Hacked websites part of Yahoo! Mail exploit

An attack directed at Yahoo! Mail users is now being used to drive traffic to scam and phishing sites. Caught in the middle are innocent, legitimate businesses whose websites have been hacked to serve as redirectors. The hacked websites serve no malware, do not appear on blacklists, and pass the McAfee and Symantec site scanners. Sites built on WordPress and Joomla have been found acting as hosts.

Whether the Yahoo! Mail accounts were compromised via the XSS (cross-site scripting) vulnerability disclosed on Jan 7, 2013, or via something more serious such as a server compromise, the end result is the same: Yahoo! Mail accounts are being used to send email to their own address books, which greatly increases the likelihood of delivery. Recipients click the links because they come from a trusted sender. If a recipient is also a Yahoo! Mail user, there is a good chance that the page they land on, once rendered, will compromise their account too and mail their contacts. Each recipient is therefore both a target and a distribution vector.

The scam: weight-loss products that fly under the radar of the FDA and only occasionally draw attention because, to paraphrase the FDA, these scams do not represent severe health threats and, with the agency's limited time and resources, it has more pressing things to do. How does the scam work?

Step 1: Email from a friend, pure SPAM, or Google Ad

The email shown below is what the message looks like once your email provider has received enough complaints to attach a warning to it. It was delivered to my inbox because it came from a trusted sender. Gmail is one of the best email providers and stops more spam than the leading competitors, yet this warning did not appear when the message first arrived; it took time for Gmail to gather information and start flagging the message as potentially harmful.

Yahoo! Mail Compromise

Another way into the chain is a Google search for Dr. Oz. Three ads appear, and all look innocuous. One even says "www.womensdigest.org"; that looks safe, right?

Dr Oz Google Search

Whether you received an email or ran a Google search, the outcome is the same: you end up clicking on something that takes you to a landing page.

Step 2: Fake Health Article Landing Page

You search on Google for the latest snake oil promoted by Dr. Oz and click a sponsored ad, or you click a link in an email, whether from a friend or pure spam. Almost certainly you are taken to a landing page styled as a consumer health or women's health publication. On this fake landing page sits an article about the latest diet drops or pills, with a video of Dr. Oz. He has promoted the following over the last five years: Acai Berry, Raspberry Ketones, Green Coffee Bean, HCG drops and, most recently, Garcinia Cambogia.

Giveaways: look at the URL. In the example below it is actually "http://womenshealthmag.com-most-popular-deal.com/womens_healthgarcinia-a/garcinia1-index.php". A quick glance at the logo suggests the Women's Health site, and a quick glance at the URL reinforces that. But the hostname is a subdomain of "com-most-popular-deal.com", a domain the scammers control: the leading "womenshealthmag" label is just a subdomain name they chose, and the ".com-" that follows it is part of their registered domain, not the end of a Women's Health hostname. Tricky, huh!
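The check that unmasks this trick is to look at the registrable domain of the hostname (the part someone actually had to buy) rather than at the left-hand labels. The following is an added example, not code from the original post; it uses a two-label approximation of the registrable domain (an assumption that holds for plain .com hosts; a production check should consult the Public Suffix List) and a constructed brand table with a single entry.

```python
from urllib.parse import urlsplit

# Brand names a scam page tries to borrow, mapped to the registrable domain that
# really belongs to the brand. Constructed for this example; extend as needed.
BRAND_DOMAINS = {
    "womenshealthmag": "womenshealthmag.com",
}


def registrable_domain(host):
    """Two-label approximation of the registrable domain.

    Assumption: single-label public suffixes only. A production check should
    use the Public Suffix List so that hosts such as example.co.uk split
    correctly; this example stays dependency-free.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_url(url):
    """Report which brand the hostname looks like versus who controls it."""
    host = urlsplit(url).hostname or ""
    owner = registrable_domain(host)
    # A brand string that appears in the host while the registrable domain is
    # not the brand's own domain means the name is borrowed, not owned.
    borrowed = [brand for brand, real in BRAND_DOMAINS.items()
                if brand in host and owner != real]
    return {
        "host": host,
        "registrable_domain": owner,
        "impersonates": borrowed,
        "lookalike": bool(borrowed),
    }


if __name__ == "__main__":
    # The URL from the article next to the genuine Women's Health hostname.
    for u in ("http://womenshealthmag.com-most-popular-deal.com/womens_healthgarcinia-a/garcinia1-index.php",
              "http://www.womenshealthmag.com/weight-loss/"):
        print(analyse_url(u))
```

For the article's URL the registrable domain comes out as "com-most-popular-deal.com", which is not "womenshealthmag.com", so the hostname is flagged as a lookalike; the genuine www.womenshealthmag.com host passes. The same logic catches the other common arrangement, brand.com.attacker.example, because only the right-hand labels count.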

Fake Women's Health Landing Page

Step 3: Link to e-Commerce Diet Pill site

There will be multiple links on the fake landing page to a webpage where you can place your order for whichever fake product was promoted on the landing page. These days, the rage is Garcinia Cambogia. While the links will have different titles, and seem to reference different articles or sources, they will all go to the same place, the e-Commerce site. Celebrity endorsements are common on these landing pages as well.

Step 4: Buy now at e-Commerce site

The last link in the chain is an e-commerce site, typically laden with fake "trust marks" (McAfee Secure, BBB Accredited, etc.) and fake testimonials, that collects your credit card details in short order. The order pages are simple: a short form for your name, address, phone and email, followed by a second page asking for credit card information. On one of these pages the trust marks appear; right-click one and you will find it is a plain image, not a verifiable seal.

Garcinia Cambogia e-Commerce

Garcinia Cambogia 2

Be careful and don’t trust diet products on the web

These scams abound, and Dr. Oz's credibility is a key ingredient in every scam identified so far. Fake trust marks from Symantec, McAfee and GoDaddy are common. Whether or not you are interested in the weight-loss product, if you are referred to a site that resembles a consumer health publication, with an article about a new breakthrough product and a video of Dr. Oz, the site is a fake intermediary set up to steer you toward purchasing the product. There will always be a link on this page to a separate site on which you can buy it.

Just because you got an email from a friend, or clicked on a Google ad, does not mean the end destination is safe. Even if the product looks appealing, do not enter any personal information, log out of your Facebook, email and Twitter accounts, and if anything suspicious occurs and you are a Yahoo! Mail user, reset your password.

What about Yahoo! and CodeGuard?

We came across these scams because websites and webservers are being compromised to make this process work. Sitting in between the Yahoo! Mail recipients and the landing pages are redirecting webpages on sites with legitimate reputations, which is why the emailed links pass reputation checks. These redirectors exist so that, as landing pages and e-commerce sites are reported and taken down, they can simply be pointed at new landing pages and the ruse continues.

The key question is: when will the FTC and FDA step in? Even limited research makes it apparent that a multi-level marketing scheme built around products promoted on Dr. Oz's television show is being used to defraud consumers.

Compromised Websites: WordPress & Joomla

Here is how the compromised websites are being used. A member of our team received an odd email from a friend and, after firing up a virtual machine and disabling JavaScript in the browser, pasted in the link: http://www.iolcus.gr/kfaiyjg/ddswjet. A rapid redirect occurred, and this is the website that was displayed.

Fraudulent Landing Page

The subject line of the email was "Breaking news", so the landing page seemed to fit: a breakthrough weight-loss product. If that were real, it would indeed be breaking news. One big problem: the URL we entered was www.iolcus.gr, not mxxfox.com. Iolcus.gr's website looks like this:

Hacked website: Iolcus.gr

This is a WordPress site, and from this screenshot you cannot tell it has been compromised. A path like /kfaiyjg/ddswjet is not part of a stock WordPress install, so something on the server had to answer it, and the only way the redirect could have functioned is if someone had write access to the site's files on the webserver. There are countless ways to obtain that access, so we won't spend time on that part now. The important point is that Iolcus almost certainly had no idea it was part of a diet-product scam. Another site we observed to have been compromised was a Joomla! site.
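For a site owner wondering whether their own WordPress or Joomla! install is answering paths like this, the first places to look are the .htaccess rules and any recently changed PHP files. The script below is an added example, not the post's or CodeGuard's own tooling: it walks a webroot and reports .htaccess rules that redirect to an external host and PHP files modified in the last fortnight that contain a redirect or obfuscation primitive. The regexes are heuristics, the sample tree it builds is constructed (the directory name follows the one in the article's URL, the file contents are made up), and the hostnames are reserved .example names.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic patterns, constructed for this example. Legitimate plugins can match
# them too, so a hit means "look at this", not "this is malicious".
HTACCESS_REDIRECT = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+.*https?://[^\s]+",
    re.IGNORECASE | re.MULTILINE)
PHP_REDIRECT_OR_OBFUSCATION = re.compile(
    r"header\s*\(\s*['\"]Location:|base64_decode\s*\(|eval\s*\(|gzinflate\s*\(",
    re.IGNORECASE)


def triage_webroot(root, recent_days=14, now=None):
    """Walk a CMS webroot and return findings, sorted by path:
    - any .htaccess rule that sends visitors to an external http(s) URL
    - any .php file changed within `recent_days` that contains a redirect or
      obfuscation primitive (`now` can be overridden for reproducible runs)."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if name == ".htaccess":
                for m in HTACCESS_REDIRECT.finditer(text):
                    findings.append({"file": rel,
                                     "reason": "htaccess rule redirects to an external host",
                                     "evidence": m.group(0).strip()})
            elif path.suffix.lower() == ".php":
                age_days = (now - path.stat().st_mtime) / 86400.0
                m = PHP_REDIRECT_OR_OBFUSCATION.search(text)
                if m and age_days <= recent_days:
                    findings.append({"file": rel,
                                     "reason": "recently modified PHP with redirect/obfuscation primitive",
                                     "evidence": m.group(0)})
    return sorted(findings, key=lambda f: f["file"])


def build_demo_webroot():
    """Constructed sample tree: a clean theme file, a dropped .htaccess rule and
    a dropped PHP redirector under a random-looking directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    theme = Path(root, "wp-content", "themes", "demo")
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text("<?php\nadd_action('init', 'demo_init');\n")
    Path(root, ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteRule ^kfaiyjg/(.*)$ http://landing.example/$1 [R=302,L]\n")
    drop = Path(root, "kfaiyjg")
    drop.mkdir()
    (drop / "ddswjet.php").write_text(
        "<?php header('Location: http://landing.example/?k=' . base64_decode('eA==')); exit;\n")
    return root


if __name__ == "__main__":
    for finding in triage_webroot(build_demo_webroot()):
        print(finding)
```

Run against the sample tree it reports the .htaccess rule and kfaiyjg/ddswjet.php and stays quiet about the clean theme file. On a real server, compare any hit against a known-good copy (a backup or the upstream package) before deleting it, since the mtime filter only narrows the search and attackers can reset timestamps.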

Hacked website: Joomla!

This site was used to redirect to landing pages similar to those we have already seen. The redirect chain involves several hops and some cleverness that makes it hard to follow everything that is happening.
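Following such a chain by hand is error-prone because the hops use different mechanisms: an HTTP 3xx Location header, an HTML meta refresh, or a JavaScript assignment to location. The chain logger below is an added example, not code from the original post. It takes any fetch function that returns (status, headers, body) without auto-following redirects, records which mechanism produced each hop, and stops on loops. The SAMPLE_SITE table stands in for the network and is entirely constructed, with reserved .example hostnames rather than the sites named in the article.

```python
import re
from urllib.parse import urljoin

# Three ways a page can send the browser somewhere else. Constructed patterns
# for this example; they cover the common cases, not every obfuscation.
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*content\s*=\s*[\"']\s*\d+\s*;\s*url\s*=\s*([^\"'\s>]+)",
    re.IGNORECASE)
JS_LOCATION = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']"
    r"|location\.(?:replace|assign)\s*\(\s*[\"']([^\"']+)[\"']\s*\)",
    re.IGNORECASE)


def next_hop(url, status, headers, body):
    """Return (mechanism, absolute_url) if this response redirects, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and lowered.get("location"):
        return "http", urljoin(url, lowered["location"])
    m = META_REFRESH.search(body)
    if m:
        return "meta-refresh", urljoin(url, m.group(1))
    m = JS_LOCATION.search(body)
    if m:
        return "javascript", urljoin(url, m.group(1) or m.group(2))
    return None


def follow(url, fetch, max_hops=10):
    """Follow a redirect chain. `fetch(url)` must return (status, headers, body)
    and must not follow redirects itself. Returns (chain, outcome) where
    outcome is 'landed', 'loop' or 'max-hops'."""
    chain = [{"url": url, "via": "start"}]
    seen = {url}
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        hop = next_hop(url, status, headers, body)
        if hop is None:
            return chain, "landed"
        via, url = hop
        chain.append({"url": url, "via": via})
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "max-hops"


# Constructed stand-in for the network: a hacked site answers a random-looking
# path with an HTTP redirect, the next page uses a meta refresh, and a tracker
# needs JavaScript before the fake article appears.
SAMPLE_SITE = {
    "http://hacked-site.example/kfaiyjg/ddswjet":
        (302, {"Location": "/kfaiyjg/go.php"}, ""),
    "http://hacked-site.example/kfaiyjg/go.php":
        (200, {"Content-Type": "text/html"},
         '<html><head><meta http-equiv="refresh" content="0;url=http://tracker.example/click?id=7">'
         '</head></html>'),
    "http://tracker.example/click?id=7":
        (200, {"Content-Type": "text/html"},
         '<script>window.location.href="http://landing.example/breaking-news/";</script>'),
    "http://landing.example/breaking-news/":
        (200, {"Content-Type": "text/html"}, "<html><body>Fake health article</body></html>"),
}


def sample_fetch(url):
    return SAMPLE_SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    chain, outcome = follow("http://hacked-site.example/kfaiyjg/ddswjet", sample_fetch)
    for hop in chain:
        print(f"{hop['via']:>13}  {hop['url']}")
    print(outcome)
```

The "via" column is the useful part when analysing a chain like the one above: hops marked "http" or "meta-refresh" fire even with JavaScript disabled (which is why our team member was still redirected), while a "javascript" hop is where a no-script browser would stop, so the landing page may differ depending on the client. Plug in a real fetcher with redirects disabled to run it against live sites.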

Summary: When there’s smoke . . .

The processes used to market and sell these breakthrough diet products are complicated. Different companies seem to be involved in the various stages: some send spam email, others use vulnerabilities to compromise webservers or commandeer users' accounts without their knowledge, and still others buy Google AdWords. Customers are driven to landing pages that mislead and deceive. And then they click and pursue their weight-loss dreams.

At this point, while there is a mountain of evidence that something is amiss not just with the marketing techniques but with the underlying products themselves, we will offer only this one tidbit: raspberry ketone supplements were essentially unheard of before Dr. Oz mentioned them on February 6, 2012. Since then, things have progressed. You can research for yourself how green coffee beans, garcinia cambogia, HCG drops, African mango and other miracle products have found their way to market.

Dr. Oz, Raspberry Ketones, and Garcinia Cambogia

Comments

  1. This is exploding. My computer, wife’s, son’s. Friends of friends. And NOT A WORD from Yahoo. Nothing. No warnings, no info, and you can’t get a hold of anyone at Yahoo to discuss. “Not their problem….must be a virus on YOUR computer” Bull! It’s a yahoo problem because how else does a single company of hackers get into SO MANY yahoo accounts?

  2. Does Yahoo care at all? I had the same experience as Allard. First all of my Yahoo contacts received a SPAM email, supposedly from me. It contains a link to a Garcinia Cambogia product promoted by Dr. Oz. After hours of research and discussions with HP, Norton and my ISP, all I could do was scan my computer for viruses with multiple tools, and not find anything related to this issue.
    Norton claims it cannot access the web based email accounts such as Yahoo to notify me of suspicious content because Yahoo indicates to Norton that the email is “trustworthy”. As with Allard, Yahoo cannot be contacted in any way about this, all they provided was a link that indicated to change my Yahoo password and scan all of my contacts to find and delete a suspicious one. I changed my password and found no suspicious contacts, but I did delete all unnecessary ones.
    Two weeks later, another round of this SPAM was sent out to all of my contacts, including contacts that I had already deleted!! It leads me to the fact that all of my contacts were COPIED and STOLEN from me, so the SPAMMERS can continue to send them out and I cannot do a thing about it!!
    EXCEPT, that I can recommend to everyone that they do NOT use Yahoo as their email provider because they DO NOT CARE about you and your impression to all of your contacts. I believe that my contacts were accessed through the Yahoo email server, not my computer.

  3. I am with TalkTalk, not Yahoo, but I am getting about 8 emails a day (minimum) from different senders, all leading back to the Women’s Health “lose belly fat like Oprah” via Garcinia Cambogia. Does ANYONE know how to stop them????

  4. I learned a long time ago about Yahoo; I only use their email for garbage like Facebook login and Instagram, etc. I have zero important info with Yahoo.
