Over the weekend, a large number of Pinterest accounts were compromised and used to pin links to spam promoting a miracle diet pill called Garcinia Cambogia Extract. Since most of the compromised accounts were linked to Twitter, these spam “pins” on Pinterest were also cross-posted to Twitter.
Figure 1. Pinterest miracle diet spam cross-posted to Twitter
Back in April, we published a blog on compromised Twitter accounts used to promote the same miracle diet pill spam. During our investigation, we made a connection to the Pinterest hack reported by TechCrunch in late March.
Figure 2. Miracle diet spam tweets from public figures in April 2014
All three incidents were very similar. They share similar scripted messages such as “I was skeptical, but I really lost weight!” They also led users to a fake version of the Women’s Health website. Based on the similarities, Symantec believes that all three incidents are connected.
Miracle diet spam on Pinterest
Figure 3. Miracle diet spam post on Pinterest
All miracle diet spam posts on Pinterest feature before and after weight loss photos of people. In addition to the awestruck descriptions, all posts linked back to blogs hosted on Tumblr.
Figure 4. Pinterest posts on the before and after pictures of people who underwent weight loss
Compromised Tumblr blogs
Many of the Tumblr blogs we discovered were legitimately used at one point. However, none of them had been updated for months or, in some cases, years.
Figure 5. Compromised Tumblr blog used to redirect users to diet pill spam
Redirect script on Tumblr.com blogs
Each of these compromised Tumblr blogs contains a redirect script hosted on the file sharing service Dropbox. As a result, when users land on a compromised Tumblr blog, they are redirected to the miracle diet spam site.
Figure 6. Source code of a compromised Tumblr blog pointing to redirect script
The miracle weight loss website impersonates the real Women’s Health website. The root domain for the spam is “com-june2014.us” and it uses the “womenshealth” subdomain to convince users they are on womenshealth.com.
Figure 7. Miracle diet pill site impersonates Women’s Health website
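The lookalike hostname described above can be caught with a mechanical check on where a trusted domain sits inside a link's hostname. The following is an added example, not code from the original post; the function names and sample URL paths are constructed, and the registrable domain is approximated with a last-two-labels rule (an assumption; real code should consult the Public Suffix List).

```javascript
// Added example (not from the original post): classify a link's hostname
// against a list of trusted domains to catch lookalike hosts.
const TRUSTED = ["womenshealth.com"]; // the site impersonated in this campaign

// Assumption: naive "last two labels" rule. Production code should use the
// Public Suffix List so that suffixes such as co.uk are handled correctly.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function checkLink(url) {
  let host;
  try {
    // Normalise case and drop a trailing root dot before comparing.
    host = new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return { verdict: "invalid" };
  }
  const root = registrableDomain(host);
  for (const brand of TRUSTED) {
    // Genuine: the host is the trusted domain or a subdomain of it.
    if (host === brand || host.endsWith("." + brand)) {
      return { verdict: "trusted", host, root };
    }
    // The trusted domain starts on a label boundary but the name keeps
    // going, as in "womenshealth.com-june2014.us".
    const idx = host.indexOf(brand);
    if (idx !== -1 && (idx === 0 || host[idx - 1] === ".")) {
      return { verdict: "impersonation", host, root, brand };
    }
    // The brand label is used as a subdomain of an unrelated root.
    const brandLabel = brand.split(".")[0];
    if (host.split(".").slice(0, -2).includes(brandLabel)) {
      return { verdict: "suspicious-subdomain", host, root, brand };
    }
  }
  return { verdict: "unrelated", host, root };
}

// Constructed sample links; paths are illustrative only.
for (const u of [
  "http://womenshealth.com-june2014.us/diet",
  "https://www.womenshealth.com/weight-loss",
  "http://womenshealth.example.net/",
]) {
  console.log(u, "->", checkLink(u).verdict, "(root:", checkLink(u).root + ")");
}
```

The `root` field is the part worth showing to a user or logging, since it names the domain that actually controls the page regardless of what the subdomain claims.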
Why go through all of these hoops?
The main reason spammers go through all of these hoops is to evade spam filters on social networks. On Pinterest, plenty of users pin posts from Tumblr blogs. On Tumblr, a redirect script called 'tumblr-redirect.js' hosted on Dropbox is inserted into each Tumblr page.
Are Twitter accounts compromised?
It does not appear so. Most of the tweets we have seen show they were shared through Pinterest and not Twitter. Symantec Security Response recommends the following tips for Pinterest, Tumblr, and Twitter users: