A long-established porn spammer who uses compromised web servers to host his landing pages has modified his pitch to include copies of the recently released stolen photographs of naked celebrities, including a picture of McKayla Maroney which according to her lawyers was taken before she was eighteen years old, and so could be illegal under US law.
The attack dates back to September 2nd, just two days after the stolen photos started to be posted on 4Chan. Initially a static JPEG banner was added to the landing pages, containing nude pictures of Jennifer Lawrence, Kate Upton, and McKayla Maroney. On September 11th, the spammer started using a different banner. The new one, still in use, is an animated GIF. It adds a picture of Miley Cyrus to the original images, and alternates these pictures with images of hardcore pornography, using models who resemble the original celebrities. The first image is captioned “JUST IN: HACKED CELEBRITY PHOTOS AND VIDEOS FROM APPLE’S ICLOUD LEAK! HOTTEST NUDE CELEBS EXCLUSIVELY AT [redacted].COM” and the second one is captioned “JUST IN: HACKED CELEBRITY PHOTOS AND VIDEOS FROM APPLE’S ICLOUD LEAK! BIGGEST NUDE CELEBS ARCHIVE ON THE INTERNET FOR JUST $1”.
The spam that is promoting these pages is being sent from a worldwide botnet of hacked PCs. The spam itself is very simple. The subject line is blank, and the body contains nothing but a URL.
As with all spam, if you get a copy of one of these in your email box, either in your inbox or your spam folder, you should not click on the links. In general you should be alert to any email that contains only a link, without any reasonable explanation, even if it appears to come from someone you know. There is a high probability that the link leads to spam content or that clicking on the link could cause your computer to download a virus.
In this case, the URL leads to a file placed on a compromised web server. A limited number of file names are currently being used, and the files are all placed in the top directory of the web server. File names observed by our systems recently are inf.htm, copy_this_link_to_your_browser.htm, hidden_vids.htm, video.htm, movie.htm, movies.htm, and juicy_vids.htm.
Our automated scanning has counted several hundred compromised servers used for this spam over the past three weeks, including schools and church groups. A disproportionate number of them have characteristics of WordPress sites, so it’s probable that this spammer is exploiting vulnerabilities in WordPress or its plugins. While the HTML for the landing page is hosted on the compromised server, the images are not. Both the old and new banners described above, and the other pornographic images on the landing page, are all on the same server which is in the .ru domain and is hosted in Russia. However, if you were to click on the banner to make a purchase you would be taken to a website that is hosted in Massachusetts. This contains thumbnails of a large number of stolen celebrity photos and videos, including those described above.
Since the photograph of McKayla Maroney may constitute an illegal explicit photo of a child under US law, Cloudmark has reported the details of this content to the National Center for Missing and Exploited Children, and followed all the appropriate steps for handling of such content. Should any of the lawyers working on behalf of the celebrities whose photos were stolen require additional data on the web sites hosting and selling these photographs, please get in touch with the Cloudmark legal department.
Anyone running WordPress on their website should ensure that they are running the most up-to-date versions of the software, and be on the lookout for files that may have been added by a hacker. Cloudmark can also provide a web hosting provider with a list of compromised domains that our systems have detected which are hosted on their systems.
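One way a site owner or hosting provider could look for the landing pages described above, as an added example that is not Cloudmark's own tooling: it checks the top directory of a document root for the listed file names and counts successful requests for them in an access log. The function names, the common/combined log format and the sample log lines are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# File names reported in the article, all placed in the web server's top directory.
LANDING_NAMES = {
    "inf.htm", "copy_this_link_to_your_browser.htm", "hidden_vids.htm",
    "video.htm", "movie.htm", "movies.htm", "juicy_vids.htm",
}

# Assumed common/combined access log format: request line, then status code.
LOG_RE = re.compile(r'"(?:GET|HEAD) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')


def scan_docroot(docroot):
    """Return (name, UTC mtime) for listed file names in the top directory only."""
    hits = []
    for entry in Path(docroot).iterdir():
        if entry.is_file() and entry.name.lower() in LANDING_NAMES:
            mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
            hits.append((entry.name, mtime.isoformat(timespec="seconds")))
    return sorted(hits)


def landing_requests(log_lines):
    """Count status-200 requests for a listed name at the top level of the site."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0].lower()  # drop query string, ignore case
        if path.count("/") == 1 and path[1:] in LANDING_NAMES:
            counts[path] += 1
    return counts


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2014:10:01:02 +0000] "GET /hidden_vids.htm HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Sep/2014:10:01:05 +0000] "GET /wp-content/themes/x/video.htm HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [12/Sep/2014:10:02:11 +0000] "GET /Movies.htm?x=1 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Sep/2014:10:03:00 +0000] "GET /inf.htm HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(landing_requests(SAMPLE_LOG))
```

Names such as video.htm and movie.htm are generic, so a match is a prompt to review the file and its modification time against the site's own content, not proof of compromise.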