The other day I received this ominous message on Skype from an infected machine:
A Trail of 302s
The URL redirects to
Even in Shandong, programmers like the K&R indent style. Let’s try one of these random URLs:
    curl -Lv 'http://fuckyou.com-n7d.net/a=311397&c=wl_con&assholes'
    [...]
    < HTTP/1.1 302 Found
    [...]
    # Gasp! Another redirect
    < Location: http://com-zau.net/?a=311397&c=wl_con
    [...]
    # The domain is owned by the same Shandong individual
    < HTTP/1.1 302 Found
    [...]
    # Gasp! Another redirect
    < Location: http://277-beauty.com-zau.net/dekedj/womenshealth/
    [...]
    # Same host
    < HTTP/1.1 200 OK
    < Server: nginx
    < X-Powered-By: PHP/5.3.28 # old, grumpy PHP version
    [...]
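To make a trace like the one above easier to triage, this added example (not part of the original post) parses the response headers of `curl -Lv` output into a list of hops and groups the visited hosts by parent domain. The function names are made up for this example, the grouping naively takes the last two host labels instead of consulting a public-suffix list, and the sample trace is retyped from the output above with the elided lines left out.

```python
import re
from urllib.parse import urljoin, urlsplit

# Start URL and response headers retyped from the trace above, laid out the way
# `curl -Lv` prints received headers ("< " prefix); elided lines are left out.
START_URL = "http://fuckyou.com-n7d.net/a=311397&c=wl_con&assholes"
SAMPLE_TRACE = """\
< HTTP/1.1 302 Found
< Location: http://com-zau.net/?a=311397&c=wl_con
< HTTP/1.1 302 Found
< Location: http://277-beauty.com-zau.net/dekedj/womenshealth/
< HTTP/1.1 200 OK
< Server: nginx
< X-Powered-By: PHP/5.3.28
"""

STATUS_RE = re.compile(r"^< HTTP/\d(?:\.\d)? (\d{3})")
HEADER_RE = re.compile(r"^< ([A-Za-z0-9-]+):\s*(.*)$")

def parse_chain(start_url, trace):
    """Return one dict per response: URL requested, status code, banner headers."""
    hops, url = [], start_url
    for line in trace.splitlines():
        status, header = STATUS_RE.match(line), HEADER_RE.match(line)
        if status:
            hops.append({"url": url, "status": int(status.group(1)), "banners": {}})
        elif header and hops:
            name, value = header.group(1).lower(), header.group(2).strip()
            if name == "location" and 300 <= hops[-1]["status"] < 400:
                # Location may be relative; the resolved target is the next request.
                url = urljoin(url, value)
            elif name in ("server", "x-powered-by"):
                hops[-1]["banners"][name] = value
    return hops

def hosts_by_parent(hops):
    """Group visited hosts by their last two labels (naive: no public-suffix list)."""
    groups = {}
    for hop in hops:
        host = urlsplit(hop["url"]).hostname
        siblings = groups.setdefault(".".join(host.split(".")[-2:]), [])
        if host not in siblings:
            siblings.append(host)
    return groups

if __name__ == "__main__":
    for hop in parse_chain(START_URL, SAMPLE_TRACE):
        print(hop["status"], hop["url"], hop["banners"])
    print(hosts_by_parent(parse_chain(START_URL, SAMPLE_TRACE)))
```

Grouping by parent shows that the first host is registered under `com-n7d.net` rather than a `.com` domain, and that the last two hops share `com-zau.net`.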
The Fake Magazine
Fake Women’s Health magazine article
The article seems to cater to insecure women who are desperately trying to lose weight and are thus easy bait for weight loss drug scammers. In it, two drugs are being promoted: Garcinia Cambogia + Pure Life Cleanse, AKA Pure Wallet Cleanse, amirite??!
Who is behind it?
Let’s see whether we can find out which company is selling these weight loss drugs.
After sifting through the order page that is linked from the fake article, one can quickly see that a company called BioTrim Labs owns the product. The redirect path there is interesting: it goes through another host name, vikingtrck.com, which runs Microsoft-IIS/7.5. Now, we all know what IIS stands for: Level 10 CVE. Not only do these scammers hardly cover up their WHOIS records, their server infrastructure is vastly outdated.
Now, when you try to look up BioTrim Labs in a UK, US or German company registry, it does not turn up. So this is where the trail ends. I have no idea who you should sue once your intestines turn into jello.