Pinterest was hit this week by a vast diet pill spam attack from a well-established cyber criminal gang we call the Com Spammers. As well as attacking social networking sites such as Pinterest, they have been active for years in email and SMS spam. Their landing pages often contain video clips from the Dr. Oz Show, though the doctor has denied responsibility for the use of his name and image by spammers. Here are some more details on the structure and techniques used by the Com Spammers.
First, the name. We call them the Com Spammers because many of the domain names they use in landing pages contain a “com” followed by a hyphen, so that the URL appears to belong to a more authoritative web site. For example, one of the landing pages used in the Pinterest spam was http://womenshealth.com-june2014.us. At first glance the domain name looks like womenshealth.com, but a hyphen is a legal hostname character, so the registrable domain is actually com-june2014.us (a cheap .us registration) and “womenshealth” is just a subdomain label the spammers control. That is a lot less impressive looking, and it is exactly the kind of thing a hurried reader, or a naive URL filter that matches on the first two labels, gets wrong.
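To make the point concrete, here is a small Python triage script (an added example, not code from the original post) that extracts the hostname from a URL, works out the registrable domain, and flags hosts where a TLD-lookalike label such as “com-” sits in front of the real suffix. The public-suffix table is a constructed, deliberately tiny stand-in for the Public Suffix List so the script runs offline; a real deployment would load the full list (for instance via the tldextract package).

```python
"""Flag hostnames that put a TLD-lookalike label ("com-...") in front of the
real registrable domain, as in womenshealth.com-june2014.us.

Added example, not from the original post.  The suffix table below is a
constructed stand-in for the Public Suffix List.
"""
import re
from urllib.parse import urlsplit

# ASSUMPTION: a handful of suffixes is enough for the demo.  Production code
# should load the full Public Suffix List (e.g. via the tldextract package).
PUBLIC_SUFFIXES = {"com", "net", "org", "us", "uk", "co.uk", "org.uk", "ly"}

# A registrable-domain label that starts with a TLD token and a hyphen is the
# Com Spammers' signature: the hyphen is a legal hostname character, so
# "com-june2014.us" is a perfectly valid (and cheap) .us registration.
TLD_LOOKALIKE = re.compile(r"^(com|net|org|edu|gov)-", re.IGNORECASE)


def registrable_domain(host):
    """Return the public suffix plus one label, or None if host is a bare suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host down to the bare TLD; the first hit is the
    # longest matching public suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def analyse(url):
    """Describe what a hurried reader sees versus who really owns the host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    result = {"host": host, "registrable": reg, "lookalike": False, "spoofed": None}
    if reg is None:
        return result
    labels = host.split(".")
    reg_labels = reg.split(".")
    prefix = labels[: len(labels) - len(reg_labels)]  # subdomain labels only
    m = TLD_LOOKALIKE.match(reg_labels[0])
    if prefix and m:
        # The reader's eye stops at "womenshealth.com"; the registrar's
        # record says com-june2014.us.
        result["lookalike"] = True
        result["spoofed"] = f"{prefix[-1]}.{m.group(1).lower()}"
    return result


if __name__ == "__main__":
    # Constructed sample: the landing page from the post plus two benign hosts.
    for u in ("http://womenshealth.com-june2014.us/",
              "http://www.womenshealthmag.com/",
              "http://bit.ly/abc"):
        print(analyse(u))
```

Run against the landing page from the post it reports the registrable domain as com-june2014.us and the spoofed brand as womenshealth.com, while the genuine www.womenshealthmag.com comes back clean. Treat the flag as a triage signal rather than a verdict: a label beginning with “com-” is not illegal, so the check belongs alongside domain age, registrar and the rest of the reputation data, not in place of it.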
The design of the landing page is copied from a genuine news or magazine web site. Here’s the Com Spammers’ current landing page alongside the genuine site at http://womenshealthmag.com/ that it is copied from.
“NO EXERCISE * NO DIET * NO EFFORT * NO EXCUSES” – It sounds great. But scroll down to the fine print below the fold, and you find: “It is recommended that users follow a strict diet and exercise regimen to achieve weight loss results.” Customers who have ordered report that they were enrolled in a recurring subscription for diet pills and are billed about $100 every month for a worthless placebo.
We believe this operation has a three-level structure. At the bottom are a number of different spammers (affiliates) who send out unsolicited advertising by email, SMS, and social media, using a variety of techniques. Several of them use compromised web servers to provide a large number of call-to-action URLs on domains with good reputation. Others use URL shorteners such as bit.ly and t.co. Spam may be sent using botnets or mass-produced webmail accounts. Having multiple affiliates gives the central organization a more robust income stream: if one technique gets blocked, the others may still be generating business. The recent takeover of the GameOver Zeus botnet also took down the Cutwail spam-sending tool that some of these affiliates were using. However, it’s clear the affiliate behind the Pinterest attack was still able to send them plenty of traffic.
In the middle is a single group that produces the fake news site landing pages. From there, traffic is directed to several different groups for monetization. Diet pills are not the only scam the Com Spammers are promoting. We also see them pushing phony work from home (WFH) schemes, miracle anti-aging skin cream, and ‘free’ cruises. Once again, having multiple forms of monetization provides a robust income stream. In February the FTC shut down a Utah-based gang alleged to be operating a pernicious work from home scam. As we shared in a recent PC Magazine article, a few days after that happened we saw the Com Spammers stop promoting WFH schemes, and links that had been going to WFH landing pages switched to diet pills. A few weeks later they were back in business with the WFH spam, though at a lower level. It looks like the Com Spammers have found someone else to monetize this scam.
The Com Spammers’ landing pages contain a video that starts playing as soon as the page loads. For the diet pill landing pages, it is usually a clip from the Dr. Oz Show. Dr. Mehmet Oz is a successful American television entertainer who, in order to boost his ratings, gives credence to the claims of diet pill promoters, however absurd. Though Dr. Oz claims not to benefit financially from these diet scams, it has been suggested that by giving a platform to their promoters he is exposing his more impressionable viewers to false hope and financial fraud. It was particularly nice to see him being put on the spot for this by a US Senate hearing this week. Senator Claire McCaskill asked him: “You’ve been trained in science-based medicine… I don’t get why you need to say this stuff when you know it’s not true. When you have this amazing megaphone, why would you cheapen your show?… With power comes a great deal of responsibility.” Exactly!
Two years ago I reported in this blog on a new black hat tool for spamming Pinterest. I wrote then, “It’s quite possible that the long term growth and survival of Pinterest will depend on how effectively they can respond to the script kiddies who are currently testing their defenses, and to the tier one operators who will follow once the profitability of spamming there has been demonstrated.” Clearly the tier one operators are there with a vengeance, and that statement remains as true as ever. If anyone from the Pinterest InfoSec or Abuse departments reads this, I am interested in collaborating with you in dealing with these attackers. Please use the comment form to get in touch with me. (Comments are moderated, so your contact information will not be published.) Let’s see what we can do to put these guys out of business.
If you are using Pinterest and you see spam, or anything else objectionable, you can report it by opening the post, clicking on the flag in the bottom right-hand corner and then selecting the appropriate category from the pop-up menu: