Yesterday I spotted an interesting Twitter scam/spam campaign. I have reported this incident to Twitter. Most of the malicious links are already blocked.

Key elements:

  • Compromised Twitter accounts posted tweets with innocent-looking links (otherwise the tweet content is suspicious)
  • A large number of hacked websites are used
  • Main target: stealth attraction online video training for “only” $69.95 – with a manly promise: “Just watch the videos, apply the methods, and [redacted] the [beep] out of any girl you want.”

If you click on a malicious link, you will be redirected to the bonusim.ru website. If you do, just leave the site.

Example tweets:

  • Hey @follower power over women. And pretty much allows you to [link]
  • Hi Just say the magic words….[link] @follower
  • Hi [link] @follower seduction system truly is.
  • [link] @follower This video gets you laid?
  • Hi be behind a pay-wall to keep the prying eyes out. [link] @follower

The links are interesting: they are pointing to websites that don’t seem to have anything to do with the subject matter. All websites have at least one randomly named directory, which contains a small index.html file:

 document.location.href ='http://bonusim.ru'
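For site owners or hosters who want to check for this kind of planted file, here is an added example (not part of the original post) that scans a web root for small index files whose script redirects to a host the site does not own. The size threshold, the list of index file names, the `example.test` hosts and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Matches a script-driven redirect such as: document.location.href ='http://host'
REDIRECT_RE = re.compile(
    r"""(?:document|window|top|self)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""",
    re.IGNORECASE)
MAX_STUB_BYTES = 1024  # assumption: the post only says the file is "small"
INDEX_NAMES = {"index.html", "index.htm", "default.htm", "default.html"}

def find_redirect_stubs(webroot, own_hosts):
    """Return sorted (relative_path, host) for small index files redirecting off-site."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_STUB_BYTES:
                continue  # a real page is larger than a one-line redirect
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = REDIRECT_RE.search(fh.read())
            # Relative or missing targets yield no hostname and are ignored
            host = (urlparse(match.group(1)).hostname or "").lower() if match else ""
            if host and host not in own:
                hits.append((os.path.relpath(path, webroot).replace(os.sep, "/"), host))
    return sorted(hits)

def demo():
    """Build a constructed web root (sample data, not real site content) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.html": "<html><body><h1>Plumbing services</h1></body></html>",
            "qzxkwp/index.html": "<script>document.location.href ='http://bonusim.ru'</script>",
            "shop/index.html": "<script>window.location = 'http://www.example.test/shop/home'</script>",
        }
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_redirect_stubs(root, {"example.test", "www.example.test"})

if __name__ == "__main__":
    for rel, host in demo():
        print(f"{rel} -> {host}")
```

Only the randomly named directory is reported; the site's own same-host redirect and its normal home page are left alone.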

urlQuery shows what happens if you click on the malicious link:

Link to the urlQuery report: http://urlquery.net/report.php?id=1405064677113

Here is the landing page with more macho content. You don’t actually have to click on “the men click here” link: the annoying (controversial) video starts automatically.

Below you can find a list of websites found so far:

Technical check of the domains revealed the following:

  • The majority of the domain names are old co.uk addresses
  • All domains are hosted by Freeparking
  • All domains are hosted on an IIS 6.0 server

It is likely that most, if not all, of the websites are hacked, possibly through a single, easy-to-exploit vulnerability.

I hope that the hosting company notifies the affected site owners. Perhaps the hoster will be able to check how these sites were hacked and help to prevent any further misuse. If you know the hosting company or any affected website owner, please notify them.

If your Twitter account is hacked or compromised, please read this article: https://support.twitter.com/articles/185703-my-account-has-been-hacked

If your friend is posting malicious links, do her/him a favor and report the account as compromised.