We recently received a URL through Skype that caught our attention. It was a link belonging to LinkedIn, with our Skype ID as a parameter at the end of the URL.
Usually, people would be wary when they receive links that look somewhat suspicious. But this link is from LinkedIn, the world’s largest networking site, so it would easy for anyone receiving this to quickly dismiss any thought of it being harmful. And the convincing personalized Skype ID at the end of the link only increases one’s confidence and curiosity to just click on that link!
So what happens next?
Well, once you click on it you are redirected to hxxp://www.baidu.com/link? url=6kdJhiuGhlv0r4EfUsqBKW9t86Werul6GdqAieiiPyC, and then redirected to one of these scam sites selling fat loss or brain improvement products:
(Note: the above 3 websites are already blocked by FortiGuard Anti Spam)
And while all these redirections take place (obviously an attempt by the scammers to cover/hide their tracks), the victim’s account is used to spam all the contacts in their Skype account the same way it started in the first place. And the process repeats itself.
Here’s the redirection path reflected on urlquery.net’s report:
(Image source: http://urlquery.net/report.php?id=1477360225655)
Further investigation into the domains “izatex(.)ru” and “adnanbostan(.)ru” are provided below:
We investigated the domains further and found 32 additional related domains and IPs.
The graphs below shows some interesting traffic, such as the number of hits, sudden spikes, and recent start dates of the traffic – all typical characteristics of websites with questionable intent.
Here is another example, with a similar modus operandi:
This leads another very convincing looking website with the baidu.com domain and also ending with the Skype User’s ID. Baidu is the largest web services (search engine) company in China.
When clicked, it also redirects to brain improvement scam/phishing sites:
All of these sites have exactly the same content, were recently created between the 11th and 16th of November, 2016, with the domain ownership information hidden.
We ran a query on the Baidu link, and the report can be found here: http://urlquery.net/report.php?id=1479371457834
When the potential victim attempts to purchase the brain improvement product, they are redirected to the payment site at hxxps://verty-top-ssl.com/brain_int/special3/
Interestingly, this payment site’s main page hosts a fat-loss scam, shown below:
Note that verty-top-ssl(.)com was also recently created on 19th October 2016.
Identical content is also hosted on portal-top-ssl(.)com. This site was also created recently, on 18th October 2016, but had already been taken down at the time of this writing. However, you can see a screenshot of the site when you look it up in Domaintools. It carries a maximum “Risk Score” of 100.
Scams similar to these are very active on the Internet. They are everywhere, on every corner, and appear on the ads on popular websites and social media.
For those who know what to look for, these sites are easily identifiable as scams - from the Forbes logo that does not link to Forbes websites, to the fake Facebook testimonials (no links to Facebook either.) Most people who take the time should be able to easily identify these sites as a scam without much difficulty.
However, fat-loss and brain improvement products continue to be some of the most popular and sought after products on the market today. The scammers who have built this phishing campaign were smart to focus on these two products. I would also say that they have designed their sites with careful attention, ensuring that they take advantage of the most desperate, uninformed, and non-IT savvy targets.
Judging from the way they attempt to obfuscate their tracks with multiple redirections, using new domains for only 10 days or so, and their unscrupulous “marketing” via compromised/stolen Skype accounts, it is likely that there is a highly skilled syndicate behind these scams, and more importantly, there is a substantial amount of money being made.
Aside from earning good money from selling bogus pills, these scammers will also not hesitate to sell their victims’ credit card information on the Darknet.