An attack directed at Yahoo! Mail users is now being utilized to drive traffic to scam and phishing sites. In the middle of it all are innocent and legitimate businesses whose websites have been hacked. The hacked websites serve no malware, do not appear on blacklists, and pass McAfee and Symantec security scanners. Sites built on WordPress and Joomla have been discovered as hosts.
Whether the Yahoo! Mail users were compromised via the XSS (cross site scripting) vulnerability announced on Jan 7, 2013, or via something more sinister, such as a server compromise, the end result is the same: Yahoo! mail accounts are being used to send email to their address books, which greatly increases the likelihood of deliverability. Recipients of the emails click on the links, since they are from a trusted source. If the recipient is a Yahoo! Mail user, there is a good chance that the website they click on, once rendered, will compromise their account and send emails to their contacts. The recipient, in addition to serving as a distribution vector, is also a target.
The scam: weight-loss products that fly under the radar of the FDA, only occasionally getting attention, because, to paraphrase the FDA, these scams do not represent severe health threats (they are not bubonic plague), and with its limited time and resources the FDA has more important things to do. How does the scam work?
Step 1: Email from a friend, pure SPAM, or Google Ad
The email shown below is what it would look like after your email service provider had received enough complaints to give you more information. This email was delivered to my inbox because it came from a trusted sender. Gmail is one of the best email providers, and prevents more spam than the leading competitors. This warning did not initially appear when the message arrived, however; it took time for Gmail to gather information and then start reporting the message as potentially harmful.
Another way the exploit could be initiated is that you search for Dr Oz within Google. Three ads pop up, and all appear innocuous. One even says “www.womensdigest.org” – that looks safe, right?
Whether you received an email or you conducted a Google search, the outcome is the same, you end up clicking on something that takes you to a landing page.
Step 2: Fake Health Article Landing Page
You search for the latest Dr. Oz promoted snake oil in Google and click on a promoted ad, or click on a link in an email – either from a friend or pure spam. Almost certainly, you are taken to a landing page that appears to be a consumer health or women’s health publication. On this fake landing page resides an article about the latest diet drops or pills, with a video of Dr. Oz. He has promoted the following over the last five years: Acai Berry, Raspberry Ketones, Green Coffee Bean, HCG drops, and most recently, Garcinia Cambogia.
Giveaways: Look at the URL. In the example below, it is actually “http://womenshealthmag.com-most-popular-deal.com/womens_healthgarcinia-a/garcinia1-index.php”. A quick glance at the logo would lead one to believe it is the Women’s Health site, and a quick glance at the URL would reinforce this. But the registered domain is “com-most-popular-deal.com”; “womenshealthmag” is merely a subdomain label in front of it, and the hyphen after “com” is what makes the hostname read like a real .com address. Tricky, huh!
Step 3: Link to e-Commerce Diet Pill site
There will be multiple links on the fake landing page to a webpage where you can place your order for whichever fake product was promoted on the landing page. These days, the rage is Garcinia Cambogia. While the links will have different titles, and seem to reference different articles or sources, they will all go to the same place, the e-Commerce site. Celebrity endorsements are common on these landing pages as well.
Step 4: Buy now at e-Commerce site
The last part of the chain is a website, likely to be laden with fake “trustmarks” (McAfee Secure, BBB Accredited, etc.) and fake testimonials, that will collect your credit card information in short order. The landing pages are simple, with a limited form to collect your name, address, phone, and email. On the next page, you will be prompted for credit card information. Either on the first or second page, trust marks will appear, and if you right-click on them you will see that they are a single static image, not a verified trust mark that links back to the issuer.
Be careful and don’t trust diet products on the web
These scams abound, and the legitimacy of Dr. Oz is a key piece to the scams identified thus far. Fake trust marks from Symantec, McAfee, and GoDaddy are common. Whether you have interest in the weight-loss product or not, if you are referred to a site that resembles a consumer health site, with an article about a new breakthrough product, accompanied by a video of Dr. Oz, the site is a fake intermediary, set up with the goal of directing you to purchase the product. There will always be a link on this page that takes you to a separate site on which you can purchase the product.
Just because you got an email from a friend, or clicked on a Google ad, does not mean the end destination is safe. Even if the product looks appealing, do not enter any personal information, log out of your Facebook/email/Twitter accounts, and if anything suspicious occurs, reset your password (especially if you are a Yahoo! Mail user).
What about Yahoo! and CodeGuard?
We came across these scams because websites and webservers are being compromised to make this process work. Sitting in between Yahoo! Mail recipients and the landing pages are redirecting webpages – on sites with legitimate reputations. These redirecting pages are used so that, as the landing pages and e-Commerce sites are reported and disabled, the ruse can continue with new landing pages receiving traffic while the trusted redirector stays the same.
The key question is: when will the FTC and FDA step in? With limited research, it is blatantly apparent that a multi-level marketing scheme based around products marketed through Dr. Oz’s television show is being used to defraud consumers.
Compromised Websites: WordPress & Joomla
The subject line of the email was “Breaking news”, so the landing page seemed to be appropriate: a breakthrough weight-loss product. If that were real, it would definitely be breaking news. One big problem – the URL we input was www.iolcus.gr, not mxxfox.com. Iolcus.gr’s website looks like this:
This is a WordPress site, and from this screenshot, you cannot tell the site has been compromised. The only way that the redirect could have functioned is if someone had write access to the folders on the webserver. There are countless ways for someone to get that access, so we won’t spend time on that part now. The important part is that I highly doubt Iolcus had any idea they were part of a diet-product scam. Another site that we observed to have been compromised was a Joomla! site.
This site was used to redirect to similar landing pages to those we have seen already. Some cleverness exists in the process of the redirects that makes it difficult to follow everything that is happening.
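As an added example (not code from the original post or from CodeGuard), the following script checks a redirect chain for the two signs described above: a trusted site silently handing the visitor to another registered domain, and a landing host that borrows a brand name as a subdomain label. The chain, the “/go.php” path on mxxfox.com and the single-brand list are constructed assumptions; the registered-domain logic is deliberately simplified to the last two labels.

```python
from urllib.parse import urlsplit

# Constructed redirect chain modelled on the post: the compromised WordPress site
# (www.iolcus.gr) bounces the visitor via mxxfox.com to a lookalike landing host.
# Only the first URL is one the user actually typed; "/go.php" is an assumed path.
SAMPLE_CHAIN = [
    "http://www.iolcus.gr/",
    "http://mxxfox.com/go.php",
    "http://womenshealthmag.com-most-popular-deal.com/womens_healthgarcinia-a/garcinia1-index.php",
]

# Brands whose names these landing pages borrow (assumption: Women's Health only).
KNOWN_BRANDS = {"womenshealthmag.com"}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname: 'www.iolcus.gr' -> 'iolcus.gr'.
    Simplification: production code should consult the Public Suffix List
    so that hosts under suffixes such as co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brand(url: str, brands=KNOWN_BRANDS):
    """Return (impersonated brand, real registered domain) when a brand's name
    appears as a label of a host whose registered domain is NOT that brand."""
    host = urlsplit(url).hostname or ""
    reg = registered_domain(host)
    if reg in brands:
        return None  # genuinely served from the brand's own domain
    for brand in brands:
        brand_label = brand.split(".")[0]
        # Treat hyphens as label separators so "womenshealthmag.com-most-..." is caught.
        if brand_label in host.lower().replace("-", ".").split("."):
            return brand, reg
    return None


def analyze_chain(chain, brands=KNOWN_BRANDS):
    """Flag an off-site redirect away from the requested domain and a
    lookalike landing host. Returns a list of finding tuples (empty if clean)."""
    findings = []
    origin = registered_domain(urlsplit(chain[0]).hostname or "")
    for hop in chain[1:]:
        reg = registered_domain(urlsplit(hop).hostname or "")
        if reg != origin:
            findings.append(("offsite_redirect", origin, reg))
            break  # report the first hand-off only
    hit = lookalike_brand(chain[-1], brands)
    if hit:
        findings.append(("lookalike_landing",) + hit)
    return findings
```

Feeding it the hop list recorded from a real visit (e.g. from a browser's network log) turns the “hard to follow” redirect process into two concrete findings a site owner can act on.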
Summary: When there’s smoke . . .
The processes used to market and sell these breakthrough diet products are complicated. Different companies seem to be involved in various aspects, with some sending SPAM emails, others using vulnerabilities to compromise webservers or commandeer users’ accounts without their knowing, and still others using Google AdWords. Customers are driven to landing pages that mislead and deceive. And then customers click and pursue their weight-loss dreams.
At this point, while there is a mountain of evidence that signals something nefarious about not just the marketing techniques used, but the underlying products themselves, we won’t comment more than to offer this one unique tidbit. Raspberry ketones were non-existent before Dr. Oz referenced them on February 6th, 2012. Since then, things seem to have progressed. You can research for yourself how green coffee beans, garcinia cambogia, HCG drops, African mango, and other miracle products have found their way to the market.