{"id":15325,"date":"2013-12-18T09:00:53","date_gmt":"2013-12-18T16:00:53","guid":{"rendered":"https://www.webroot.com/blog/?p=15325"},"modified":"2018-10-05T16:27:56","modified_gmt":"2018-10-05T22:27:56","slug":"fake-whatsapp-missed-voicemail-themed-emails-lead-pharmaceutical-scams","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/12\/18\/fake-whatsapp-missed-voicemail-themed-emails-lead-pharmaceutical-scams\/","title":{"rendered":"Fake &#8216;WhatsApp Missed Voicemail&#8217; themed emails lead to pharmaceutical scams"},"content":{"rendered":"<p><a href=\"https:\/\/www.webroot.com\/blog\/2015\/06\/01\/whatsapp-spam-emails-making-a-comeback\/\"><strong>WhatsApp<\/strong><\/a> users, watch what you click on! A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they&#8217;re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo bargain deals. 
Let&#8217;s assess the fraudulent campaign, and expose the fraudulent infrastructure supporting it.<\/p>\n<p><!--more--><\/p>\n<p><strong>Sample screenshot of the spamvertised email:<\/strong><\/p>\n<p><a href=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/12\/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam_01.png\"><img decoding=\"async\" loading=\"lazy\" width=\"683\" height=\"374\" class=\"size-full wp-image-15328 aligncenter\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/12\/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam_01.png\" alt=\"WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam_01\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/12\/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam_01.png 683w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/12\/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam_01-300x164.png 300w\" sizes=\"(max-width: 683px) 100vw, 683px\" \/><\/a><\/p>\n<p><strong>Sample screenshot of the landing pharmaceutical scam page:<\/strong><\/p>\n<p><a href=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/12\/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam.png\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"587\" class=\"size-large wp-image-15326 aligncenter\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/12\/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam-1024x587.png\" alt=\"WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/12\/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam-1024x587.png 1024w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/12\/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam-300x172.png 300w, 
https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/12\/WhatsApp_Fake_Rogue_Fraudulent_Email_Spam_Pharma_Pharmaceutical_Scam.png 1069w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p><strong>Redirection chain:<\/strong>\u00a0<em>hxxp:\/\/203.78.110.20\/horizontally.html<\/em> -&gt; <em>hxxp:\/\/viagraphysician.com<\/em> (109.201.133.58)<\/p>\n<p><strong>We&#8217;re also aware of the following fraudulent domains that are known to have phoned back to the same IP (109.201.133.58):<\/strong><\/p>\n<p><strong>Name servers:<\/strong><br \/>\nns1.viagraphysician.com &#8211; 178.88.64.149<br \/>\nns2.viagraphysician.com &#8211; 200.185.230.32<\/p>\n<p><strong>The following fraudulent name servers are also known to have participated in the campaign&#8217;s infrastructure at 178.88.64.149:<\/strong><\/p>\n<p><strong>The following fraudulent name servers are also known to have participated in the campaign&#8217;s infrastructure at 200.185.230.32:<\/strong><\/p>\n<p>We expect that <a href=\"https:\/\/www.webroot.com\/blog\/2013\/10\/09\/fake-4-missed-emails-gmail-themed-emails-lead-pharmaceutical-scams\/\"><strong>more legitimate brands will continue getting targeted in such a way<\/strong><\/a>, with the fraudsters behind the campaign continuing to earn revenue through <a href=\"http:\/\/www.zdnet.com\/blog\/security\/inside-an-affiliate-spam-program-for-pharmaceuticals\/2054\"><strong>pharmaceutical affiliate programs<\/strong><\/a>.<\/p>\n<p><strong><a href=\"https:\/\/www.webroot.com\/us\/en\/home\/products\/complete\">Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are protected from these scams.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WhatsApp users, watch what you click on! A currently circulating fraudulent spam campaign is brand-jacking WhatsApp in an attempt to trick its users into clicking on links found in the email. Once socially engineered users fall victim to the scam, they&#8217;re automatically exposed to a fraudulent pharmaceutical site, offering them pseudo bargain deals.
Let&#8217;s assess [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":17051,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[23407,3881,23411,5609,5611,5607,5601,5019,4047,5247,4027,23143,23409,5603,5599,5613,3875,5605,4417,3529],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15325"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=15325"}],"version-history":[{"count":7,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15325\/revisions"}],"predecessor-version":[{"id":26145,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15325\/revisions\/26145"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17051"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=15325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=15325"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=15325"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=15325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}