In a blog post last November, we talked about a replica YouTube notification spam that tells recipients about their “delayed/deferred mails”.
If you’re still wondering how a video streaming service can, in some way, notify users of missed emails without providing further context, you’ll find that the individual or group behind this new batch of fake automated mails is none the wiser.
We were able to retrieve three samples of emails purportedly from Facebook, WhatsApp, and Skype, all of which follow a ploy similar to the one we saw the fake YouTube email use before. The formats are identical to each other as well.
All links in each spam message lead to redirector PHP pages housed on compromised sites. The simple redirection schemes for each of the spam messages we looked into are illustrated below:
Details of the spam messages:
From: Skype+Team
Subject: You missed emails oddity
Message body: You have missed email.View emails. Warm wishes Skype+ service

From: Facebook Notifier
Subject: Deferred mails shelton
Message body: Deferred mail. View mails.Best regards Facebook team

From: WhatsApp Notifier
Subject: Incoming voicemessage 10:07AM
Message body: Missed voice message.Details Dec 10 10:07 AM 06 sec Listen
The destination URLs, globalhealthsupply[DOT]ru, saferemedymarket[DOT]ru, and curingremedyshop[DOT]ru, were first seen in the wild some time in mid-November. They resolve to several IP addresses that have been known to host scammy or malicious content. 95[DOT]84[DOT]156[DOT]43 from Russia is one of those IPs.
Please ensure that the URLs mentioned above are already blocked by your security software. If not, you can block them manually by adding them to your browser’s blacklist. If you’re still unsure which online pharmaceutical sites are legitimate and can be trusted, we suggest that you visit LegitScript and review their list.
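Because the links in the messages point at redirectors on compromised sites, a blocklist check has to look at every hop of a click, not only the link in the mail. The following is an added example, not part of the original post: it refangs the indicators listed above and checks a redirect chain against them. The function names and the sample chain (on the reserved `.example` domain) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published in the post (defanged).
DEFANGED_DOMAINS = [
    "globalhealthsupply[DOT]ru",
    "saferemedymarket[DOT]ru",
    "curingremedyshop[DOT]ru",
]
DEFANGED_IPS = ["95[DOT]84[DOT]156[DOT]43"]

def refang(indicator):
    """Turn 'name[DOT]ru' into 'name.ru' so it can be compared with hostnames."""
    return re.sub(r"\[DOT\]", ".", indicator, flags=re.I).lower()

BLOCKED_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
BLOCKED_IPS = {refang(i) for i in DEFANGED_IPS}

def host_of(url):
    """Lower-cased host of a URL, without port, userinfo or trailing dot."""
    if "//" not in url:
        url = "//" + url  # treat scheme-less input as starting with a host
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ""

def is_blocked(url):
    """True if the host is a listed IP, a listed domain, or a subdomain of one."""
    host = host_of(url)
    if host in BLOCKED_IPS or host in BLOCKED_DOMAINS:
        return True
    # Match on a label boundary so 'xcuringremedyshop.ru' is not flagged.
    return any(host.endswith("." + d) for d in BLOCKED_DOMAINS)

def first_blocked_hop(chain):
    """Return the first URL in a redirect chain that hits the blocklist, else None."""
    return next((url for url in chain if is_blocked(url)), None)

# Constructed sample: link in the mail -> redirector -> destination.
SAMPLE_CHAIN = [
    "http://compromised-site.example/wp-content/redirect.php",
    "http://WWW.SafeRemedyMarket.ru:80/?ref=mail",
]

if __name__ == "__main__":
    print(first_blocked_hop(SAMPLE_CHAIN))
```

The first hop in the sample is not flagged, which is why filtering only on the link text of the message misses this kind of spam.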
Jovi Umawing