In a blog post last November, we talked about a replica YouTube notification spam that tells recipients about their “delayed/deferred mails”.

If you’re still wondering how a video streaming service can, in some way, notify users of missed emails without providing further context, you’ll find that the individual or group behind this new batch of fake automated mails are none the wiser.

We are able to retrieve three samples of emails purportedly from Facebook, WhatsApp, and Skype—all of which follow a similar ploy we’ve seen that fake YouTube email used before. The format are identical to each other as well.

All links on each spam lead to redirector PHP pages housed on compromised sites. Below illustrates simple redirection schemes for each of the spam messages we looked into:

fake-pharma-diagramclick to enlarge

Details of the spam messages:

From: Skype+Team
Subject: You missed emails oddity
Message body:
You have missed email.

View emails.

Warm wishes
Skype+ service
From: Facebook Notifier
Subject: Deferred mails shelton
Message body:
Deferred mail.
View mails.

Best regards
Facebook team
From: WhatsApp Notifier
Subject: Incoming voicemessage 10:07AM
Message body:
Missed voice message.

Details

Dec 10 10:07 AM
06 sec

Listen

The destination URLs, globalhealthsupply[DOT]ru, saferemedymarket[DOT]ru, and curingremedyshop[DOT]ru, were first seen in the wild some time in mid-November. They resolve to several IP addresses that have been known to host scammy or malicious content. 95[DOT]84[DOT]156[DOT]43 from Russia is one of those IPs.

Please ensure that the above URLs we mentioned are already blocked by your security software. If not, you can manually do this by adding them to your browser’s blacklist. When you’re still unsure of what legitimate online pharmaceutical sites to trust, we suggest that you visit LegitScript and review their list.

Recommended reading/s:

Jovi Umawing