We logged a new massive spam campaign that uses Yahoo Groups user accounts to display clickable images of pharmaceutical products and redirect users to the fraudulent website. This technique is most probably used to bypass the filters of anti-spam software.
A few of the links extracted:
hxxp://groups.yahoo .com/group/alandpenberthygy/message
hxxp://groups.yahoo .com/group/yehoshuacobazw/message
hxxp://groups.yahoo .com/group/mcculloughabeitao/message
hxxp://groups.yahoo .com/group/boddusteptoesm/message
hxxp://groups.yahoo .com/group/seennlovelykn/message
hxxp://groups.yahoo .com/group/zevmacconnelldl/message
hxxp://groups.yahoo .com/group/joulouncapperm/message
hxxp://groups.yahoo .com/group/rajeshrelphb/message
hxxp://groups.yahoo .com/group/ilantrevathanny/message
hxxp://groups.yahoo .com/group/dorrelltrinklea/message
hxxp://groups.yahoo .com/group/tebibmatopebj/message
hxxp://groups.yahoo .com/group/danlanaganu/message
hxxp://groups.yahoo .com/group/xenetotsimpkinsqe/message
hxxp://groups.yahoo .com/group/kerncogero/message
hxxp://groups.yahoo .com/group/exrsrlsr/message
All these links contain the same image:
The malicious pharmaceutical sites being promoted are:
hxxp://medicaltopatom .com:8080/
hxxp://superdrugsudden .com:8080/
hxxp://perfectpillcool .com:8080/
Medicaltopatom.com WHOIS:
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Status: clientTransferProhibited
Expiration Date: 2011-07-21
Creation Date: 2010-07-21
Last Update Date: 2010-08-05
Name Servers:
ns1.medicaltopatom.com
ns2.medicaltopatom.com
ns3.medicaltopatom.com
ns4.medicaltopatom.com
Organisation Name…. hong zhongzhen
Organisation Address. shichengdadao29
Organisation Address.
Organisation Address. hangzhou
Organisation Address. 315029
Organisation Address. ZJ
Organisation Address. CN
Admin Name……….. hongzhongzhen
Admin Address…….. shichengdadao29
Admin Address……..
Admin Address…….. hangzhou
Admin Address…….. 315029
Admin Address…….. ZJ
Admin Address…….. CN
Admin Email………. juiajl@yeah.net
Admin Phone………. +86.57158905471
Admin Fax………… +86.57158905471
Superdrugsudden.com WHOIS:
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Status: clientTransferProhibited
Expiration Date: 2011-07-21
Creation Date: 2010-07-21
Last Update Date: 2010-08-04
Name Servers:
ns1.superdrugsudden.com
ns2.superdrugsudden.com
ns3.superdrugsudden.com
ns4.superdrugsudden.com
Organisation Name…. lin xinhao
Organisation Address. xuchangshiliuyilu15hao
Organisation Address.
Organisation Address. xuchang
Organisation Address. 461691
Organisation Address. HA
Organisation Address. CN
Admin Name……….. linxinhao
Admin Address…….. xuchangshiliuyilu15hao
Admin Address……..
Admin Address…….. xuchang
Admin Address…….. 461691
Admin Address…….. HA
Admin Address…….. CN
Admin Email………. dvbdsbebvdb@126.com
Admin Phone………. +86.3742661510
Admin Fax………… +86.3742661510
Perfectpillcool.com WHOIS:
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Status: clientTransferProhibited
Expiration Date: 2011-07-21
Creation Date: 2010-07-21
Last Update Date: 2010-08-06
Name Servers:
ns1.perfectpillcool.com
ns2.perfectpillcool.com
ns3.perfectpillcool.com
ns4.perfectpillcool.com
Organisation Name…. wang jitai
Organisation Address. jiningshichangqinglu7hao
Organisation Address.
Organisation Address. jining
Organisation Address. 273500
Organisation Address. SD
Organisation Address. CN
Admin Name……….. wangjitai
Admin Address…….. jiningshichangqinglu7hao
Admin Address……..
Admin Address…….. jining
Admin Address…….. 273500
Admin Address…….. SD
Admin Address…….. CN
Admin Email………. betty999_cool@yeah.net
Admin Phone………. +86.5372226919
Admin Fax………… +86.5372226919
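The three WHOIS records above share the same registrar, the same creation date, nameservers hosted on the domain itself, and an admin phone number identical to the fax number. The following Python script is an added example for triaging indicators like the ones in this post; it is not code from the original post. It refangs the defanged links, extracts Yahoo Groups message links from a mail body, and parses trimmed WHOIS excerpts (constructed here from the fields quoted above, plus one constructed control domain) to group domains that share the same registration profile. The trait-matching rules and the control record are assumptions of this example, not something the post describes.

```python
"""Triage helpers for the pharma-spam indicators listed in this post.

Added example, not part of the original post. The WHOIS excerpts below are
constructed from the fields the post quotes (trimmed to what the checks use);
the control domain and the trait-matching rules are assumptions of this
example, not something the post describes.
"""
import re
from collections import defaultdict

# The post's defanging style: an "hxxp" scheme and a space before the TLD.
DEFANGED_LINKS = [
    "hxxp://groups.yahoo .com/group/alandpenberthygy/message",
    "hxxp://medicaltopatom .com:8080/",
    "hxxp://superdrugsudden .com:8080/",
    "hxxp://perfectpillcool .com:8080/",
]

WHOIS_RECORDS = {
    "medicaltopatom.com": """\
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Creation Date: 2010-07-21
Name Servers:
ns1.medicaltopatom.com
ns2.medicaltopatom.com
Admin Phone......... +86.57158905471
Admin Fax........... +86.57158905471
""",
    "superdrugsudden.com": """\
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Creation Date: 2010-07-21
Name Servers:
ns1.superdrugsudden.com
ns2.superdrugsudden.com
Admin Phone......... +86.3742661510
Admin Fax........... +86.3742661510
""",
    "perfectpillcool.com": """\
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Creation Date: 2010-07-21
Name Servers:
ns1.perfectpillcool.com
ns2.perfectpillcool.com
Admin Phone......... +86.5372226919
Admin Fax........... +86.5372226919
""",
    # Constructed control record: an ordinary registration profile for contrast.
    "control-domain.example": """\
Registrar: EXAMPLE REGISTRAR (constructed)
Creation Date: 2009-01-01
Name Servers:
ns1.hosting-provider.example
ns2.hosting-provider.example
Admin Phone......... +1.5550100
Admin Fax........... +1.5550199
""",
}

# Shape of the Yahoo Groups links quoted in the post: /group/<name>/message
GROUPS_LINK = re.compile(r"https?://groups\.yahoo\.com/group/([^/\s]+)/message")


def refang(link):
    """Restore a defanged indicator to its real form for blocklist lookups."""
    return link.replace("hxxp://", "http://").replace(" .", ".")


def registered_domain(url):
    """Host part of a URL without port or path, e.g. 'medicaltopatom.com'."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def parse_whois(text):
    """Parse 'Key: value' / 'Key.... value' lines; collect nsN.* lines separately."""
    fields = {"nameservers": []}
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"^ns\d+\.", line):
            fields["nameservers"].append(line)
            continue
        m = re.match(r"^([A-Za-z ]+?)[.:\u2026]+\s*(.*)$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields


def registration_traits(domain, fields):
    """The four traits the promoted domains share in the post's WHOIS output."""
    ns = fields["nameservers"]
    return {
        "registrar": fields.get("registrar"),
        "created": fields.get("creation date"),
        "self_hosted_ns": bool(ns) and all(n.endswith("." + domain) for n in ns),
        "phone_equals_fax": fields.get("admin phone") == fields.get("admin fax"),
    }


def cluster_by_registration(records):
    """Group domains whose four registration traits are identical."""
    groups = defaultdict(list)
    for domain, text in records.items():
        traits = registration_traits(domain, parse_whois(text))
        groups[tuple(traits.values())].append(domain)
    return [sorted(v) for v in groups.values()]


def yahoo_groups_links(body):
    """Return the group names referenced by Yahoo Groups message links in a mail body."""
    return GROUPS_LINK.findall(body)


if __name__ == "__main__":
    for link in DEFANGED_LINKS:
        print(refang(link), "->", registered_domain(refang(link)))
    for group in cluster_by_registration(WHOIS_RECORDS):
        print("same registration profile:", group)
```

Run stand-alone, the script prints the refanged links and one cluster containing the three promoted domains, with the control domain in a cluster of its own. The cluster key is a plain tuple of the four traits, so adding a further trait (for example the registrar's WHOIS server) is a one-line change to `registration_traits`.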