We noted an increase amount of email messages that promote a new product that should help people to lose weight. All the email messages we have captured, redirect users to .RU websites used to promote some king of green tea product used to lose weight, that is of course a scam.
This is one of the malicious URLs extracted from the email message:
A screenshot of the homepage:
The links present in the website redirect the user to:
The user is redirected to another malicious URL:
As you can see, the website asks you to fill a web form with your name, surname, address and other sensitive information. The data that is submitted in the form, is then sent to a new malicious URL that use HTTPS:
The website seems to be created few days ago, the homepage looks like this:
Most probably, the website is used to steal the data that is sent through the web form.
A list of malicious URLs captured:
hxxp://suprepuse.ru/?467180f36c66a1=ec2a783969663172f963f3 hxxp://gurectert.ru/?072ee6cd259=39aed15d96aac07360448c56 hxxp://hecktorshep.ru/?c414440270f=0b7436226103fb43a93aee9dcb811 hxxp://hersperga.ru/?2732230b36ea=0a37d9834b494a999f85797 hxxp://harloro.ru/?81686e766dfe1b53004=d4a87cc187ec881fef42bacc hxxp://ottertold.ru/?3b08cf59e59=b8d243ff2b21a8c3d402c069f83cfe hxxp://nerabrop.ru/?1aae4387163d36f2=4ed971b43a917c86c285 hxxps://www.wbsoffers.com/index.php?main_page=two_step_form_processor hxxp://126.96.36.199/~greencof/ hxxp://nerabrop.ru/get.html
Scan reports generated by URLVoid:
There are more than 18 malicious websites hosted in:
There are more than 50 malicious websites hosted in: