I awoke the other day to a friend calling me and exclaiming into the phone: “My Yahoo email account was hacked !!!” He had been angrily accused by others in his contact list of sending spam messages and sharing inappropriate website links. Most of the questions he fielded had the same query: "Why did you send me to this site!?" He was pretty shocked about the ordeal and called me for help.
After checking my inbox, I too had received a message from my friend. We did a quick check of his account and learned that the password was apparently guessed or stolen and his email account was used to send over 20 emails with links to domains like “Canadian Neighbor Pharmacy” to his contact lists at 2:59 AM in the morning, while he was asleep:
Image 1 – View of spam messages in the Sent folder of compromised account
The catch with these messages here is that they originated from someone I knew, suggesting I could more likely trust the content. Below is an example of the email message as sent by a spammer using the stolen account credentials:
Image 2 – Example of spam email message
The following are other examples of spam messages sent in bulk by a spammer:
- Make your first step on the way to lose your weight!… malaysia*****.com/frie*ds_links.php?kogID=53at5
- Cool!!! You will be happy with the results!.. auxil*****.org/fri*nds_links.php?ipage=05wj4
- Move your ass at this site!… kds-l*****.de/fri*nds_links.php?ossiteid=97ho7
- Wow! Now I know where I can find everything I want to diversify my life!.. lausit*****.de/fri*nds_links.php?soSID=23oq3
- I hope you’ll enjoy after visiting this site…. comitemarnebi*****.com/fri*nds_links.php?hoqaolid=35ly8
Note the re-use of the PHP page “friends_links.php“. When a recipient of the email message clicks on the link in the message, it redirects them to the following fake Canadian Neighbor Pharmacy site:
Image 3 – Fake pharma site
With further research, I learned that the “Canadian Neighbor Pharmacy” site is part of a list of sites promoted by an underground organization called “Bulker.biz“. This organization encourages spammers and hackers to target email recipients from domains like Yahoo.com, Aol.com, Hotmail.com, etc. The site itself functions as a front for credit card fraud and identity theft by targeting unwitting users that register an account on the site and order promoted pharmaceuticals that may never arrive.
With the summer (or winter, depending on your hemisphere) among us, watch for seasonal or themed email messages too. Be alert to email messages with typos or bad form and a single hyperlink with little or no explanation about the link itself.
Special thanks to Patrick Nolan for contributing to this blog.
— Wei, MMPC
Leave a reply
