By Dancho Danchev
Just like true marketers interested in improving the click-through rates of their campaigns, pharmaceutical scammers are constantly looking for new ways to attract traffic to their fraudulent sites.
From compromised web shells on web sites with high page rank, the impersonation of legitimate brands, to the development of co-branding campaigns, pharmaceutical scammers persistently rotate their traffic acquisition tactics in an attempt to trick more end users into purchasing their counterfeit pharmaceutical items.
In this post, I’ll profile two currently spamvertised campaigns impersonating YouTube and Twitter, ultimately redirecting end users to pharmaceutical scams.
Screenshot of the ‘YouTube Video Approved’ themed email:
Screenshot of the ‘Twitter Support’ themed email:
Sample spamvertised URLs located on compromised domains:
Spamvertised pharmaceutical scam site:
- hxxp://medslevitraleiby.com – Email: firstname.lastname@example.org
Both campaigns redirect users to pharmaceutical scam domains, such as medslevitraleiby.com, which is responding to 18.104.22.168. In the past, it responded to the following IPs: 22.214.171.124; 126.96.36.199; 188.8.131.52; 184.108.40.206; 220.127.116.11; 18.104.22.168; 22.214.171.124.
The spammers are monetizing the traffic by participating in a revenue-sharing pharmaceutical affiliate program.
Users are advised to be extra vigilant when interacting with email from unknown sources, and not to purchase counterfeit items from pharmaceutical shops delivered to them via spam messages, no matter which company they’re attempting to impersonate.