Category Archives: Spam

Google Translate used by spammers to bypass Anti-Spam filters

Google Translate is a free service created by Google that translates any web page, content or document from its native language to a language specified by the user. We have noticed that some spam messages contain links that pass a website through Google Translate. Those links are used to promote fraudulent pharmaceutical products, and the spammers seem to use Google Translate to disguise the malicious website.

In short, when you translate a URL with Google Translate, the URL of the web page is appended to the HTTP query string, but the domain name of the link remains translate.googleusercontent.com. Anti-spam filters may therefore be bypassed, because the Google Translate URL is classified as legitimate.

To get a better idea about what I am talking about, check this image:

translate-google-used-for-spam

We have extracted some URLs from the spam messages. They are all subdomains of yolasite(dot)com and are used to promote the sale of fake pharmaceutical products and subscriptions to fraudulent casino websites:

hxxp:// myonlinestore1. yolasite.com/shop
hxxp:// onlineshop63. yolasite.com/shop
hxxp:// onlinecasino27. yolasite.com/casino2

Never click on links that start with the domain “translate.googleusercontent.com”, because they may use Google Translate to translate a malicious website and exploit vulnerabilities in your web browser or in other applications installed on your system (such as Adobe Flash, PDF readers, Java) to infect your PC.

If you want to translate a website, go directly to the Google Translate website with your browser and type in the URL that you want to translate. Avoid clicking on Google Translate links found in emails or on unknown websites.
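On the filtering side, the bypass described above goes away if the filter scores the destination carried in the query string as well as the link's own host. The following Python sketch is an added example, not code from the original post: it checks every query parameter value for an embedded http(s) URL instead of relying on a parameter name, and the blocklist entry and sample link are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

# Host that wraps a third-party page, as named in the post.
WRAPPER_HOSTS = {"translate.googleusercontent.com"}
# Constructed blocklist entry for the demo (placeholder domain, an assumption).
BLOCKED_SUFFIXES = ("spam-shop.example",)
# Constructed sample link: the real destination sits percent-encoded in the query.
SAMPLE = ("http://translate.googleusercontent.com/translate_c"
          "?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fpills.spam-shop.example%2Fshop")


def _split(url):
    """urlsplit that tolerates malformed input (e.g. a broken IPv6 literal)."""
    try:
        return urlsplit(url)
    except ValueError:
        return urlsplit("")


def embedded_urls(url, max_depth=3):
    """Return http(s) URLs carried in the query string of a wrapper link.

    Recurses so that a wrapper nested inside a wrapper is also unwrapped;
    max_depth bounds the recursion on hostile input.
    """
    parts = _split(url)
    if (parts.hostname or "") not in WRAPPER_HOSTS or max_depth == 0:
        return []
    found = []
    for _name, value in parse_qsl(parts.query):  # values arrive percent-decoded
        inner = _split(value)
        if inner.scheme.lower() in ("http", "https") and inner.hostname:
            found.append(value)
            found.extend(embedded_urls(value, max_depth - 1))
    return found


def effective_hosts(url):
    """Hosts a filter should score: the link's own host plus wrapped destinations."""
    return [(_split(u).hostname or "") for u in [url] + embedded_urls(url)]


def is_blocked(url):
    """True if any effective host equals or is a subdomain of a blocked suffix."""
    return any(h == s or h.endswith("." + s)
               for h in effective_hosts(url) for s in BLOCKED_SUFFIXES)


if __name__ == "__main__":
    print(effective_hosts(SAMPLE), is_blocked(SAMPLE))
```

A filter that looked only at the first host returned by `effective_hosts` would pass the sample link; scoring the whole list blocks it.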

Spam: New Product to Lose up to 15 lbs.

We have noted an increased number of email messages promoting a new product that should help people lose weight. All the email messages we have captured redirect users to .RU websites that promote some kind of green tea product for losing weight, which is of course a scam.

email-image

This is one of the malicious URLs extracted from the email message:

hxxp://nerabrop.ru/

A screenshot of the homepage:

green-tea-product-scam

The links present in the website redirect the user to:

hxxp://nerabrop.ru/get.html

The user is redirected to another malicious URL:

malicious-urlspam

hxxp://184.107.166.107/~greencof/

geen-coffee-scam-url2

As you can see, the website asks you to fill in a web form with your name, surname, address and other sensitive information. The data submitted in the form is then sent to a new malicious URL that uses HTTPS:

hxxps://www.wbsoffers.com/index.php?main_page=two_step_form_processor

The website seems to have been created a few days ago. The homepage looks like this:

green-tea-product-scam2-empty-site

Most probably, the website is used to steal the data that is sent through the web form.

A list of malicious URLs captured:


Scan reports generated by URLVoid:

http://www.urlvoid.com/scan/wbsoffers.com/
http://www.urlvoid.com/scan/suprepuse.ru/
http://www.urlvoid.com/scan/hecktorshep.ru/
http://www.urlvoid.com/scan/harloro.ru/
http://www.urlvoid.com/scan/ottertold.ru/
http://www.urlvoid.com/scan/nerabrop.ru/

There are more than 18 malicious websites hosted on:

193.106.28.144

193-106-28-144-ip-address

Source: http://www.urlvoid.com/ip/193.106.28.144/

There are more than 50 malicious websites hosted on:

111.121.193.200

111-121-193-200-ip-address

Source: http://www.urlvoid.com/ip/111.121.193.200/