During the recent months, spam originating from China has been hitting the mailboxes of users from all over the world. One interesting fact is that this latest wave of spam is constructed differently from its predecessors. What makes this spam different is the way that the advert is delivered to the victim.

Such spam takes the form of a greeting e-card originating from greetingcard.org or 123greetings.com. These two domains are legitimate domains however the spammer is using these brand names to fake the origin of the email. The body content contains a typical greeting message urging the receiver to click the URL to view the e-card. 

The URL in this case does not directly lead to a store promoting the spamvertised products but to a post in a forum or group showing a screenshot of the store. It is this hyperlinked screenshot which redirects the potential victims to the store being operated by the spammer.

This technique offers a lot of advantages to the spammer:

  1. Social Engineering – inexperienced users are very prone to accepting the message of an email. In this case a greeting e-card is used which targets this type of user. Content checking and statistical techniques for filtering are bypassed easily because basic English words are used.
  2. The spammer is using a ‘middle man’ to lead the victim to the store. The ‘middle man’ is the website hosting the forum\group post. It is the task of the administrators of the forum\group to remove such a post. Obviously this may take a considerable amount of time until the post is reported and action taken.
  3. These forum\group posts are very easily generated using scripts and hence there might exist thousands of different forum posts which lead to the same store. Checking only the URL against a blacklist provider such the surbl.org typically results in a negative result because the unlimited possibilities where the post is hosted and typically the forum\group are legit domains.

The URLs of the group of spam messages under test conditions, redirected to a post hosted on Google Groups ,which in turn contained a screenshot redirecting to buybegin.com. This domain hosts a ‘Canadian’ pharmacy store selling Viagra, Cialis and other medicine of dubious quality and origin.

Forum post hosted on Google Groups

The redirected website ‘buybegin.com’ from the post hosted on Google Groups

 

It is very clear that the domain buybegin.com has been very recently registered and it seems that the owners do not intend to remain in ‘business’ for a long period of time. In fact the domain is registered for only one year. The administrative and billing contacts of the domain are clearly fake and only the contact email address may be genuine. 

Whois record for ‘buybegin.com’ domain

 

Digging deeper into this information reveals that the registrant with the name “Du Qiaowen” has 24 other domains registered under his name such as MagnetAroma.com. The MagnetAroma.com domain has a very similar whois record as buybegin.com with both domains being registered on the same day. The MagnetAroma.com website hosts the same pharmacy store as buybegin.com. All of these indications are the trademark of a large scale scam operation.