Who To Sue If Skype Spam Kills You

Published:
September 10, 2015

The other day I received this ominous message on Skype from an infected machine:

http://octavo.in/v/yx7vj.php?liveID=[myskypeusername]

A Trail of 302s

The URL redirects to http://professtanitim.com (with a revealing WHOIS record), which just serves this mysterious JavaScript:

<script type="text/javascript">
function generate(len)
{
// generates a random string with length len
}

function rand(min, max)
{
// random int >min and <max
}

var urls =
[
'com-n7d.net/?a=311397&c=wl_con&', // These two
'com-3fg.net/?a=311397&c=wl_con&' // are owned by a resident of Shandong
];

redir ='http://'+generate(rand(5,10))+'.'+urls[rand(0, urls.length-1)]+generate(rand(5,10));

parent.location.href = redir;
//-->

Even in Shandong, programmers like the K&R indent style. Let’s try one of these random URLs:

curl -Lv 'http://fuckyou.com-n7d.net/a=311397&c=wl_con&assholes'
[...]
< HTTP/1.1 302 Found
[...] # Gasp! Another redirect
< Location: http://com-zau.net/?a=311397&c=wl_con
[...] # The domain is owned by the same Shamdong individual
< HTTP/1.1 302 Found
[...] # Gasp! Another redirect
< Location: http://277-beauty.com-zau.net/dekedj/womenshealth/
[...] # Same host
< HTTP/1.1 200 OK
< Server: nginx
< X-Powered-By: PHP/5.3.28 # old, grumpy PHP version
[...]

The Fake Magazine

Fake Women's Health magazine article

Fake Women's Health magazine article Open in new tab (full image size 95 KiB)

The article seems to cater to insecure women that are desperately trying to lose weight and are thus easy bait for weight loss drug scammers. In it, two drugs are being promoted: Garcinia Cambogia + Pure Life Cleanse, AKA Pure Wallet Cleanse, amirite??!

Who is behind it?

Let’s see whether we can find out which company is selling these weight loss drugs.

After sifting through the order page that is linked on the fake article, one can quickly see that a company called BioTrim Labs owns the product. The redirect path there is interesting: It goes through another host name vikingtrck.com which runs Microsoft-IIS/7.5. Now, we all know what IIS stand for: Level 10 CVE. Not only do these scammers hardly cover up their WHOIS records, their server infrastructure is vastly outdated.

Now, when you try to look up BioTrim labs at a UK, US or Germany company registry, it does not turn up. So this is where the trail ends. I have no idea who you should sue once your intestines turn into jello.

I would be thrilled to hear from you! Please share your thoughts and ideas with me via email.

Back to Index