Garcinia Cambogia weight loss spam from hacked Yahoo accounts

I’m seeing another round of weight loss spam that abuses hacked third-party Yahoo accounts for sending. It is similar to the earlier “Raspberry Ultra Drops” weight loss spam that also used compromised Yahoo accounts.

Here is one of the advertised domains, which is hosted on many different servers:

biggsetfatburningsecret.com. 1439 IN A 91.207.7.134
biggsetfatburningsecret.com. 1439 IN A 94.75.193.33
biggsetfatburningsecret.com. 1439 IN A 94.75.193.38
biggsetfatburningsecret.com. 1439 IN A 142.0.79.134
biggsetfatburningsecret.com. 1439 IN A 142.0.79.140
biggsetfatburningsecret.com. 1439 IN A 176.53.119.24
biggsetfatburningsecret.com. 1439 IN A 176.53.119.27
biggsetfatburningsecret.com. 1439 IN A 176.53.119.68
biggsetfatburningsecret.com. 1439 IN A 176.53.119.69
biggsetfatburningsecret.com. 1439 IN A 198.144.156.42
biggsetfatburningsecret.com. 1439 IN A 199.116.117.166
biggsetfatburningsecret.com. 1439 IN A 199.127.98.117

The domain is registered through Ukrainian registrar ukrnames.com using forged WHOIS contact details.

The buy link on that site redirects to authenticgreencoffee.com, a domain registered last July, with the owner hidden behind a WHOIS proxy.

Other domains hosted on the same servers, some of which are part of the “Work from home mom” scam series:

bestfoodsforburningfat1.com
biggsetfatburningsecret.com
biggsetweightlosssecret.com
bigjim-foods.com
blogprogramflatstomach.com
blogquickprogramdiet.com
burnfatinfewdays.com
dietsforburningfat.com
eatingplansforweightloss.com
getflatstomachtoday.com
getweightlossandburnfat.com
icbs-news.com
icm-news.com
ircnn-news.com
losingweightrapidly.com
mnc-news.com
myscecretweightlosssolution.com
neverseeweightlossagain.com
plantipsflatstomach.com
plantodayflatstomach.com
rapidweightloss-blog.com
realmenshealthblog.com
revolutionarydiet2013.com
revolutionarydietformula.com
revolutionarydietloss2013.com
revolutionarydietsolution2013.com
revolutionarydietsolutions.com
revolutionarydietweightloss.com
revolutionarydietweightloss2013.com
revolutionarydietweightlosssolution.com
revolutionarydietweightlosssolution2013.com
revolutionaryfatburning.com
revolutionaryfatburningformula.com
revolutionaryfatburningmethod.com
revolutionaryflatstomachsystem.com
revolutionarynaturaldiet.com
revolutionarynaturalweightlosssystem.com
revolutionaryweightloss1.com
revolutionaryweightloss2013.com
revolutionaryweightlossdietplan.com
revolutionaryweightlossdietsolution.com
revolutionaryweightlossdietsolutions.com
revolutionaryweightlossplan.com
revolutionaryweightlosssolution.com
secretultrafastdiet.com
solutionflatstomachsecretsnow.com
solutionflatstomachtoday.com
solutionwithweightonline.com
thebigjim.com
tipsflatstomachquick.com
tipsflatstomachsystem.com
tipsprogramflatstomach.com
todayblogflatstomach.com
todayflatstomachblog.com
todayflatstomachquick.com
todayquickflatstomach.com
ultrafastsecretsdiet.com
weightlossgreatnews.com
weightlossthatworkisnotmagicpill.com
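The pivot used above (one domain with a dozen A records, then every other domain that resolves to the same servers) is easy to automate. The following is an added example, not code from the original post: it parses dig-style answer lines into a name-to-IP map and reports which names share addresses with a seed domain. The twelve biggsetfatburningsecret.com records are the ones quoted above; the records for the other names are constructed for the example, since the post says they sit on the same servers but does not list their individual addresses.

```python
import re
from collections import defaultdict

# One dig-style answer line: "<name>. <ttl> IN A <ipv4>"
_A_RECORD = re.compile(
    r"^(?P<name>[^\s]+?)\.?\s+(?P<ttl>\d+)\s+IN\s+A\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_a_records(text):
    """Map each name to the set of IPv4 addresses its A records point at.

    Lines that are not A records (comments, NS/MX answers, blanks) are ignored.
    """
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = _A_RECORD.match(line.strip())
        if m:
            hosts[m.group("name").lower()].add(m.group("ip"))
    return dict(hosts)


def _ip_key(ip):
    """Numeric sort key, so 94.75.193.33 sorts before 176.53.119.24."""
    return tuple(int(octet) for octet in ip.split("."))


def domains_per_ip(hosts):
    """Invert the mapping: which names sit on each server?"""
    by_ip = defaultdict(set)
    for name, ips in hosts.items():
        for ip in ips:
            by_ip[ip].add(name)
    return dict(by_ip)


def pivot(hosts, seed, min_shared=1):
    """Names that share at least `min_shared` A-record IPs with `seed`.

    Returns {name: [shared ips]} so the analyst can see why each hit was linked.
    Raising min_shared filters out names that merely share one busy hosting box.
    """
    seed_ips = hosts.get(seed, set())
    hits = {}
    for name, ips in hosts.items():
        if name == seed:
            continue
        shared = ips & seed_ips
        if len(shared) >= min_shared:
            hits[name] = sorted(shared, key=_ip_key)
    return hits


# The biggsetfatburningsecret.com lines are the records quoted in the post.
# The remaining lines are CONSTRUCTED for this example.
SAMPLE_DIG = """\
biggsetfatburningsecret.com. 1439 IN A 91.207.7.134
biggsetfatburningsecret.com. 1439 IN A 94.75.193.33
biggsetfatburningsecret.com. 1439 IN A 94.75.193.38
biggsetfatburningsecret.com. 1439 IN A 142.0.79.134
biggsetfatburningsecret.com. 1439 IN A 142.0.79.140
biggsetfatburningsecret.com. 1439 IN A 176.53.119.24
biggsetfatburningsecret.com. 1439 IN A 176.53.119.27
biggsetfatburningsecret.com. 1439 IN A 176.53.119.68
biggsetfatburningsecret.com. 1439 IN A 176.53.119.69
biggsetfatburningsecret.com. 1439 IN A 198.144.156.42
biggsetfatburningsecret.com. 1439 IN A 199.116.117.166
biggsetfatburningsecret.com. 1439 IN A 199.127.98.117
icbs-news.com.               3600 IN A 91.207.7.134
revolutionarydiet2013.com.   3600 IN A 94.75.193.33
revolutionarydiet2013.com.   3600 IN A 176.53.119.24
unrelated.example.           3600 IN A 203.0.113.10
unrelated.example.           3600 IN NS ns1.unrelated.example.
"""

if __name__ == "__main__":
    hosts = parse_a_records(SAMPLE_DIG)
    for name, shared in pivot(hosts, "biggsetfatburningsecret.com").items():
        print(f"{name}: shares {', '.join(shared)}")
```

In practice the input is the output of `dig +noall +answer` over a list of candidate names, or a passive-DNS export; the parser only cares about the record shape, not where it came from.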

The “work at home mom” scam series also used hacked Yahoo accounts for advertising websites that are made to look like network TV news sites, so these scams are probably related.

The spam senders are often abusing mail interfaces meant for mobile phones. The Yahoo message IDs of the spams contain one of these strings:

.androidMobile@web
.BPMail_high_noncarrier@web
.BPMail_high_carrier@web
.BPMail_low_noncarrier@web
.BPMail_low_carrier@web

Probably “.androidMobile” is for use by the Yahoo Mail for Android app, though the spam is not necessarily sent from Android phones. More likely it is just using the servers provided for Android, but accessing from a PC.

The “BPMail” IDs are an interesting one. I suspect the “_noncarrier” variants involve IP addresses not connected to one of the phone carriers that bundle Yahoo mail with their service, while the “_carrier” variants mean the IP address is part of the provider’s address pool, though it could be used by a PC accessing via a wireless broadband modem.

“High” and “low” could be an internally assigned spam rating, though that is mere speculation. However, “.BPMail_high_noncarrier” is the most common of the four in Google hits when searching for information about this type of spam. In a pool of spam samples I investigated, the order of declining frequency was the same: “.BPMail_high_noncarrier” was by far the most frequent, followed by “.BPMail_high_carrier”, with relatively small numbers of “.BPMail_low_noncarrier” and “.BPMail_low_carrier”.
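To count these markers over a mailbox or a spam-trap folder, it is enough to pull the token that sits between the last dot and the “@web…” of the Message-ID and tally it, together with the recipient count discussed below. The code that follows is an added example, not something from the original post or from Yahoo: it relies only on the “.TOKEN@web…” shape visible in the samples above, the five sample messages are constructed (the host names and addresses are made up, hence the .example suffixes), and “YahooMailNeo” is included merely as a token outside the list of interest.

```python
import email
import email.utils
import re
from collections import Counter

# The markers quoted above sit between the last "." and the "@" of the
# Message-ID, and the host part begins with "web". Only that much is taken from
# the observed samples; the numeric fields in front of the token are not relied on.
_YAHOO_TOKEN = re.compile(r"\.(?P<token>[A-Za-z0-9_]+)@(?P<host>web[\w.-]+)>?\s*$")

KNOWN_TOKENS = frozenset({
    "androidMobile",
    "BPMail_high_noncarrier",
    "BPMail_high_carrier",
    "BPMail_low_noncarrier",
    "BPMail_low_carrier",
})


def submission_token(message_id):
    """Return the interface token from a Yahoo webmail Message-ID, or None.

    Anything without the ".TOKEN@web..." shape (other providers, desktop
    clients, a missing header) yields None.
    """
    if not message_id:
        return None
    m = _YAHOO_TOKEN.search(message_id.strip())
    return m.group("token") if m else None


def recipient_count(msg):
    """Number of distinct addresses in To: and Cc:."""
    addrs = email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return len({addr.lower() for _, addr in addrs if addr})


def analyze(raw):
    """Pull the two indicators discussed in the post out of one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    token = submission_token(msg.get("Message-ID"))
    return {
        "token": token if token in KNOWN_TOKENS else "other",
        "recipients": recipient_count(msg),
    }


def tally(raw_messages):
    """Frequency of each submission token across a sample pool."""
    return Counter(analyze(raw)["token"] for raw in raw_messages)


# CONSTRUCTED samples: Message-ID shapes follow the markers above, everything
# else (hosts, addresses, bodies) is invented.
SAMPLE_MESSAGES = [
    "From: owner@example.com\n"
    "To: alice@example.com, bob@example.org, carol@example.net\n"
    "Subject: hi\n"
    "Message-ID: <1362000001.10001.BPMail_high_noncarrier@web140101.mail.yahoo.example>\n"
    "\n"
    "http://biggsetfatburningsecret.com/\n",

    "From: owner@example.com\n"
    "To: dave@example.com\n"
    "Subject: hi\n"
    "Message-ID: <1362000002.10002.androidMobile@web121601.mail.yahoo.example>\n"
    "\n"
    "check this out\n",

    "From: owner@example.com\n"
    "To: erin@example.com\n"
    "Cc: frank@example.org, Frank <frank@example.org>, grace@example.net\n"
    "Subject: hi\n"
    "Message-ID: <1362000003.10003.BPMail_high_noncarrier@web140102.mail.yahoo.example>\n"
    "\n"
    "lose weight fast\n",

    "From: owner@example.com\n"
    "To: heidi@example.com\n"
    "Subject: re: lunch\n"
    "Message-ID: <1362000004.10004.YahooMailNeo@web121602.mail.yahoo.example>\n"
    "\n"
    "see you at noon\n",

    "From: ivan@example.net\n"
    "To: owner@example.com\n"
    "Subject: invoice\n"
    "Message-ID: <20130301.abc123@mail.example.net>\n"
    "\n"
    "attached\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(analyze(raw))
    print(tally(SAMPLE_MESSAGES))
```

The token alone does not prove abuse (legitimate phone users produce the same IDs), so it is best used as one feature alongside the recipient count and the advertised domains.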

The spam recipients (common numbers: 1, 3, 9 or 10) tend to include the last addresses the legitimate owner of the Yahoo account has emailed. So perhaps the spammers are harvesting email addresses from the “Sent” folder of the Yahoo account after gaining access to it.

I find it amazing that Yahoo has yet to find a way to close the vulnerability that allows this spam and fraud to continue, despite the months and years since it was first observed.

Vir7remover_2009_b2.exe / defend6-pc.com scareware

While researching some information, I came across a Google hit that looked like what I was looking for, but when I opened the page, none of the text in the preview paragraph was there. Somebody must have fed bogus contents to Googlebot to attract searches.

Instead of the expected information I found myself on a scareware site called defend6-pc.com that was then trying to coerce me into downloading and installing their fake security software. A pop-up dialog asked me whether I wanted to scan my computer with their software. It didn’t matter if I clicked OK or Cancel, a download would always start. Only by closing the browser window could I get rid of their nasty popup dialogs.

I’m using Mozilla Firefox, which does not offer to run downloaded EXEs directly. I did not click on the downloaded “Vir7remover_2009_b2.exe”; instead I ran it through the VirusTotal.com online malware scanner (highly recommended!) and products by four companies diagnosed it as malicious or suspicious:

  • Microsoft (1.5605) says it’s a “Trojan:Win32/FakeXPA”
  • Sophos (4.52.0) says it’s “Mal/FakeAV-CX”
  • VBA32 (3.12.12.4) says it’s “BScope.Trojan.MTA.0157”
  • Panda (10.0.2.2) calls it a “Suspicious file”

“Mal/FakeAV-CX” indicates “scareware”, software that pretends to be an anti-virus / malware scanner and scares you with bogus alerts of malware on your hard disk into installing and/or purchasing the software. Such software can include Trojans (as you would suspect from “Trojan:Win32/FakeXPA” and “BScope.Trojan.MTA.0157”) that take over your machine and can give someone else full control over it for malicious activities.

The following domains are all hosted on the same server as defend6-pc.com (IP address 93.174.95.154) and this list probably is not complete. I definitely would not recommend installing any software from any of these sites:

  • 10scanantispyware.com
  • 20scanantispyware.com
  • 2scanantispyware.com
  • 30scanantispyware.com
  • 3scanantispyware.com
  • 50virus-scanner.com
  • 5scanantispyware.com
  • 60scanantispyware.com
  • 7scanantispyware.com
  • 80scanantispyware.com
  • 8scanantispyware.com
  • 90virus-scanner.com
  • antispy-scan200.com
  • antispy-scan400.com
  • antispy-scan600.com
  • antispy-scan700.com
  • antispy-scan800.com
  • antispywarehelp002.com
  • antispywarehelp004.com
  • antispywarehelp008.com
  • antispywarehelp010.com
  • antispywarehelp022.com
  • antispywarehelpk0.com
  • antispywarehelpk2.com
  • antispywarehelpk4.com
  • antispywarehelpk6.com
  • antispywarehelpk8.com
  • antivirus-inet01.com
  • antivirus-inet31.com
  • antivirus-inet41.com
  • antivirus-inet51.com
  • antivirus-scan200.com
  • antivirus-scan400.com
  • antivirus-scan600.com
  • antivirus-scan700.com
  • antivirus-scan900.com
  • antivirus-test88.com
  • antivirus10scanner.com
  • antivirus900scanner.com
  • av-scanner200.com
  • av-scanner300.com
  • av-scanner400.com
  • av-scanner500.com
  • av-scanner700.com
  • defend-computer10.com
  • defend-computer30.com
  • defend-computer50.com
  • defend-computer70.com
  • defend-computer82.com
  • defend-computer83.com
  • defend-computer84.com
  • defend-computer85.com
  • defend-computer86.com
  • defend-computer88.com
  • defend-computer90.com
  • defend-pc100.com
  • defend-pc130.com
  • defend-pc150.com
  • defend-pc170.com
  • defend2-pc.com
  • defend5-pc.com
  • defend6-pc.com
  • inetproscan001.com
  • inetproscan031.com
  • inetproscan061.com
  • inetproscan081.com
  • inetproscan091.com
  • insight-scan20.com
  • insight-scan40.com
  • insight-scan60.com
  • insight-scan80.com
  • insight-scan90.com
  • insight-scanner2.com
  • insight-scanner5.com
  • insight-scanner7.com
  • insight-scanner8.com
  • insight-scanner9.com
  • internet-scan020.com
  • internet-scan040.com
  • internet-scan050.com
  • internet-scan070.com
  • internet-scan090.com
  • internet-scanner020.com
  • internet-scanner030.com
  • internet-scanner050.com
  • internet-scanner070.com
  • internet-scanner090.com
  • net-02antivirus.com
  • net-04antivirus.com
  • net-05antivirus.com
  • net-07antivirus.com
  • net001antivirus.com
  • net011antivirus.com
  • net021antivirus.com
  • net111antivirus.com
  • net222antivirus.com
  • novirus-scan00.com
  • novirus-scan01.com
  • novirus-scan22.com
  • novirus-scan31.com
  • novirus-scan33.com
  • novirus-scan41.com
  • novirus-scan55.com
  • novirus-scan61.com
  • novirus-scan81.com
  • novirus-scan88.com
  • spyware-stop01.com
  • spyware-stopb1.com
  • spyware-stopm1.com
  • spyware-stopn1.com
  • spyware-stopz1.com
  • spyware200scan.com
  • spyware500scan.com
  • spyware800scan.com
  • spyware880scan.com
  • spywarescan010.com
  • spywarescan013.com
  • spywarescan015.com
  • spywarescan017.com
  • spywarescan018.com
  • stop-all-virus1.com
  • stop-all-virus3.com
  • stop-all-virus6.com
  • stop-all-virus9.com
  • stop-virus-01a.com
  • stop-virus-01b.com
  • stop-virus-01d.com
  • stop-virus-01e.com
  • stop-virus-01f.com
  • stop-virus-03b.com
  • stop-virus-03u.com
  • stop-virus-03y.com
  • stop-virus-03z.com
  • stop-virus-040.com
  • stop-virus-070.com
  • stop-virus-090.com
  • stop-virus-091.com
  • stop-virus-099.com
  • stopvirus-scan11.com
  • stopvirus-scan13.com
  • stopvirus-scan16.com
  • stopvirus-scan18.com
  • stopvirus-scan33.com
  • stopvirus-scan66.com
  • stopvirus-scan88.com
  • stopvirus-scan99.com
  • virus77scanner.com
  • virus88scanner.com
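A list like the one above is more useful as a set of naming templates than as a set of names: the operators register “defend-computer” followed by a number, “stop-virus-0” followed by a digit and a letter, and so on, and the next batch will follow the same scheme. The following is an added example, not code from the original post: it abstracts each domain into a template (digit runs become {N}, a single trailing letter after digits becomes {L}), counts how often each template occurs in a subset of the list above, and turns the recurring templates back into regexes that will catch a domain from the same scheme that was not in the list. The subset and the minimum-count threshold are choices made for this example.

```python
import re
from collections import Counter


def template_of(domain):
    """Abstract a domain into its naming template.

        defend-computer82.com -> defend-computer{N}.com
        stop-virus-03z.com    -> stop-virus-{N}{L}.com
        net001antivirus.com   -> net{N}antivirus.com
    """
    def sub(m):
        return "{N}{L}" if m.group(2) else "{N}"
    # digit run, optionally followed by one letter that ends the label
    return re.sub(r"(\d+)([a-z](?=\.|$))?", sub, domain.lower())


def learn_templates(domains):
    """Count how many observed domains fit each template, most common first."""
    return Counter(template_of(d) for d in domains)


def template_regex(template):
    """Turn a template back into an anchored regex for matching new domains."""
    out = []
    for part in re.split(r"(\{N\}|\{L\})", template):
        if part == "{N}":
            out.append(r"\d+")
        elif part == "{L}":
            out.append("[a-z]")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")


def matches_known_template(domain, templates, min_count=2):
    """Return the template `domain` fits if that template was seen at least
    `min_count` times, else None. The threshold keeps a one-off name from
    turning into a rule on its own."""
    for template, n in templates.most_common():
        if n < min_count:
            break
        if template_regex(template).match(domain.lower()):
            return template
    return None


# A subset of the co-hosted names listed above, used here as training input.
SAMPLE_DOMAINS = [
    "10scanantispyware.com", "2scanantispyware.com", "30scanantispyware.com",
    "antispy-scan200.com", "antispy-scan400.com",
    "antispywarehelpk0.com", "antispywarehelpk2.com",
    "antivirus10scanner.com", "antivirus900scanner.com",
    "defend-computer10.com", "defend-computer82.com", "defend-computer83.com",
    "defend2-pc.com", "defend5-pc.com", "defend6-pc.com",
    "net-02antivirus.com", "net-04antivirus.com", "net001antivirus.com",
    "stop-virus-01a.com", "stop-virus-03z.com", "stop-virus-040.com",
    "spyware-stopb1.com", "spyware-stopm1.com",
]

if __name__ == "__main__":
    templates = learn_templates(SAMPLE_DOMAINS)
    for template, n in templates.most_common():
        print(f"{n:2d}  {template}  ->  {template_regex(template).pattern}")
    # a name that is not in the list but follows the scheme
    print(matches_known_template("defend-computer99.com", templates))
```

The learned regexes are a reasonable starting point for a mail or proxy blocklist, with the usual caveat that a legitimate site could in principle fit one of the looser templates, so review them before deploying.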

Dial +44 70 (UK number) for international online fraud

A few years ago I created the Scam-O-Matic (www.scamomatic.com), a website that every month has helped thousands of people worldwide by automatically diagnosing online fraud emails that people have submitted to it. Scamomatic.com recognizes fake lotteries, “dead customer” scams, “dying widow” scams and many other common formats from scammers from Nigeria that you may have seen in your inbox before. Even when it can’t pinpoint the exact type of scam, it often recognizes it as a generic scam format, largely thanks to the presence in the email of UK phone numbers that start with +44 70. These numbers are everywhere in Nigerian online scams, regardless of the precise scam format. The +44 70 prefix might as well be called the country code of Nigerian scammers.

If you receive any email that mentions any +4470 phone number, do not reply to it! You can submit the body of any suspicious email message to www.scamomatic.com for instant feedback about what kind of scam it might be.
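The “+44 70” check is simple to state but fiddly to implement, because scammers write the same number a dozen ways (“+44 70…”, “0044-(0)-70…”, “+44 (0)70…”, or the domestic “070…”). The following is an added example of such a detector, not the Scam-O-Matic’s own code: it finds every spelling, normalises to +4470xxxxxxxx (a UK national number is ten digits, so twelve after the plus), and ignores other UK and non-UK numbers. The sample email is constructed; the four 070 numbers in it are taken from the list further down, and the landline and US numbers are from the ranges reserved for fiction.

```python
import re
from typing import List, Optional

# Anything people put between digit groups: space, hyphen, dot, brackets.
_SEP = r"[\s\-().]*"

# International spellings: "+44 70...", "0044 70...", "+44 (0)70...", "+44 070...".
# After the country code we insist on the 070 prefix and exactly eight more
# digits; the trailing lookahead rejects numbers with digits left over.
_INTL = re.compile(
    r"(?:\+|00)\s?44" + _SEP
    + r"(?:\(?0\)?" + _SEP + r")?"       # optional trunk "0" or "(0)"
    + r"7" + _SEP + r"0"                 # the 070 personal-numbering prefix
    + r"(?:" + _SEP + r"\d){8}(?!\d)"
)
# Domestic spelling "070xx xxx xxx". The lookbehind stops us re-matching the
# tail of an international form that was already caught above.
_DOMESTIC = re.compile(r"(?<![\d+])0" + _SEP + r"70(?:" + _SEP + r"\d){8}(?!\d)")


def _to_e164(raw: str) -> Optional[str]:
    """Reduce one matched spelling to +4470xxxxxxxx, or None if it does not fit."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("00"):          # 0044... -> 44...
        digits = digits[2:]
    if digits.startswith("0"):           # domestic 070... -> 4470...
        digits = "44" + digits[1:]
    elif digits.startswith("440"):       # "+44 (0)70..." -> drop the trunk prefix
        digits = "44" + digits[3:]
    if len(digits) == 12 and digits.startswith("4470"):
        return "+" + digits
    return None


def find_uk_070_numbers(text: str) -> List[str]:
    """All +44 70 numbers in `text`, normalised, first-seen order, no duplicates."""
    hits = []
    for pattern in (_INTL, _DOMESTIC):
        for m in pattern.finditer(text):
            hits.append((m.start(), m.group(0)))
    seen, out = set(), []
    for _, raw in sorted(hits):
        number = _to_e164(raw)
        if number and number not in seen:
            seen.add(number)
            out.append(number)
    return out


def looks_like_advance_fee_scam(text: str) -> bool:
    """The heuristic from the post: any +44 70 number is a strong scam signal."""
    return bool(find_uk_070_numbers(text))


# CONSTRUCTED sample. The 070 numbers are from the list in the post; the
# +44 20 7946 0xxx and +1 ... 555 01xx numbers are reserved for fiction.
SAMPLE_EMAIL = """\
Dear Winner, you have won GBP 1,500,000.00 in the UK National Promo Draw.
Contact the claims agent Mr. Peter Brown on +44 7024 019 584 or
Tel: 0044-(0)-7031-742-574, Mobile: +44 (0)70 3590 0183.
Our London office can also be reached on 070 4574 2669.
For verification call the US desk on +1 202 555 0147 or
our UK landline +44 20 7946 0123.
"""

if __name__ == "__main__":
    for number in find_uk_070_numbers(SAMPLE_EMAIL):
        print(number)
    print("scam?", looks_like_advance_fee_scam(SAMPLE_EMAIL))
```

Run against a mailbox, the function gives you a normalised list to compare with a known-bad set such as the one below; the normalisation matters because the same scammer will spell his number differently from one email to the next.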

These +4470 numbers are a gift to online scammers by British phone regulators. They belong to the UK 070 “personal numbering” range and are primarily owned by obscure British phone companies offering an anonymous call-forwarding service. The economic model of these services is simple: The caller dials a rather expensive UK number and the UK service provider forwards the incoming call to a somewhat less expensive to call international number (for example a Nigerian mobile phone, which remains hidden from the caller), pocketing the difference between the call rates. For example, the caller might pay 50 cents per minute to call a +44 70 number and the call will then be forwarded to a Nigerian mobile phone that costs 25 cents per minute, leaving 25 cents per minute as a net margin for the service operator. The more successful the scammers are, the more money the phone company makes. Who ever said crime doesn’t pay?

These UK phone numbers are very attractive to scammers: When people can be made to believe that they are dealing with a bank, lawyer or government official in London, UK when they’re actually talking to a scammer on his cell phone in an Internet cafe in Lagos, Nigeria then they are much more easily defrauded by criminals.

As far as I can tell these numbers aren’t really being used for any other purpose than to enable international online crimes to be committed. In some nine years of tracking Nigerian scam emails, I have yet to come across a single legitimate user of a +44 70 number. I really don’t understand why the British government has allowed those services to continue to operate.

Now, of course the service operators can claim that they don’t know that their services are being used for criminal purposes unless someone tells them about it. On the other hand, they are not exactly making it easy to report abuse, and the high prices of these services mean that it’s unlikely that they’ll get much legitimate use, if any.

There are several ways to curb abuse, other than suspending +44 70 numbers altogether and I would encourage the UK government to seriously consider them:

  • The UK regulators could make it a requirement that calls via this service either originate in the UK or terminate in the UK, i.e. to prevent unrestricted global relaying, with say calls from India or the US being forwarded to Nigeria or Côte d’Ivoire.
  • The UK regulators could require service providers to announce the country name of the phone number to which the call is being forwarded if the destination number is not a UK number.
  • The UK regulators could require service providers to block forwarding to mobile phone numbers in certain countries, e.g. Nigeria.

Below is a sample list of +44 70 numbers that appeared in Nigerian scams reported to Scam-O-Matic over the course of the last seven days. These roughly 60 phone numbers per day are only the tip of the iceberg:

+447005801505
+447005802020
+447005810692
+447005934945
+447005942459
+447005963237
+447005977097
+447006001100
+447006002121
+447006002413
+447006029116
+447006062478
+447010023307
+447010027439
+447010027978
+447010027983
+447010028455
+447010030769
+447010285923
+447010306559
+447010476294
+447010786457
+447011120379
+447011120510
+447011120524
+447011121450
+447011121596
+447011128170
+447011129280
+447011129286
+447011129446
+447011130062
+447011130670
+447011130769
+447011131077
+447011131152
+447011133259
+447011140499
+447011140945
+447011140989
+447011146747
+447011146830
+447011147295
+447011149054
+447011152991
+447011153129
+447011162749
+447011163186
+447011163846
+447011164243
+447011182522
+447011183455
+447011184113
+447011196412
+447011197245
+447011197787
+447014225697
+447014232391
+447014232411
+447014232442
+447014236733
+447014244984
+447014275175
+447014275728
+447017026507
+447017430128
+447017769494
+447017848035
+447023011587
+447023056559
+447023058575
+447023069806
+447023086665
+447023087509
+447023092593
+447024010876
+447024010915
+447024011554
+447024012660
+447024013770
+447024014859
+447024016712
+447024017968
+447024018504
+447024018707
+447024018725
+447024018963
+447024019584
+447024019588
+447024021204
+447024021389
+447024023138
+447024023643
+447024024530
+447024024914
+447024024938
+447024025942
+447024028606
+447024029852
+447024032255
+447024033542
+447024034362
+447024034768
+447024035958
+447024036606
+447024037907
+447024038051
+447024038950
+447024041571
+447024041989
+447024042397
+447024043571
+447024045842
+447024046548
+447024047607
+447024047708
+447024051081
+447024051604
+447024053655
+447024054764
+447024056650
+447024056684
+447024057656
+447024057695
+447024059725
+447024061362
+447024061659
+447024061805
+447024062162
+447024063633
+447024063645
+447024064180
+447024065549
+447024066713
+447024066858
+447024067752
+447024068617
+447024069933
+447024070671
+447024071597
+447024071804
+447024071867
+447024072603
+447024072995
+447024073988
+447024074220
+447024074568
+447024074742
+447024075722
+447024075954
+447024077025
+447024078351
+447024079530
+447024079908
+447024080526
+447024080571
+447024080634
+447024082668
+447024082680
+447024082728
+447024083093
+447024083705
+447024084762
+447024084918
+447024084994
+447024086967
+447024087401
+447024087599
+447024087905
+447024091678
+447024091701
+447024091706
+447024092775
+447024092795
+447024092863
+447024095774
+447024095778
+447024095878
+447024096802
+447024096869
+447024097854
+447024098802
+447024098874
+447024099606
+447031740924
+447031742574
+447031744227
+447031744980
+447031744994
+447031745967
+447031746067
+447031746887
+447031747046
+447031747509
+447031749721
+447031801246
+447031801866
+447031803498
+447031803820
+447031808512
+447031809778
+447031814575
+447031814720
+447031815436
+447031816735
+447031818230
+447031821851
+447031822608
+447031823431
+447031824330
+447031825003
+447031826670
+447031830878
+447031833248
+447031833760
+447031834660
+447031835615
+447031835762
+447031837227
+447031843396
+447031844360
+447031845639
+447031846542
+447031850801
+447031851126
+447031855107
+447031855527
+447031858919
+447031859268
+447031859327
+447031859972
+447031861174
+447031861534
+447031865718
+447031877392
+447031877975
+447031880502
+447031885537
+447031890014
+447031891762
+447031894541
+447031898197
+447031903871
+447031906765
+447031908701
+447031909751
+447031911974
+447031913322
+447031915331
+447031918554
+447031918592
+447031918698
+447031918840
+447031920863
+447031928723
+447031930960
+447031931805
+447031934581
+447031938867
+447031940670
+4470319419882
+447031943771
+447031954666
+447031956661
+447031958680
+447031960513
+447031964131
+447031971731
+447031971766
+447031972833
+447031972850
+447031973785
+447031974969
+447031978795
+447031979858
+447031982694
+447031983660
+447031983882
+447031984862
+447031988864
+447031993596
+447031993967
+447031996818
+447032334576
+447035900183
+447035900344
+447035900914
+447035901588
+447035902188
+447035902683
+447035910276
+447035911140
+447035912873
+447035913994
+447035915768
+447035922616
+447035923742
+447035924448
+447035927916
+447035928180
+447035931142
+447035937446
+447035939194
+447035939320
+447035940617
+447035944729
+447035944779
+447035947431
+447035950853
+447035951254
+447035951405
+447035954295
+447035955376
+447035956312
+447035959966
+447035960942
+447035965038
+447035966176
+447035966188
+447035966289
+447035966480
+447035968588
+447035969249
+447035969496
+447035969754
+447035969801
+447035969823
+447035972572
+447035973164
+447035973821
+447035977317
+447035978042
+447035978343
+447035978550
+447035983963
+447035988651
+447035988847
+447035989086
+447035992118
+447035996148
+447035997215
+447035997533
+447035998886
+447035999080
+447040110515
+447041743214
+447045702581
+447045704323
+447045704570
+447045705126
+447045705374
+447045706975
+447045707234
+447045707660
+447045708253
+447045709129
+447045709292
+447045710531
+447045710917
+447045711325
+447045712243
+447045712434
+447045712662
+447045712816
+447045712993
+447045713815
+447045714219
+447045719541
+447045720546
+447045721125
+447045721617
+447045722125
+447045724094
+447045725176
+447045727388
+447045729804
+447045733035
+447045733518
+447045736862
+447045742669
+447045743467
+447045747569
+447045748609
+447045754338
+447045759317
+447045767521
+447045768060
+447045770961
+447045776356
+447045780693
+447045782120
+447045783777
+447045785147
+447045785239
+447045790181
+447045791709
+447045795051
+447045798638
+447045799030
+447053491702
+447053492393
+447075158182
+447092849621
+447092861761
+447092864823
+447092980578
+447092981646
+447092981769
+447092982175

Jim Lanton rides a Trojan horse

A recent malware spam takes a new approach to hijacking your computer.

From: Internal Revenue Service [mailto:jim.lanton@irs.com]
Sent: Thursday, July 03, 2008 10:25 AM
To: User@CompanyName.com
Subject: Re: Company report for CompanyName

To : Firstname Lastname

The report is attached.

You need to complete the fields about CompanyName income.

Jim Lanton
IRS Fraud Department

© 2008 Internal Revenue Service All Rights Reserved.

An attachment named “notice_248-849.doc” included an embedded object called “notce.pdf” which was identified as a Trojan downloader by several scanners, including:

  • AntiVir (7.8.0.64, 2008.07.03): TR/Crypt.XDR.Gen
  • F-Prot (4.4.4.56, 2008.07.03): W32/Heuristic-217!Eldorado
  • Microsoft (1.3704, 2008.07.03): TrojanDownloader:Win32/Small.gen!N

While there have been phishing spams before that masquerade as emails from the IRS in the USA or the UK Inland Revenue, this one strikes a raw nerve for the attention to detail.

The email was sent to a friend of mine and addressed him by his full name, not the short form that virtually everyone commonly uses around him, even in business. The name of the company and his email address were capitalized exactly as he normally does it. That is, the company name had capital letter at the beginning of both the first and second words that it’s composed from. The email address was not all lower case, instead both his initials were capitalized on the left hand side of the ‘@’ in the email address and the domain name was capitalized like the company name.

While it’s possible the malware took the name from an address book of an infected machine, I think it’s somewhat unlikely, as I don’t have a single copy of an email from my friend’s address in which he writes his name in the full version used here. Another possibility is that the malware author purchased a commercial address list of businesses. That would be very unusual, though not unheard of.

Specifically targeting companies and their executives could net the scammers high-yield targets, as they are likely to have sensitive information stored on their computers, which Trojan horse software would open up to these criminals.

P.S.: My apologies to Jim Lanton at the IRS. If he really exists, he has nothing to do with this scam. I am just mentioning him in the headline because people might search Google for the name and I want them to find out that what they received was a malware spam.

CNN reports about online scams

A recent CNN article described various online scams, including fake lotteries and other 419 scams:

As one scam-watch site pointed out, lottery companies do not organize “promotional” lotteries, they advertise. A free “promotional” lottery that you only hear about if you win would only promote the lottery to a handful of customers. That doesn’t make any sense.

If you answer the e-mail, after one or two e-mail exchanges with the so-called lottery officials or claims agent, perhaps accompanied by some official looking but fake documents, you’ll be asked to pay fees for taxes or handling or some other reason. This is the scam — you pay the fees and never see any winnings, mainly because there are none to see.

Currently fake lotteries are the most prominent of online scams. We get far more queries about fake lotteries than about all other types of scams taken together. More people fall for them than for any other scam, maybe because so many people play lotteries in “real life”, so the idea of a sudden lucky strike is not alien to them.

In case you wondered, the unnamed scam-watch site quoted by CNN is the one you’re looking at right now. It was a quote from our 419 fraud FAQ about fake lotteries. The article also prominently mentioned Fraudwatchers.org of which we’re a member and listed it as the first of several fraud-information websites.

Education is the most effective weapon against scams. People who know about scams are not easily tricked any more. If more newspaper and TV and radio stations were to talk about scams, fewer people would fall victim to them.