An ongoing outbreak is making extensive use of stolen Yahoo, Hotmail (Live) and AOL accounts. Sample emails sent from these accounts are shown below. Commtouch Labs has tracked a wide range of accounts – several thousand for each provider. The emails have no subject and simply feature a link in the body of the email.
The links ultimately lead to pharmacy and enhancer websites but are routed via thousands of compromised sites, most of them WordPress. Before being redirected, users are shown an initial page hidden within one of the WordPress subdirectories (see image below), which greets clickers with the text:
You are here because one of your friends have invited you
to try our free trial.
Hurry up! Limited quantity available!
We try to be helpful for you.
Page loading, please wait….
A few seconds later the redirect takes users to the enhancer site.
The image below shows:
- The initial site
- The final destination enhancer site
- The actual homepage of the compromised WordPress site.
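The message traits described above (webmail sender, no subject, a body that is nothing but a link) can be turned into a simple triage check. The following is an added example, not Commtouch's detection logic; the provider domain list, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: consumer domains for the three providers named in the post.
WEBMAIL_DOMAINS = {"yahoo.com", "hotmail.com", "live.com", "aol.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def text_body(msg):
    """Return the decoded text/plain content of a message (first part found)."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def outbreak_traits(raw):
    """Evaluate the three traits the post describes for one raw message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = text_body(msg).strip()
    urls = URL_RE.findall(body)
    return {
        "webmail_sender": sender_domain in WEBMAIL_DOMAINS,
        "no_subject": not (msg.get("Subject") or "").strip(),
        # Body is exactly one URL with no other text around it.
        "link_only_body": len(urls) == 1 and urls[0] == body,
    }


def is_suspect(raw):
    """Flag only when all three traits hold; this is triage input, not a verdict."""
    return all(outbreak_traits(raw).values())


# Constructed samples (example.* hosts are placeholders, not real indicators).
SPAM = (
    "From: Friend <friend@yahoo.com>\nTo: you@example.org\nSubject:\n\n"
    "http://blog.example.net/wp-content/uploads/page.html\n"
)
HAM = (
    "From: Friend <friend@yahoo.com>\nTo: you@example.org\nSubject: Photos\n\n"
    "Here are the pictures: http://photos.example.net/album\n"
)
```

Because the mail comes from genuine accounts at legitimate providers, sender reputation alone will not separate it from normal traffic; the combination of traits is what narrows the match.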
The extensive use of compromised accounts illustrates an increasing trend described in Commtouch’s quarterly Internet Threats Trend Report. In addition, we have explored the issue of compromised/stolen/hacked accounts more thoroughly in our special report “The state of hacked accounts”.