tab).
So, we have a spam email spoofing Foursquare, with a link that redirects to a fake Canadian pharmacy registered to a Russian citizen, living in Russia, with his web hosting in Poland. This is part of a fake pharmacy affiliate program based in Russia.
All of the claims made on these websites are fraudulent. The drugs, should one even receive them, are counterfeit. The payments are made to payment processors who are friendly to cyber criminal gangs in Russia. If anybody is foolish enough to actually purchase anything from scammers like this, their credit or debit card details, along with their mailing address and phone number, are now in the hands of hardened fraudsters in Russia.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.