I’m seeing another round of weight loss spam that abuses third-party Yahoo accounts for sending. It is similar to the earlier “Raspberry Ultra Drops” weight loss spam that also used compromised Yahoo accounts.
One of the advertised domains is biggsetfatburningsecret.com, which is hosted on many different servers.
The domain is registered through Ukrainian registrar ukrnames.com using forged WHOIS contact details.
The buy link on that site redirects to authenticgreencoffee.com, a domain registered last July, with the owner hidden behind a WHOIS proxy.
Other domains, some of them part of the “Work from home mom” scam series, are hosted on the same servers.
The “work at home mom” scam series also used hacked Yahoo accounts for advertising websites that are made to look like network TV news sites, so these scams are probably related.
The spam senders are often abusing mail interfaces meant for mobile phones. The Yahoo message IDs of the spams contain some of these strings:
.androidMobile@web
.BPMail_high_noncarrier@web
.BPMail_high_carrier@web
.BPMail_low_noncarrier@web
.BPMail_low_carrier@web
Probably “.androidMobile” is for use by the Yahoo Mail for Android app, though the spam is not necessarily sent from Android phones. More likely it is just using the servers provided for Android, but accessing from a PC.
The “BPMail” IDs are an interesting one. I suspect the “_noncarrier” variants involve IP addresses not connected to one of the phone carriers that bundle Yahoo mail with their service, while the “_carrier” variants mean the IP address is part of the provider’s address pool, though it could be used by a PC accessing via a wireless broadband modem.
“High” and “low” could be an internally assigned spam rating, though that is mere speculation. However, “.BPMail_high_noncarrier” is the most common Google hit of these 4 that comes up when searching for information about this type of spam. When investigating a pool of spam samples, this was the order of declining frequency: “.BPMail_high_noncarrier” was by far the most frequent, followed by “.BPMail_high_carrier” and finally relatively small numbers of “.BPMail_low_noncarrier” and “.BPMail_low_carrier”.
The spam recipients (common numbers: 1, 3, 9 or 10) tend to include the last addresses the legitimate owner of the Yahoo account has emailed. So perhaps the spammers are harvesting email addresses from the “Sent” folder of the Yahoo account after gaining access to it.
I find it amazing that Yahoo has yet to find a way to close the vulnerability that allows this spam and fraud to continue, despite the months and years since it was first observed.
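A triage sketch for the header patterns described above, added here as an example and not code from the original post: it looks for the listed interface markers in the Message-ID, counts To/Cc recipients, and tallies markers across a sample pool. The markers and recipient counts come from the post; the sample messages, the `example` hostnames and the link-only body check are assumptions of this example.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Interface markers the post reports inside Yahoo Message-IDs of these spams.
MARKER_RE = re.compile(r"\.(androidMobile|BPMail_(?:high|low)_(?:non)?carrier)@web")
URL_RE = re.compile(r"https?://\S+")
COMMON_RCPT_COUNTS = {1, 3, 9, 10}  # recipient counts the post calls common


def features(raw):
    """Extract triage features from one raw message (headers plus body)."""
    msg = message_from_string(raw)
    m = MARKER_RE.search(msg.get("Message-ID", ""))
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    body = "" if msg.is_multipart() else msg.get_payload()
    # Assumption of this example: the body is a link plus at most a few words.
    rest = URL_RE.sub("", body).split()
    return {"marker": m.group(1) if m else None, "rcpts": len(rcpts),
            "link_only": bool(URL_RE.search(body)) and len(rest) <= 5}


def needs_review(raw):
    """Heuristic, not a verdict: legitimate mobile mail carries the same markers."""
    f = features(raw)
    return bool(f["marker"]) and f["rcpts"] in COMMON_RCPT_COUNTS and f["link_only"]


def marker_frequencies(raws):
    """Tally markers across a sample pool, most frequent first."""
    return Counter(f["marker"] for f in map(features, raws) if f["marker"]).most_common()


def _sample(msgid, n_rcpt, body):
    # Constructed test message; addresses and hosts use reserved example names.
    to = ", ".join(f"user{i}@example.net" for i in range(n_rcpt))
    return f"Message-ID: <{msgid}>\nFrom: owner@example.com\nTo: {to}\nSubject:\n\n{body}\n"


SAMPLES = [  # constructed, not captured traffic
    _sample("1.2.BPMail_high_noncarrier@web0.mail.example", 10, "http://site.example/x.php"),
    _sample("3.4.BPMail_high_noncarrier@web0.mail.example", 3, "http://site.example/y.php\nSee you"),
    _sample("5.6.androidMobile@web0.mail.example", 1, "Running late, can we meet at six? Thanks"),
    _sample("7.8@mail.example", 9, "http://site.example/z.php"),
]
```

Only the first two samples are flagged: the third carries a mobile marker but is an ordinary one-recipient note, and the fourth has the fan-out and link but no marker.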
Raspberry Ultra Drops scam also occurred through my msn cloud email account yesterday 1/31, sample with real msn email account obscured:
—————————————————-
From: xxxxxxx xxxxxx
Date: Thursday, January 31, 2013
Subject:
To: xxxxx, xxxxxx, xxxxx, [note: 10 email addresses]
http://www.bookandproch.com/components/com_content/fsearch.php?universe90.img
See you,
xxxxxxx@msn.com
1/31/2013 4:14:55 PM
Yes, I do see this type of spam with MSN/Hotmail accounts too, and AOL accounts too, but the volume for those is much, much lower.
For example, during one sample interval, one spam trap received one Hotmail spam and one AOL spam but 18 Yahoo spams. There must be something about Yahoo’s mail system that makes it particularly attractive/vulnerable to spammers.
April 2013
My girlfriend, some friends (contacts) and I have also been victims of this kind of scam about/from “Garcinia Cambogia”.
They first usurped and/or stole the Yahoo e-mail address of my girlfriend, and used it to send spam e-mail to some contacts she has in the e-mail contacts of her Android tablet.
Then, the e-mail contains a link (of a hacked domain account?) that is redirected to the following:
“http://getfatburningsecret.com/diet/GarciniaCambogiaDiet/index.html” (* No longer available after March 31, 2013) but similar to “biggsetfatburningsecret.com” you have noted, which also seems to be no longer available.
Question to myself: Do they use apps they deliver through Google Play (Android apps) to get e-mail addresses from Android app users for malicious use?
If you wish to get more info, you can reply to my e-mail address, adding [419] to the subject line. I have the entire e-mail header of the spam.
Best regards,
Roch
twitter.com/_Personne
Quebec, Canada
–
More weight loss / fake job spam domains: