Security Response

Pinterest and Tumblr Accounts Compromised to Spread Diet Pill Spam

Created: 17 Jun 2014 19:36:05 GMT • Updated: 18 Jun 2014 05:55:32 GMT
Satnam Narang

Over the weekend, a large number of Pinterest accounts were compromised and used to pin links to spam for a miracle diet pill called Garcinia Cambogia Extract. Since most of the compromised accounts were linked to Twitter, these spam “pins” on Pinterest were also cross-posted to Twitter.

Figure 1. Pinterest miracle diet spam cross-posted to Twitter

Back in April, we published a blog post about compromised Twitter accounts used to promote the same miracle diet pill spam. During our investigation, we made a connection to the Pinterest hack reported by TechCrunch in late March.

Figure 2. Miracle diet spam tweets from public figures in April 2014

All three incidents were very similar. They share similar scripted messages such as “I was skeptical, but I really lost weight!” They also led users to a fake version of the Women’s Health website. Based on the similarities, Symantec believes that all three incidents are connected.

Miracle diet spam on Pinterest

Figure 3. Miracle diet spam post on Pinterest

All of the miracle diet spam posts on Pinterest feature before-and-after weight loss photos of people. In addition to the awestruck descriptions, all posts linked back to blogs hosted on Tumblr.

Figure 4. Pinterest posts featuring before-and-after pictures of people who underwent weight loss

Compromised Tumblr blogs

Many of the Tumblr blogs we discovered were legitimately used at one point. However, none of them had been updated for months or, in some cases, years.

Figure 5. Compromised Tumblr blog used to redirect users to diet pill spam

Redirect script on Tumblr.com blogs

Each of these compromised Tumblr blogs contains a redirect script hosted on the file sharing service Dropbox. Therefore, when users land on a compromised Tumblr blog, they will be redirected to the miracle diet spam site.

Figure 6. Source code of a compromised Tumblr blog pointing to redirect script

The miracle weight loss website impersonates the real Women’s Health website. The root domain for the spam is “com-june2014.us” and it uses the “womenshealth” subdomain to convince users they are on womenshealth.com.

Figure 7. Miracle diet pill site impersonates Women’s Health website
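
The subdomain trick described above can be caught by comparing what a hostname appears to be with the domain that actually owns it. The Python check below is an added example, not code from the original post; the protected-brand list, the function names and the two-label registrable-domain shortcut are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Domains to protect. womenshealth.com is the site impersonated in this post;
# the list itself is an assumption of this example.
PROTECTED = ["womenshealth.com"]


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the hostname.

    Simplification for this example. Production code should consult the
    Public Suffix List so that suffixes such as co.uk are handled correctly.
    """
    return ".".join(host.split(".")[-2:])


def impersonated_brand(url, protected=PROTECTED):
    """Return the protected domain that a URL's hostname imitates, or None."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # already lowercased
    owner = registrable_domain(host)
    # Labels to the left of the domain that really owns the hostname.
    sub_labels = host[: len(host) - len(owner)].rstrip(".").split(".")
    for brand in protected:
        if host == brand or host.endswith("." + brand):
            continue  # genuinely on the brand's own domain
        name = brand.split(".")[0]
        # Case 1: the hostname reads as the brand domain from the left,
        # e.g. "womenshealth.com-june2014.us" (owner: com-june2014.us).
        reads_as_brand = host.startswith((brand + "-", brand + "."))
        # Case 2: the brand name is a subdomain label of someone else's domain.
        if reads_as_brand or name in sub_labels:
            return brand
    return None


if __name__ == "__main__":
    # Hostname from the post; the other URLs are constructed samples.
    for sample in ("http://womenshealth.com-june2014.us/",
                   "https://www.womenshealth.com/",
                   "http://example-blog.tumblr.com/post/1"):
        print(sample, "->", impersonated_brand(sample))
```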

Why go through all of these hoops?

The main reason spammers go through all of these hoops is to evade spam filters on social networks. On Pinterest, plenty of users pin posts from Tumblr blogs. On Tumblr, a redirect script called 'tumblr-redirect.js' hosted on Dropbox is inserted into each Tumblr page.

Are Twitter accounts compromised?

It does not appear so. Most of the tweets we have seen show they were shared through Pinterest and not Twitter. Symantec Security Response recommends the following tips for Pinterest, Tumblr, and Twitter users:

  1. Make sure your passwords on all of these services are strong and unique
  2. Tumblr users should enable two-factor authentication
  3. Twitter users should revoke and reauthorize access to the Pinterest application