I get, as readers of this blog will know, a lot of spam. I’ve been using the same email address for decades (my AOL address since 1992, my own domain address since 1996), so I’ve had plenty of time to get on a lot of spam lists.
Recently, I started to see a whole series of very similar spam messages, all variations on the same message (“Hot Lady Wants You to F*ck Her,” “Invited to H00kup”) and all advertising redirectors on hacked Web sites. I’ve received a ton of these spam messages–about 75 in the last three weeks alone, with more coming every day.
The spam messages all spamvertise malicious redirectors that are placed on hacked Web sites. The redirectors all go to a destination that says “This is NOT a dating site! WARNING! You will see nude photos. Please be discreet.”
There’s a lot of hacking activity going on. Every spam message points to a different hacked site, all of which redirect to a whole network of identical landing sites. This, then, is the work of an organized, deliberate hacker or (more likely) group of hackers, likely using automated tools to hack vulnerable Web sites and plant the malicious redirectors.
Curious, I decided to go down the rabbit hole, to see what I could find out. I started collecting the spam emails, tracking how often they came in, what URLs they spamvertised, and where those URLs redirected to.
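The kind of tally described above can be scripted. This is an added example, not code from the original post: the sample messages, dates, and `.example` hosts are constructed, and `hosts_in` and `summarize` are hypothetical helper names. It parses each message, counts arrivals per day, and counts how many messages advertise each host, with no network access and no link following.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample messages; hosts use the reserved .example TLD.
SAMPLES = [
    "Date: Mon, 06 Jan 2020 08:00:00 +0000\nSubject: Invited to H00kup\n\n"
    "See http://site-a.example/wp-includes/go.php?x=1\n",
    "Date: Mon, 06 Jan 2020 21:30:00 +0000\nSubject: Invited to H00kup!\n\n"
    "Visit http://SITE-B.example/images/r.html.\n",
    "Date: Tue, 07 Jan 2020 03:15:00 +0000\nSubject: H00kup invite\n\n"
    "http://site-c.example/a/ or again http://site-c.example/a/\n",
    "Date: Wed, 08 Jan 2020 11:45:00 +0000\nSubject: Invited to H00kup\n\n"
    "<a href=\"http://site-d.example/tmp/l.php\">click</a>\n",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def hosts_in(msg):
    """Return the set of lower-cased hostnames linked from the text parts."""
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            host = urlsplit(url.rstrip(".,;)")).hostname  # drop trailing punctuation
            if host:
                found.add(host)
    return found

def summarize(raw_messages):
    """Tally messages per day and advertised hosts across a campaign."""
    per_day, hosts = Counter(), Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        per_day[parsedate_to_datetime(msg["Date"]).date().isoformat()] += 1
        hosts.update(hosts_in(msg))  # each host counted once per message
    total = sum(per_day.values())
    return {
        "messages": total,
        "per_day": per_day,
        "hosts": hosts,
        # A ratio near 1.0 suggests a fresh host for nearly every message.
        "distinct_host_ratio": len(hosts) / total if total else 0.0,
    }

if __name__ == "__main__":
    print(summarize(SAMPLES))
```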
I discovered an organized gang of hackers and fraudsters operating out of a series of companies organized in Cyprus, who had built a large network of hacked sites and were using the hacked sites to funnel traffic into a fake dating site that attempts to get rather a large amount of money from marks it cons into signing up.
I followed the link from one of the spam messages, a site called
*** WARNING *** WARNING *** WARNING ***
The URLs mentioned in this post are live as of the time of writing this. I recommend you do not visit them if you don’t know what you’re doing. The URLs are compromised sites or sites owned by people who compromise Web sites. They may attempt other malicious actions.
Mitsis Building 1, Stasinou Avenue
I answered the questions and filled out a signup form on
The site at
Peiraios 30, 3016
If you are foolish enough to agree to give them a credit card number, totally just for age verification (and recurring membership fees of $49.95 per month), your credit card is sent to a Web site called
From there, you’re taken to yet another site,
and ten seconds after that, I got a chat request, supposedly from a woman near me:
This is par for the course for Web sites that prey on lonely and desperate men. The employees of such sites keep stables of fake profiles, often hundreds of them, and message new users with the intent to entice them to pay for the service. I’ve known folks who’ve worked for such sites.
So, it’s an ordinary and common fraud, atypical only in that the people who own the fraudulent site are aggressive computer hackers who compromise large numbers of sites and then send out barrages of spam containing links to redirectors on the hacked sites.
I took a look at the Web host responsible for
So what’s happened is a group of folks operating out of Cyprus are running a phony, and very expensive, dating Web site. They are aggressively hacking large numbers of other sites, which they use as a redirection network. They spam their redirection network to funnel people into the fake dating site. The ISP hosting the fake dating site has explicitly said it refuses to hear spam complaints regarding the fake dating site.
The overall system looks like this:
So this is a group of sleazy operators in the sleazy fake dating sphere, who have crossed over from sleazy to outright criminal activity in using hacking to compromise Web sites and enlist them as traffic redirectors.
People often ask me, “what’s the big deal if I don’t stay on top of security for my little WordPress site? There’s nothing on it. I only get three visitors a month, and one of them is my mom. Why would anyone want to hack me?”
The answer is “people don’t hack you to get whatever’s on your site. They hack you so they can use your site for their own purposes–placing illegal content on your site, hosting phish pages on your site, planting malware on your site, putting redirectors on your site which they can then use in spam campaigns. It’s not about you. Obscurity doesn’t matter.”
Secure your Web sites. If you have a presence on the Web, it’s on you to prevent operators like these from hijacking you.
I have reached out to Rackco to see if they’re willing to explain why they host this site and refuse to accept spam reports about it. I’ll update this blog post if I get a reply.