Indeed they do. I recently looked into a similar scam, although the starting point was a hacked email account that sent out links to everyone in the address book to a hacked wordpress install. It was interesting following the rabbit hole. Here is a quick write-up I did on that instance:
This is what the original wordpress instance looked like (just the frontpage, which did not carry malicious content):
http://i.imgur.com/FeCKUu9.jpg
- However, the malicious page on this wordpress instance redirects to a site named foxrxs, registered a day ago (as of this writing) http://whois.domaintools.com/foxrxs.com - to "Gergo Czako" in Hungary.
- The foxrxs site is made to look like Fox News, but it basically just tries to sell people "raspberry ultra drops" - a diet supplement:
http://i.imgur.com/RHMxj7T.jpg
- Most of the links on foxrxs go to onlineslimdiet:
http://i.imgur.com/e4tdYm1.png
- This site was also registered yesterday (as of this writing): http://whois.domaintools.com/onlineslimdiet.com - in this case to "Uta Kalb" in Germany. However, what is notable is both domains use exactly the same name servers:
ns1.dnscentral.ru
ns2.dnsmax.ru
So, given the same exact registration date and same name servers, chances are, both are owned by the same entity.
- And, this seems to be a common scam:
http://www.complaintsboard.com/bycompany/raspberry-ultra-dro...
Basically, an email address is hacked one way or another, which then often links to a compromised wordpress blog. That redirects to a new domain that is made to look like fox news. The fake fox news site appears to endorse this miracle diet supplement, with all links pointing to another site where you can actually order the product. People apparently do receive the product, but I'm guessing the product itself is a scam. Nice way to make money - only $60 for two ounces of snake oil!
This is exactly what I had in mind. A web page stylized as a news website with an article that subtly points to some diet pills. If one didn't read the URL he could really fall for that.
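The correlation used in the write-up above (same registration date plus same name servers), sketched as an added example that is not part of the original comment. The WHOIS text is constructed: the creation dates are placeholders and the example.org / example.net records are hypothetical controls.

```python
from collections import defaultdict

# Constructed WHOIS excerpts. The first two domains and the two name servers are
# the ones named in the write-up; every creation date is a placeholder, and the
# example.org / example.net records are hypothetical controls.
WHOIS_RECORDS = [
    "Domain Name: FOXRXS.COM\nCreation Date: 2000-01-01T09:12:00Z\n"
    "Name Server: NS1.DNSCENTRAL.RU\nName Server: NS2.DNSMAX.RU\n",
    "domain name: onlineslimdiet.com\ncreation date: 2000-01-01T17:40:00Z\n"
    "name server: ns2.dnsmax.ru.\nname server: ns1.dnscentral.ru.\n",
    "Domain Name: EXAMPLE.ORG\nCreation Date: 2000-01-01T03:00:00Z\n"
    "Name Server: NS1.EXAMPLE.NET\nName Server: NS2.EXAMPLE.NET\n",
    "Domain Name: EXAMPLE.NET\nCreation Date: 1999-06-15T00:00:00Z\n"
    "Name Server: NS1.DNSCENTRAL.RU\nName Server: NS2.DNSMAX.RU\n",
]

def parse_whois(text):
    """Pull domain, creation date (day only) and name-server set from WHOIS text."""
    rec = {"domain": None, "created": None, "ns": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            rec["domain"] = value.lower()
        elif key == "creation date":
            rec["created"] = value[:10]  # compare by day, ignore the time
        elif key == "name server":
            # Normalise case and trailing dot so ordering/format does not matter.
            rec["ns"].add(value.lower().rstrip("."))
    return rec

def cluster(records):
    """Group domains that share BOTH the registration day and the full NS set."""
    groups = defaultdict(list)
    for rec in map(parse_whois, records):
        if rec["domain"] and rec["created"] and rec["ns"]:
            groups[(rec["created"], frozenset(rec["ns"]))].append(rec["domain"])
    return [sorted(domains) for domains in groups.values() if len(domains) > 1]

if __name__ == "__main__":
    for domains in cluster(WHOIS_RECORDS):
        print("likely same operator:", ", ".join(domains))
```

Requiring both signals matters: a shared registration day or a shared DNS provider alone matches many unrelated domains, which is why the two control records stay out of the cluster.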