It isn’t easy being a spammer. Faced with continual challenges, both legal and technical, they must constantly adapt their methods to try to reach their victims while avoiding intervention by law enforcement. Phony diet pills are a perennial favorite of certain spammers, often backed by fake celebrity endorsements, but the latest campaigns have moved on from using their old favorite Oprah Winfrey. What’s more, in an attempt to gain consumer confidence, the ultimate landing page where the consumer is expected to part with their credit card details to obtain a “free” sample now has an HTTPS URL rather than plain old HTTP. To understand why these changes have happened, we first need to understand how the business of diet pill spam is structured.
Like many forms of cybercrime, there is not a single person or operation running things. In this case there are at least two types of criminal: the monetizers who are selling the diet pills, and the spammers who are driving traffic to the monetizers’ sites. The penalties associated with the two types of activity are quite different. Making fraudulent claims and selling the phony pills is consumer fraud, which falls under the jurisdiction of the Federal Trade Commission (FTC). The penalties are purely financial, and are usually limited to refunding whatever of the fraudulently obtained money is still left and being placed under a retaining order not to repeat the same scam. However, sending spam falls under the CAN-SPAM legislation and can result in criminal penalties. Also, spammers often use hacked websites as landing pages, and that is an offense under the Computer Fraud and Abuse Act (CFAA) which could put you in prison for five years for every website you hack. Because the penalties for monetizers are small and because they have to take credit card payment and ship a physical product, they are often based in the US. The spammers driving traffic and facing jail time if prosecuted are most probably offshore, or at least have such good operations security that they are impossible to trace.
In April 2015, the FTC filed suit against a major monetizer, Sale Slash, LLC of Glendale, California, and its owners. The case settled in February 2016, with a partially suspended judgement of $43.4 million, equal to the money Sale Slash had fraudulently obtained from consumers. Only about $10 million of that could actually be recovered. The rest had either been spent by the owners or used to pay off the several different spammers who had been driving traffic to the site. In particular, according to Sale Slash’s bank records, about $10 million had been sent to a bank account in Curacao owned by “Performance Marketing”. Of course, nobody is going to give up on a spam business bringing in millions of dollars, so “Performance Marketing” and their fellow spammers have found a new monetizer.
Oprah Winfrey’s lawyers provided evidence in the Sale Slash case that Oprah had never used or endorsed any diet pills. They may also have been involved in the case at an earlier stage and have requested that the FTC take action against the spammers. In any event, the spammers have apparently decided that they do not want to arouse the ire of Oprah any more, and have moved on to other targets.
The current campaign starts with a simple spam email. There is no real content except a link to a PHP script on a hacked web server. In an attempt to avoid detection, there is blank space left after the “http://”. The link goes to a landing page featuring the logo of the celebrity gossip site TMZ and a picture of Ellen DeGeneres with Gwen Stefani.
Fake TMZ Article
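A mail filter can close up the blank space after “http://” described above and treat the gap itself as a signal. The following is an added example, not code from the original article or from Cloudmark; the function names, the length threshold and the sample messages are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# "http://" or "https://", optional spaces/tabs (the evasion), then the URL body.
LINK_RE = re.compile(r"(?i)\b(https?)://([ \t]*)([^\s<>\"']+)")

def extract_links(body):
    """Return one dict per link, with any gap after the scheme closed up."""
    findings = []
    for m in LINK_RE.finditer(body):
        scheme, gap, rest = m.groups()
        url = f"{scheme.lower()}://{rest.rstrip('.,;:!?)')}"
        try:
            parts = urlsplit(url)
            host = parts.hostname
        except ValueError:          # malformed bracketed host
            continue
        # Prose such as "the http:// prefix" is not a link: after a gap,
        # require something that looks like a domain name.
        if not host or (gap and "." not in host):
            continue
        findings.append({
            "url": url,
            "host": host,
            "gap_after_scheme": bool(gap),
            "php_target": parts.path.lower().endswith(".php"),
        })
    return findings

def is_link_only_lure(body, max_other_chars=20):
    """True for a message that is little more than a gapped link.

    max_other_chars is an illustrative threshold, not a tuned value.
    """
    links = extract_links(body)
    leftover = LINK_RE.sub("", body).strip()
    return any(l["gap_after_scheme"] for l in links) and len(leftover) <= max_other_chars

# Constructed samples (reserved example domains, not real campaign data).
SAMPLE_SPAM = "http:// blog.example.net/wp-content/cache/r.php?id=4821\n"
SAMPLE_HAM = ("Hi Sam, the agenda for Thursday is at "
              "https://intranet.example.org/agenda. The old http:// prefix "
              "no longer works.")

if __name__ == "__main__":
    for name, body in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(name, is_link_only_lure(body), extract_links(body))
```

The normalized URL, rather than the raw text, is what should be passed on to reputation lookups and blocklists.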
Other celebrities featured in the fake news article include Blake Shelton, Khloe Kardashian, and John Goodman. The fake TMZ landing pages have been around for a while, and are potentially damaging TMZ’s brand. In February 2016, TMZ published an article on TV personality Dr. Oz being sued for promoting miracle diet pills on his TV show.
Real TMZ Article
Judging by the comments on this article, the spammers are causing very real confusion. One of the readers complained:
Work or not, the problem is the sales of the product. It appeared on TMZ, this web site, as an article about weight loss… TMZ has to be held responsible for scam sales, and that is what it is. As for the pills, it didn’t help me and I was not contacted to start any deliveries or additional card charges for monthly shipments, which appears to be the scam. Dr OZ is quoted in the story on TMZ this comment is attached to, and his endorsement of the product.
This page contains a button to obtain a “free” sample of the product (where “free” means “as many monthly charges as we can get on your credit card before you cancel it”) which takes you to a website with an HTTPS URL.
As usual with these sites, the monetizer has added as many logos as possible to attempt to give the consumer confidence in their product. The HTTPS URL is also intended to give confidence, so let’s make this very clear: Criminals can set up HTTPS websites too. All that little lock on the URL bar tells you is that your credit card information is going to the right criminal, and won’t be intercepted by some other criminal on the way.
It is clear that the monetizers are knowingly conspiring with the spammers who deliver the traffic to them. May we respectfully suggest to our friends at the FTC that the next time they file suit against a diet pill monetizer, they work with the Justice Department to charge them with conspiracy to violate the CFAA, and put them in prison. Cloudmark will be happy to provide a list of compromised websites.