I’m seeing another round of weight loss spam that abuses third party Yahoo accounts for sending. It is similar to the earlier “Raspberry Ultra Drops” weight loss spam that also used compromised Yahoo accounts.
Here is one of the advertised domains, which is hosted on many different servers:
biggsetfatburningsecret.com. 1439 IN A 220.127.116.11
biggsetfatburningsecret.com. 1439 IN A 18.104.22.168
biggsetfatburningsecret.com. 1439 IN A 22.214.171.124
biggsetfatburningsecret.com. 1439 IN A 126.96.36.199
biggsetfatburningsecret.com. 1439 IN A 188.8.131.52
biggsetfatburningsecret.com. 1439 IN A 184.108.40.206
biggsetfatburningsecret.com. 1439 IN A 220.127.116.11
biggsetfatburningsecret.com. 1439 IN A 18.104.22.168
biggsetfatburningsecret.com. 1439 IN A 22.214.171.124
biggsetfatburningsecret.com. 1439 IN A 126.96.36.199
biggsetfatburningsecret.com. 1439 IN A 188.8.131.52
biggsetfatburningsecret.com. 1439 IN A 184.108.40.206
The domain is registered through Ukrainian registrar ukrnames.com using forged WHOIS contact details.
The buy link on that site redirects to authenticgreencoffee.com, a domain registered last July, with the owner hidden behind a WHOIS proxy.
Other domains hosted on the same servers, some of which are part of the “Work from home mom” scam series:
The “work at home mom” scam series also used hacked Yahoo accounts for advertising websites that are made to look like network TV news sites, so these scams are probably related.
The spam senders are often abusing mail interfaces meant for mobile phones. The Yahoo message IDs of the spams contain some of these strings:
Probably “.androidMobile” is for use by the Yahoo Mail for Android app, though the spam is not necessarily sent from Android phones. More likely it is just using the servers provided for Android, but accessing from a PC.
The “BPMail” IDs are an interesting one. I suspect the “_noncarrier” variants involve IP addresses not connected to one of the phone carriers that bundle Yahoo mail with their service, while the “_carrier” variants mean the IP address is part of the provider’s address pool, though it could be used by a PC accessing via a wireless broadband modem.
“High” and “low” could be an internally assigned spam rating, though that is mere speculation. However, “.BPMail_high_noncarrier” is the most common Google hit of these 4 that comes up when searching for information about this type of spam. When investigating a pool of spam samples, this was the order of declining frequency: “.BPMail_high_noncarrier” was by far the most frequent, followed by “.BPMail_high_carrier” and finally relatively small numbers of “.BPMail_low_noncarrier” and “.BPMail_low_carrier”.
The spam recipients (common numbers: 1, 3, 9 or 10) tend to include the last addresses the legitimate owner of the Yahoo account has emailed. So perhaps the spammers are harvesting email addresses from the “Sent” folder of the Yahoo account after gaining access to it.
I find it amazing that Yahoo has yet to find a away to close the vulnerability that allows this spam and fraud to continue, despite the months and years since it was first observed.