Tag Archives: spam

About Pinterest diet spam

If you are not familiar with the Twitter diet spam campaign, please read my earlier blog post first. Same campaign is ongoing also on Pinterest.  Most likely other social media sites are targeted as well. Just recently similar campaign was spotted on Instagram.

In this post I will explain how to search for “spam pins” on Pinterest by using a domain name. You can first locate compromised web-sites from Twitter by searching e.g. “dr oz helped me lose” – see the screen-shot below:

[Screenshot: Twitter search for “dr oz helped me lose”]

Let's pick a domain from the first link: “ianharbaugh.com”. If you visit the site, you will notice it is powered by WordPress, like many compromised sites. I believe the attackers have scanned a large number of WordPress-powered sites for known vulnerabilities. With suitable tools it is relatively easy to install a backdoor – or, as in this case, a malicious redirect script – on such a website. The websites themselves may have nothing to do with the spam campaign; like many of the affected users, they are most likely victims.

Back to Pinterest: there is one easy way to search for possible spam pins by using a domain name e.g. http://pinterest.com/source/ianharbaugh.com/ – screen-shot is below:

[Screenshot: Pinterest source search for ianharbaugh.com]

Naturally any pin could be genuine and non-malicious, originating from a normal website, which makes further checks more difficult; in this case, however, all of the pins are spam. Screenshot of the first pin (posted about four weeks ago):

[Screenshot: example spam pin (edited)]

If you click on the image or the website button, you will be redirected to a diet spam site – so don't.

Spreading

Spreading spam pins happens easily via “repin” and “like” functions – similar to retweet and favorite on Twitter. After searching for spam pins for about two hours, I think it is safe to say that this spam campaign has been successful also on Pinterest. I have also found many new hacked (WordPress powered) websites.

As noted earlier, many normal Twitter accounts have been compromised for this campaign. It seems same applies to Pinterest. Naturally there are some obvious spam bots involved.

Currently it is not clear how the accounts have been hacked.

Instructions to Pinterest users

If you believe your account has been compromised, change your passwords immediately. Not just on Pinterest: change e-mail, Facebook, Tumblr, Twitter, Instagram etc. passwords. Do not use same password on all services. See also Pinterest Help Center instructions.

Notifying the affected websites

I have sent email to three hacked websites. No responses so far: one email bounced and nothing has been fixed. Some other approach is needed, since emailing all of the admins would take too much time. Website admins might need some instructions, too. Perhaps it is easier to remove all files and re-install WordPress than to delete the malicious files and upgrade all the software? I hope some experts in this area will provide advice.

Updates

6:15 PM, GMT+2, new spam pins spotted: http://pinterest.com/source/barefootstudio.co.uk/


How diet spammers hijacked Twitter accounts

One domain used in the Twitter diet spam campaign turned out to be interesting. Below you can see some tweets pointing to womenshealth.com-c.pw

[Screenshot: tweets pointing to womenshealth.com-c.pw (May 2013)]

I searched Google for cache:womenshealth.com-c.pw and the result was quite interesting. The cached page redirected to http://twitter.com-c.pw/ (currently suspended) – a phishing site that may have been used to compromise user accounts.

[Screenshot: Google cache of twitter.com-c.pw]

Further reading: Gone Phishing (Twitter blog post from 2009) and related Twitter Help Center article. Phishing is not the only way to hijack accounts, but it can be very effective.

I also found one possible Facebook phishing site: fb-hn.es.vu. Links to this and similar sites are being spread on Twitter.

[Screenshot: possible Facebook phishing site]

Did you visit a possible phishing site and got hacked? You can post a comment (anonymously) and tell your story. I believe it is important to share information about these phishing sites and possible other tricks used to hack your account.


About the Twitter diet spam

Quite many Twitter users have recently seen messages similar to this:

I lost my 15 pounds and my belly fat using free garcinia: http://womenshealth.com-ar1(.)info 🙂

This diet spam campaign has been running for quite some time. If you are not familiar with the topic, please read this article by Softpedia. Read also: Another day, another round of diet spam on Twitter by Graham Cluley.

This blog post contains some additional information.

Here is a list of domain names and links spammers have been using – note that the list is most likely not complete.

30-Jun update: it seems the diet spammers are now also using hacked websites, which makes it more difficult to spot and block the domains. Many of the hacked websites are running an old version of WordPress. Most likely the attackers installed the malicious redirect script by exploiting a known vulnerability. The spotted links are listed below (bold).

  • com-15.us, com-11.us, com-10.us, com-17.us, com-16.us, com-14.us
  • org-17.us, org-18.us, org-10.us, org-13.us, org-14.us
  • net-10.us, net-11.us, net-12.us, net-13.us, net-16.us, net-15.us
  • com-expo.in
  • com-mgc1.pw
  • com-wen.pw
  • com-ar1.info
  • com-ar2.info (28-Jun – including cnbc.com-ar2.info which is not diet related)
  • com-garcinia-diet.net
  • com-article-diet.net
  • com-articles-diet.net
  • com-gc.net
  • com-lifestyle-article.net
  • com-sat.pw
  • com-may.us, com-april.us, com-june.us
  • tumblrhealth.me
  • com-news-garcinia.net
  • com-c.pw (womenshealth.com-c.pw – reported as a web forgery)
  • com-0624.net (weightloss.com-0624.net)
  • com-06-24-12.net (loseweight.com-06-24-12.net)
  • net-2.us, net-18.us (28-Jun)
  • com-lot.pw (28-Jun)
  • com-indexrx.us (29-Jun)
  • com-mo.com (29-Jun – links appear to be broken)
  • toysoncam.com/pbdv.php (30-Jun – most likely a hacked site; the same date and note apply to every entry below)
  • nameconnect.com/semk9.php
  • ericabodinepottery.com/7l2bv.php
  • tacticalgearmanufacturer.com/brlue.php
  • thoreast.com/gqhqc.php
  • tugbucket.net/qbgb.php
  • suttoncoldfieldconservativeclub.com/124e3.php
  • baliseawalker.com/c1g09.php
  • balirc.com/3d0f.php
  • bibliofreakblog.com/70nup.php
  • baliwatersport.com/3ojnp.php
  • obligationagent.com/9zkxe.php
  • primsydoodledesigns.net/8pk4l.php
  • annuaire4web.com/yuvdh.php
  • tolucabaseball.com/96pf6.php
  • barsoftball.com/hlf4w.php
  • mygoalfriend.com/v45z.php
  • stamfan.com/ip5mx.php
  • prestigeplus.rs/xtcdo.php
  • shetlandpeople.com/h2o9q.php
  • nexgen-capital.com/wosz5.php
  • psblog.org/ev8wh.php
  • radiointel.net/iav16.php
  • wp3theme.wpfeed.com/wp-content/plugins/zz53f.php
  • digisoft.nl/vijverbergers/z2kks.php

Spammers use sub-domains in order to fool users, e.g. womenshealth (womenshealth.com-ar1.info), healthywomen (healthywomen.com-garcinia-diet.net), dieting.com-articles.net, loseweight.com-news-garcinia.net etc. The trick is that the registered domain (com-ar1.info, com-garcinia-diet.net) starts with a label that reads like a real top-level domain, so a quick glance sees “womenshealth.com”. Please note that womenshealth.com and healthywomen.com have nothing to do with these spam domains. It is relatively easy to spot the spam if you pay attention to the full domain name.
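The “pay attention to the full domain name” check can be automated. The following is an added example, not code from the original post: it extracts URLs from a few constructed tweet lines, reduces each host to its registered domain and flags it either because it is on a (constructed, partial) copy of the list above or because its first label mimics a top-level domain in the way the post describes. The registered-domain reduction simply takes the last two labels, which is an assumption that breaks for suffixes such as co.uk; a real deployment would use the public suffix list. It also shows the limit of the approach: a hacked site like wpfeed.com passes the domain check, because only its path is malicious.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the registered spam domains listed in the post above.
KNOWN_SPAM_DOMAINS = {
    "com-ar1.info", "com-ar2.info", "com-c.pw", "com-april.us", "com-may.us",
    "net-10.us", "org-17.us", "tumblrhealth.me", "com-garcinia-diet.net",
}

# First label of a registered domain that reads like a real TLD ("com-ar1",
# "net-10"), so that womenshealth.com-ar1.info looks like womenshealth.com.
TLD_LOOKALIKE = re.compile(r"^(com|net|org)-[a-z0-9-]+$")

URL_PATTERN = re.compile(r"https?://[^\s]+")
TRAILING_PUNCTUATION = ".,;:!?)\"'"

# Constructed sample messages; the first one mirrors the tweet quoted in the post.
SAMPLE_TWEETS = [
    "I lost my 15 pounds and my belly fat using free garcinia: http://womenshealth.com-ar1.info/ :)",
    "check this out http://loseweight.com-news-garcinia.net/article",
    "new post on my wordpress blog https://www.example.org/2013/06/hello/",
]


def registered_domain(host):
    """Naive registrable domain: the last two labels (assumption: no multi-label suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def classify_url(url):
    """Return 'known-spam-domain', 'tld-lookalike', 'ok' or 'unparseable'."""
    host = urlsplit(url).hostname
    if not host:
        return "unparseable"
    reg = registered_domain(host)
    if reg is None:
        return "unparseable"
    if reg in KNOWN_SPAM_DOMAINS:
        return "known-spam-domain"
    # Check only the registered domain's first label, not the subdomain,
    # because the decoy brand name lives in the subdomain.
    if TLD_LOOKALIKE.match(reg.split(".")[0]):
        return "tld-lookalike"
    return "ok"


def extract_urls(text):
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [m.rstrip(TRAILING_PUNCTUATION) for m in URL_PATTERN.findall(text)]


def scan_messages(messages):
    """Return (url, verdict) pairs for every URL found in the messages."""
    results = []
    for message in messages:
        for url in extract_urls(message):
            results.append((url, classify_url(url)))
    return results


if __name__ == "__main__":
    for url, verdict in scan_messages(SAMPLE_TWEETS):
        print(f"{verdict:18} {url}")
```

The lookalike rule is deliberately narrow (only com-, net- and org- prefixes, as seen in the list above) so that it produces few false positives; widen it only with patterns you have actually observed.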

Web of Trust (WOT) maintains a list of spam domain names. @JoshMeister has published a list of domains and links on his blog.

Other tricks

Spammers have also used other tricks, such as open redirect vulnerabilities and Google search. More information is available at E Hacking News. At least one open redirect vulnerability has not been fixed yet: wzus1.ask.com. In these cases the domain itself (e.g. http://ask.com/) is most likely not malicious; the spammers simply misuse a known vulnerability so that users land on a spam site without realizing it until it is too late. Example post:

[Screenshot: example tweet abusing an open redirect]
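An open redirect of the kind mentioned above exists whenever a site sends the browser wherever a parameter such as ?next= says. The following is an added example, not code from the post or from any of the sites it names: a deliberately vulnerable redirect target function next to a hardened one that only accepts same-origin paths or https URLs to a constructed allowlist of hosts. The hardened version covers the bypasses a reviewer usually asks about: scheme-relative “//host” links, backslashes that some browsers treat as slashes, “user@host” confusion, non-http schemes and lookalike hosts.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: hosts this site is allowed to send users to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def vulnerable_redirect_target(next_url):
    """The open-redirect pattern: the ?next= value is used as-is."""
    return next_url


def safe_redirect_target(next_url, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return a redirect target that stays on this origin or an allowlisted host.

    Anything that cannot be proven safe collapses to `fallback`.
    """
    if not next_url:
        return fallback
    # Some browsers treat "\" as "/", so "/\evil.example" becomes "//evil.example".
    if "\\" in next_url:
        return fallback
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only https to an allowlisted host survives.
        # urlsplit().hostname already strips userinfo and port, so
        # "https://www.example.com@evil.example/" resolves to evil.example.
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or host not in allowed_hosts:
            return fallback
        return next_url
    # Relative reference: require an absolute path on this origin and
    # rebuild it from path and query only, dropping anything else.
    if not parts.path.startswith("/"):
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ["/account?tab=1", "//evil.example/x", "https://www.example.com/done",
                      "javascript:alert(1)", "https://www.example.com@evil.example/"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The allowlist is matched on the exact host, not by suffix, so “www.example.com.evil.example” is rejected; if you need subdomain support, compare against a parsed label list rather than using string endswith.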

The spam tweets or DMs may come from your followers, unknown persons or even from people you know. There are many “spam bot accounts” involved. But the most worrying part in this campaign is the hijacked user accounts. It is not clear how the accounts were compromised.

Twitter instructions for reporting spam: https://support.twitter.com/articles/64986-how-to-report-spam-on-twitter. Reporting an account for spam can be difficult when the tweet originates from a known person or a friend. It might also be ineffective: the account will not be suspended automatically.

On 26 June Twitter's CEO, Dick Costolo (@dickc), reacted to user complaints on Twitter: “we are on it”. I have not yet seen any other public reaction or instructions from Twitter.

Similar spam campaigns

Facebook, Tumblr and Pinterest are also affected

Twitter is not alone with this problem. I have read about similar problems affecting Tumblr, Facebook and Pinterest. For example, http://pinterest.com/kylef1337/wedding-photography/ contains “wedding photography” pins with links to scam pages such as www(.)msnbc.msn.com-april.us (registered domain: com-april.us). Another one, http://pinterest.com/source/sms.mojgrad.org/, uses a different domain, sms.mojgrad.org, which redirects users to http://www.womenshealthmag.com-may.us.

Here is an example spam post from Facebook:

[Screenshot: diet spam post on Facebook]

Basic instructions

Affected users should change their passwords – yes, all of them – immediately. If that doesn't stop the spamming, a malicious third-party Twitter application may be involved. You can find instructions on how to revoke access or remove an application here.

If your account was hacked and tweeted diet spam, it would be interesting to hear about your experiences.
