Friday, July 13, 2012

Hacked E-mails and Web Sites Pushing Weight Loss Drug Spam

A recent hack/spam/fraud campaign has recently been flooding the Internet with weight loss spam. I began investigating this on Tuesday night when a close relative's e-mail account was hacked.

On Wednesday, Sophos' Fraser Howard wrote up lots of details about this campaign on Naked Security. The article has lots of screenshots so you can see exactly what the e-mails, hacked sites, and spam sites look like.

If your e-mail account or Web site has been compromised, please read that article.

One side note before I continue: if you're using AOL Mail for your personal e-mail and you ever want to check it via the Web when connected to a public Wi-Fi network, don't. The current mobile version of the AOL Mail site does offer any option for securing the connection, and the non-mobile version isn't completely secure either. If you must use AOL for some reason, set up an e-mail application to connect to AOL's IMAP and SMTP servers over SSL/TLS using these instructions (it's even easier for iPhone, iPad, and iPod touch users).

In my opinion, though, you're better off switching to Gmail, arguably the most security-conscious personal e-mail provider, and enable two-factor authentication (and preferably configure it to text you at a different phone number than that of the device you're using to check your mail).

And no matter which e-mail provider you use, never check your e-mail or type any passwords at a public kiosk (such as those you might find at a library or hotel).

Anyway, back to the hack/spam/fraud campaign...

I collected information from a few different e-mails sent from my relative's hacked e-mail account and used this to begin my search. Google searches were immensely helpful in finding hacked Web sites.

In total I discovered 366 hacked sites that are currently hosting pages that usually redirect to fake Fox News sites with "articles" advertising an "HCG Ultra Drops" weight loss drug. The hacked domains hosted various files with any of 76 file names, and these files linked to about 30 fake news domains.

Those numbers are just the tip of the iceberg.

Every time I searched Google for another of the file names, I found more file names and more fake news domains. I only did comprehensive searching of Google for 11 out of the 76 file names before I had to force myself to call it quits (I do have a life, you know).

To any budding security researchers who may want to continue my work, here are the 76 file names I'm aware of, with Google links for each one. I thoroughly searched the first 11 (the ones with an asterisk):

jjllrt.html*, rehrt.html*, oelas.html*, dofpla.html*, efkcnsd.html*, lkdndrb.html*, mdnnka.html*, golrua.html*, dfgseg.html*, nvlauty.html*, rumyn.html*, xxxxt.html, xxklfd.html, cnmasd.html, llkdr.html, ttfbm.html, ggtero.html, owgle.html, uibjrq.html, tstx.html, dfgqp.html, rtvea.html, weelk.html, gjrhbd.html, pagnrk.html, upmfks.html, polmtn.html, xntsb.html, ollsn.html, jtosag.html, olgrus.html, olgruss.html, ghehgs.html, klang.html, lgkssa.html, ptmase.html, nsdlls.html, tyusa.html, sorrbn.html, fhgre.html, tttt.html, therpo.html, wpxml.html, eadfs.html, toshy.html, csndra.html, dfpois.html, uimnf.html, ollfje.html, doremj.html, mlllka.html, wrehge.html, jhglpd.html, llxsa.html, ppuds.html, otldcv.html, pscda.html, chopa.html, hslkgs.html, kmbre.php, oosdn.php, pprds.php, phnll.html, ssddl.html, xclrp.html, etropk.html, resus.html, pgflls.html, rldka.html, trifr.html, vbepo.html, gmolad.html, lgkesa.html, tjgey.html, toepr.html, vvert.html

If you manage any Web servers, be sure to check your servers for any file names like the ones above. If you find any evidence that your server has been compromised, don't merely delete the files. Assume the worst. Restore your server from a clean backup if possible, scan for rootkits and other malware (and get a second opinion, for example from Windows Defender Offline or another antivirus boot disc), change all passwords on the server (and be sure to use good, strong, long, and unique passwords; if you need some advice, read the detailed explanations of what makes a password secure at GRC's perfect passwords and password haystacks pages), disable any services you don't use, and make sure all the software on the server is up-to-date and has all the latest security patches.

Many of these files have at most a 14 out of 42 detection rate on VirusTotal (see the scan results for chopa.html, csndra sample 2, dfgseg.html, nvlauty.html, resus.html, rumyn.html, trifr.html, tstx.html sample 1, tstx.html sample 2). Avast, BitDefender, F-Secure, GData, Kaspersky, Norman, nProtect, and Sophos seem to offer pretty consistent detection of most files, and Antiy-ATL, Avira AntiVir, Comodo, Emsisoft, Fortinet, Ikarus, TrendMicro-HouseCall, and ViRobot have hit-or-miss detection, for these files under the following malware names:

HTML:Refresher-A, HTML:Refresher-A [Trj], HTML.A.Redirector.174, HTML.A.Redirector.176.D, HTML.A.Redirector.176.E, HTML.Refresher, HTML.Refresher!IK, HTML/Redirect.EM, HTML/Redirector.AM!tr, Redirector.FL, TROJ_GEN.RCBH1GD, TROJ_GEN.RFFH1G4, TROJ_GEN.RFFH1G5, Troj/Redir-O, Trojan.HTML.Redirector, Trojan.HTML.Redirector!IK, Trojan.HTML.Redirector.AI,, Trojan/HTML.Redirector, UnclassifiedMalware, W32/Redir.O!tr

Note that many popular anti-virus vendors, including but not limited to AVG, ClamAV, Dr.WEB, McAfee, Microsoft (Security Essentials, Forefront), Symantec (Norton), and Panda (Cloud Antivirus), do not currently detect the redirection files as malicious.

If a victim browses to one of these pages, it will briefly display a message before redirecting, usually "You are here because one of your friends have invited you. Page loading, please wait...."

I came across one file (trifr.html) with a different message: "You are here because one of your friends have invited you to try our FREE TRIAL!!! Page loading, please wait...." This page redirected to a site advertising the weight loss drug, but this time it wasn't a fake Fox News site (see the last domain in the list below).

Following are the 30 fake news domains. The five with an asterisk are actually fake "7 Money News" sites with the headline "Work At Home Mum Makes $10,397/Month Part-Time" rather than fake Fox News sites with a headline of "HCG Ultra Drops to Help Your Weight Drop" like the first 25. The 31st domain listed below just advertises the weight loss drug without a fake news motif, but it was also linked from one of the files listed above. Note that these links lead to the Web of Trust reports, not the spamvertised domains themselves:,,,,,,,,,,,,,,,,,,,,,,,,,*,*,*,*,*,

Here are the 366 hacked domains that are currently hosting one or more of the files listed above. Again, these are links to Web of Trust reports, not the hacked domains themselves:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, (a Turkey government domain... whoops),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

It's clear looking through this list that very few locales and types of organizations have been spared from attacks by this hack-and-spam campaign. Churches, porn sites, government sites, and more have been compromised. You'll notice a surprising number of TLDs in there as well, representing a huge variety of countries and cultures (for example: .ar, .au, .ba, .bd, .be, .bg, .br, .ca, .cl, .cn, .cr, .cz, .de, .ec, .ee, .es, .eu, .fr, .gr, .hk, .hu, .il, .in, .it, .jm, .jp, .lt, .lv, .kg, .kw, .mc, .mx, .nl, .np, .pl, .ro, .rs, .sk, .th, .tr, .uk, .uy, .vn, .za, and even .cat).

Again, I recommend reading the Sophos article about this hack/spam/fraud campaign for additional tips on how to protect your e-mail accounts and Web servers.

UPDATE, 14 July 2012: I've added anti-virus detection information for some of the redirect files. I also added details about the messages displayed momentarily before a page redirection occurs.

For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter or .

No comments:

Post a Comment

Comment moderation is enabled. (If you wish to contact Josh privately, you can leave a comment and ask that it not be published.)