Flickr welcome message leads to Canadian Pharmacy web site


Various brands have been subject to spam campaigns and today Flickr, the photo sharing web site, is now also being abused by spammers.

MX Lab started to intercept messages with the subject “[Flickr] Welcome!”, send from a spoofed email address, with an welcome message  from Flickr (see image below).

Every link in the message leads to a different URL, even the links behind Terms of Services or the Privacy Policy.

hxxp://mahimatex.com/sanitation.html
hxxp://electricbrochures.com/custodian.html
hxxp://eventosgs.com.ar/climate.html
hxxp://newcivas.altervista.org/overstatements.html
hxxp://complicat.go.ro/modestly.html
hxxp://kankash-g-s.com/chicagoans.html
hxxp://pliki.open-it.pl/deigned.html
hxxp://turismatica.go.ro/grapefruit.html
hxxp://behsood.ir/schedulable.html
hxxp://jpaquino.com/headlines.html
hxxp://awtchiro.com/consulates.html

The web sites above function as a redirect to hxxp://keptoften.com/

Each message has different URLs included so these spammers are using a massive amount of domains in this campaign.

I personally do not understand why they are doing this because an Intent Analysis filter, that analyses the included URLs in emails, can blacklist many URLs from these web sites immediatly when investigating one single spam message.

When only using the domain for visiting the sites we get quite often a warning from our browser that the site is known to host malware. In other cases, or when ignoring the warning, we are redirected to hxxp://bestadultsite.ru/run/go.php?sid=3 and afterwards to the web site of Canadian Neighbor Pharmacy hxxp://pharmacymentalhealth.com (see image below).

Comments are closed.

Follow

Get every new post delivered to your Inbox.

Join 288 other followers

%d bloggers like this: