Recently, I started to see a whole series of very similar spam messages, all variations on the same message ("Hot Lady Wants You to F*ck Her," "Invited to H00kup") and all advertising redirectors on hacked Web sites. I've received a ton of these spam messages--about 75 in the last three weeks alone, with more coming every day.
The spam messages all spamvertise malicious redirectors that are placed on hacked Web sites. The redirectors all go to a destination that says "This is NOT a dating site! WARNING! You will see nude photos. Please be discreet."
There's a lot of hacking activity going on. Every spam message points to a different hacked site, all of which redirect to a whole network of identical landing sites. This, then, is the work of an organized, deliberate hacker or (more likely) group of hackers, likely using automated tools to hack vulnerable Web sites and plant the malicious redirectors.
Curious, I decided to go down the rabbit hole, to see what I could find out. I started collecting the spam emails, tracking how often they came in, what URLs they spamvertised, and where those URLs redirected to.
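The collection described above comes down to following each spamvertised link hop by hop without executing anything it serves, recording the chain, and grouping chains by the host they finally land on: many different hacked hosts collapsing onto one landing host is what marks them as a single campaign. The following is an added example of that tracer, not the author's own tooling. The hostnames hypnotherapyandnlp.co.uk, juicy-hotgirls69.com and naughty-juicygirls.com are the ones named in this post; every path, the second hacked host (`hacked-blog.example`) and the loop pair (`loop-a.test`, `loop-b.test`) are constructed for the example, and the HTTP responses are an offline stand-in so the code runs without touching any of these sites.

```python
from collections import defaultdict
from urllib.parse import urljoin, urlsplit

# Constructed offline stand-in for the HTTP responses met while following a
# spamvertised link: URL -> (status code, Location header or None).
# Hostnames from the post are real; all paths and the .example/.test hosts
# are assumptions made for this example.
SIMULATED_RESPONSES = {
    "http://hypnotherapyandnlp.co.uk/wp-content/uploads/r.php?x=1":
        (302, "http://juicy-hotgirls69.com/go"),
    "http://hacked-blog.example/images/.cache/in.php":
        (302, "http://hacked-blog.example/images/.cache/out.php"),
    "http://hacked-blog.example/images/.cache/out.php":
        (302, "http://juicy-hotgirls69.com/go"),
    "http://juicy-hotgirls69.com/go":
        (302, "/landing"),                       # relative Location header
    "http://juicy-hotgirls69.com/landing":
        (301, "http://naughty-juicygirls.com/"),
    "http://naughty-juicygirls.com/":
        (200, None),
    "http://loop-a.test/": (302, "http://loop-b.test/"),
    "http://loop-b.test/": (302, "http://loop-a.test/"),
}

# Constructed list of the URLs found in the spam messages.
SPAM_URLS = [
    "http://hypnotherapyandnlp.co.uk/wp-content/uploads/r.php?x=1",
    "http://hacked-blog.example/images/.cache/in.php",
    "http://loop-a.test/",
    "http://gone.example/old.php",            # redirector already cleaned up
]


def simulated_fetch(url):
    """Return (status, Location) for a URL without using the network."""
    return SIMULATED_RESPONSES.get(url, (404, None))


def host(url):
    return (urlsplit(url).hostname or "").lower()


def follow_redirects(url, fetch=simulated_fetch, max_hops=10):
    """Follow HTTP 30x redirects one hop at a time.

    Returns (chain, outcome): chain is every URL visited in order, outcome is
    'landed' (2xx), 'dead' (error or 3xx without Location), 'loop' (a URL
    repeated) or 'too_many_hops' (more than max_hops redirects).
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops + 1):          # +1: the final fetch is the landing page
        status, location = fetch(chain[-1])
        if 200 <= status < 300:
            return chain, "landed"
        if not (300 <= status < 400) or not location:
            return chain, "dead"
        nxt = urljoin(chain[-1], location)  # resolves relative Location headers
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def cluster_by_landing(spam_urls, fetch=simulated_fetch):
    """Group spamvertised URLs by the host they finally land on.

    Chains that never land are grouped under their outcome instead, so dead
    and looping redirectors are still visible in the report.
    """
    groups = defaultdict(list)
    for url in spam_urls:
        chain, outcome = follow_redirects(url, fetch)
        key = host(chain[-1]) if outcome == "landed" else outcome
        groups[key].append({
            "hacked_host": host(url),
            "hops": len(chain) - 1,
            "intermediaries": sorted({host(h) for h in chain[1:-1]}),
        })
    return dict(groups)


if __name__ == "__main__":
    for landing, entries in cluster_by_landing(SPAM_URLS).items():
        print(landing)
        for e in entries:
            print("   ", e["hacked_host"], "->", e["hops"], "hops via", e["intermediaries"])
```

To run this against real spam, replace `simulated_fetch` with a function that does `r = requests.head(url, allow_redirects=False, timeout=10)` and returns `(r.status_code, r.headers.get("Location"))`, and do it from a throwaway VM: as the warning below says, these hosts may attempt other malicious actions. Note the limitation: this only follows HTTP-level redirects. A redirector planted as a `<meta http-equiv="refresh">` tag or a `window.location` script will show up here as a 200 "landing" on the hacked host itself, and needs a headless browser to follow.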
I discovered an organized gang of hackers and fraudsters operating out of a series of companies organized in Cyprus, who had built a large network of hacked sites and were using the hacked sites to funnel traffic into a fake dating site that attempts to get rather a large amount of money from marks it cons into signing up.
I followed the link from one of the spam messages, a site called hypnotherapyandnlp.co.uk. This site had been hacked to have a redirection script placed on it that redirected me to juicy-hotgirls69.com, which in turn redirected me to naughty-juicygirls.com, where I was asked a simple series of questions.
*** WARNING *** WARNING *** WARNING ***
The URLs mentioned in this post are live as of the time of writing this. I recommend you do not visit them if you don't know what you're doing. The URLs are compromised sites or sites owned by people who compromise Web sites. They may attempt other malicious actions.
The site naughty-juicygirls.com is registered to an outfit calling itself Tralox Overseas Limited, which lists its business address as
Mitsis Building 1, Stasinou Avenue
I answered the questions and filled out a signup form on naughty-juicygirls.com, and was taken to yet another site, sexmyamateurass.com. This site attempted to get me to enter a credit card number--purely to confirm my age, doncha know. At least that's what the text on the left side of the Web page claimed. But what the left side giveth, the right side taketh away; text on the right side of the screen told me I'd be signing up for a "VIP membership" that would automatically renew at $49.95 per month.
The site at sexmyamateurass.com is also registered in Cyprus. It is registered to a company calling itself Canderstone Limited, whose address is given as
Peiraios 30, 3016
If you are foolish enough to agree to give them a credit card number, totally just for age verification (and recurring membership fees of $49.95 per month), your credit card number is sent to a Web site called statusfee.com. This site is also registered to Canderstone Limited in Cyprus.
From there, you're taken to yet another site, megafuckbook.com. This claims to be a dating site, though as fraudulent dating sites go, it's pretty transparent. Within fifteen seconds of being redirected to megafuckbook.com I received notification that a woman had sent me an email--which, naturally, I would need to pay money to see.
And ten seconds after that, I got a chat request, supposedly from a woman near me.
megafuckbook.com is registered, unsurprisingly, to Tralox Overseas Limited.
This is par for the course for Web sites that prey on lonely and desperate men. The employees of such sites keep stables of fake profiles, often hundreds of them, and message new users with the intent to entice them to pay for the service. I've known folks who've worked for such sites.
So, it's an ordinary and common fraud, atypical only in that the people who own the fraudulent site are aggressive computer hackers who compromise large numbers of sites and then send out barrages of spam containing links to redirectors on the hacked sites.
I took a look at the Web host responsible for megafuckbook.com. It's hosted on a Web hosting company called RackCo. RackCo looks to be a Virginia company that's basically Yet Another Managed Hosting Provider, nothing particularly interesting about them. However, a quick check at SpamCop did turn up something interesting: RackCo is specifically not interested in hearing complaints about megafuckbook.com.
So what's happened is a group of folks operating out of Cyprus are running a phony, and very expensive, dating Web site. They are aggressively hacking large numbers of other sites, which they use as a redirection network. They spam their redirection network to funnel people into the fake dating site. The ISP hosting the fake dating site has explicitly said it refuses to hear spam complaints regarding the fake dating site.
The overall system looks like this:
So this is a group of sleazy operators in the sleazy fake dating sphere, who have crossed over from sleazy to outright criminal activity in using hacking to compromise Web sites and enlist them as traffic redirectors.
People often ask me, "what's the big deal if I don't stay on top of security for my little WordPress site? There's nothing on it. I only get three visitors a month, and one of them is my mom. Why would anyone want to hack me?"
The answer is "people don't hack you to get whatever's on your site. They hack you so they can use your site for their own purposes--placing illegal content on your site, hosting phish pages on your site, planting malware on your site, putting redirectors on your site which they can then use in spam campaigns. It's not about you. Obscurity doesn't matter."
Secure your Web sites. If you have a presence on the Web, it's on you to prevent operators like these from hijacking you.
I have reached out to RackCo to see if they're willing to explain why they host this site and refuse to accept spam reports about it. I'll update this blog post if I get a reply.