Spam: New Product to Lose up to 15 lbs.

We noted an increased number of email messages promoting a new product that is supposed to help people lose weight. All the email messages we have captured redirect users to .RU websites promoting some kind of green tea weight-loss product, which is of course a scam.

This is one of the malicious URLs extracted from the email message:

hxxp://nerabrop.ru/

A screenshot of the homepage:

[Screenshot: green tea product scam homepage]

The links present in the website redirect the user to:

hxxp://nerabrop.ru/get.html

The user is redirected to another malicious URL:

hxxp://184.107.166.107/~greencof/

[Screenshot: green coffee scam page]

As you can see, the website asks you to fill in a web form with your name, surname, address and other sensitive information. The data submitted in the form is then sent to a new malicious URL that uses HTTPS:

hxxps://www.wbsoffers.com/index.php?main_page=two_step_form_processor

The website seems to have been created a few days ago. The homepage looks like this:

[Screenshot: empty site homepage]

Most probably, the website is used to steal the data that is sent through the web form.
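
The hand-off described above, a form served from a bare IP address that submits personal details to a different host, can be checked for automatically when triaging a suspect page. This is an added example, not part of the original analysis; the function names, the field-name hints and the sample page (documentation-range IP and example.com) are constructed assumptions.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments suggesting personal data (an assumed, illustrative list).
PII_HINTS = ("name", "address", "phone", "email", "zip", "city")

class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms and a.get("name"):
            self.forms[-1]["fields"].append(a["name"].lower())

def host_is_ip(host):
    """True when the host part of a URL is a literal IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_forms(page_url, html):
    """Return one finding per form that sends personal fields to another host."""
    page_host = urlsplit(page_url).hostname or ""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # resolves relative actions
        target_host = urlsplit(target).hostname or ""
        pii = [f for f in form["fields"] if any(h in f for h in PII_HINTS)]
        if pii and target_host != page_host:
            findings.append({"target": target, "pii_fields": pii,
                             "page_on_bare_ip": host_is_ip(page_host)})
    return findings

# Constructed sample page: not the campaign's real hosts or markup.
SAMPLE_URL = "http://192.0.2.10/~shop/"
SAMPLE_HTML = """
<form action="https://forms.example.com/index.php?main_page=step" method="post">
  <input name="first_name"><input name="last_name"><input name="address1"><input name="quantity">
</form>
<form action="search.html"><input name="q"></form>
"""
```

Calling `audit_forms(SAMPLE_URL, SAMPLE_HTML)` reports only the first form: it collects name and address fields and posts them to a host other than the one serving the page.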

A list of malicious URLs captured:


Scan reports generated by URLVoid:

http://www.urlvoid.com/scan/wbsoffers.com/
http://www.urlvoid.com/scan/suprepuse.ru/
http://www.urlvoid.com/scan/hecktorshep.ru/
http://www.urlvoid.com/scan/harloro.ru/
http://www.urlvoid.com/scan/ottertold.ru/
http://www.urlvoid.com/scan/nerabrop.ru/

There are more than 18 malicious websites hosted on:

193.106.28.144

Source: http://www.urlvoid.com/ip/193.106.28.144/

There are more than 50 malicious websites hosted on:

111.121.193.200

Source: http://www.urlvoid.com/ip/111.121.193.200/