Spam and WordPress

My WordPress blog has been live for some time, and I keep getting spam messages, trying to go through the comments section of my blog

All are blocked automatically by my spam protection. However, I have decided to take some time to analyze some of these spam messages, as a basic spam forensic introduction. So let’s go through the findings I made


Hairstylesvip

Comment: One thing I have actually noticed is that often there are plenty of misconceptions regarding the banking institutions intentions when talking about foreclosed. One myth in particular is always that the bank wants your house. The lending company wants your money, not your own home. They want the amount of money they lent you along with interest. Staying away from the bank will draw the foreclosed summary. Thanks for your post.

The comment was posted from an IP located in the USA, but it was done through a VPN, of course. This IP has a very high fraud risk according to Scamalytics (https://scamalytics.com/), to a maximum of 100

About M247 Ltd, described as a “high risk ISP”, please check this article : https://news.ycombinator.com/item?id=22086904

Excerpts here below :

“self-proclaimed No-logs VPN had started opening new servers with a provider called M247, which is based in Manchester, UK”; “M247 Ltd is operating an estimated 65-85% of these VPN servers, and 90% of the USA servers are operated by them”; “They’re cheap. They have excess capacity. So operators like VPN providers are buying from them. It doesn’t seem too surprising”

So I believe this scammer use VPNs supported by the network of M247 Ltd, because this company has a significant market share and a good exposure. However, M247 Ltd has nothing to do with the loosy business of these scammers. I believe that M247 Ltd, as most of the Internet providers, try hard to prevent any abuse of their network services

The Email adress Antonetti@hotmail.com, after some research, does not point to anything obvious. This adress appeared in five data breaches, according to Have I Been Pwned

The URL points to an IP located in Lithuania, having a fraud score of 67 on Scamalytics (medium risk)

This URL points to a domain wich is pretty new (around 1 year old as traced by the WayBackMachine [https://web.archive.org])

Looking into the different historical captures, one can see that this domain is very repetitive, with only random pictures of people, probably AI generated (https://thispersondoesnotexist.com/, for example, is an AI picture generator), or using pictures from celebrities

The texts are bot generated and repeating themselves from pictures to pictures, and make no sense at all

The website is crippled with ads, from domains which are of the same very poor quality

You can see comments found on the web about https://zolucky.com/ : poor customer service, terrible product, weak return policy

Looking into their Terms & Conditions, there is no information about their Legal Entity

This website provides the wrong impression that it’s a US based company but in fact products are coming out of Asia (China), according to users

Another ad I found in the captures, is referring to Chicros.com, which is also a platform selling clothes and other fashion stuff. The lady models used in this website are in some cases, the same as the ones from Zolucky.com !

Look at this one for example and compare with the above ad capture from Zolucky…you can easily find that this is the same lady on the left hand side

All these pictures are obviously photoshopped and fake. From then on, one may think that these websites are from the same owner, with backlinks to one another…

Chicros.com indicated in their Terms & Conditions that they have a registered office located near London, at the 134 London Road. Regus (IWG plc) is a company renting coworking space, company domiciliation and more. It has a fairly poor customer record according to Trustpilot (https://uk.trustpilot.com/review/www.regus.co.uk), so I would not be surprized that they can host loosy businesses

The domiciliated company is ME&D LTD

According to https://www.companyinformation.co.uk, the Director is M. Lingling Wu, Chinese, born in May of year 1983. This person holds a Director title at four UK companies

All are said to be “dormant” except ME&D LTD. These small businesses are said to be “Retail sale via mail order houses or via Internet”

What is to be found when you Google this name : M. Lingling Wu ?

Here is a good link in French : https://www.signal-arnaques.com/scam/view/189894)

This article points to another retail site : https://helochic.com/. It has a similar presentation as the other ones (same web templates etc), and is said to be a Chinese site, a scam, to be closed urgently

Almost for sure, this M. Lingling Wu is not a real name

For someone active in retail, with several Director roles in registered companies over UK, there is nothing to be found in Linkedin, which does not fit the role

Comment: I am curious to find out what blog system you’re utilizing? I’m having some minor security problems with my latest website and I’d like to find something more safeguarded. Do you have any recommendations?

The comment was again posted from an M247 Ltd operated VPN. This time, the Fraud score is very good

The Email used has been found in 3 data breaches

The Website is the same as in the first spam analyzed above

Just by typing this spam comment in Google, I found out that many blogs had let it slipped through. This is an obvious indicator that this message is massively used in spams, and also that many blogs and forums are ill secured

I have found that in most cases, this spam was used in the summer of year 2020, so pretty new and massive spam campaign

But traces of this comment are not new and can be found on much older spams

Comment: I do believe that a property foreclosure can have a major effect on the applicant’s life. Property foreclosures can have a Several to 10 years negative affect on a client’s credit report. The borrower who’s applied for home financing or any loans as an example, knows that a worse credit rating is, the more tricky it is to obtain a decent personal loan. In addition, it can affect the borrower’s ability to find a respectable place to lease or hire, if that turns into the alternative homes solution. Good blog post.

This one is just another repetition, same IP, same Email adress, same URL, and the comment is very similar. It just shows the magnitude of this spam campaign

Conclusion : Hairstylesvip.com is a site used as a web relay, and pointing to fraudulent web sites, hidden behind VPNs and domiciliated companies, trying to show a respectable impression to potential customers

Spam campaigns are used to expose and bring traffic to these websites, increasing their indexation in search engines. It would be very difficult to stop the progress of these sites, as they are constantly adapting, changing their domains and front offices

As Internet users, our responsibility is to be aware and block these spams out of our blogs, by proper security measures. If not, spammers get more and more incentive to continue their nasty business


Ifashionstyles

Comment: I relish, result in I discovered exactly what I used to be having a look for. You’ve ended my four day long hunt! God Bless you man. Have a nice day. Bye

The IP adress used for posting is similar to the spams from Hairstylesvip.com, and firstly points to a location in the USA. Again, it’s been posted through a VPN, via the network of M247 Ltd

The Email adress Verdier61985@hotmail.com brings nothing special, no pwn, no traces on Google

This domain points to the same IP adress as Hairstylesvip.com. It’s quite obvious we have the same people behing these sites

The IP has direct links to several domains

Comment: Hiya, I’m really glad I have found this info. Today bloggers publish only about gossips and web and this is actually annoying. A good web site with interesting content, that is what I need. Thanks for keeping this website, I will be visiting it. Do you do newsletters? Cant find it.

This time, the spam was posted from an adress in China. Maybe they forgot to hide their traces

Conclusion : this is a good indicator that the spam campaign launched by the Chinese scammers is massive, widespread, evolutive, with the target to “occupy the web”, with backlinks everywhere, getting as much traffic as possible. Quite badass 🙁


Cravefreebies

Comment: Hey very nice web site!! Man .. Beautiful .. Amazing .. I will bookmark your I’m happy to find numerous useful info here in the post, we need work out more strategies in this regard, thanks for sharing. . . . . .

The comment has been posted again via a VPN, still using the provider M247 Ltd

As shown above with Ifashionstyles, it shares the same IP adress in Lithuania

The domain was created a bit more than one year ago, similar to the other ones. All these scams are combined and in place since about one year

The front domains hairstylesvip.com, ifashionstyles.com, cravefreebies.com have all been registed at Alibaba.com in China, and the commercial domains such as Zolucky.com have been registered in the USA at GoDaddy.com

The Cravefreebies logo is almost identical to the one from Hairstylesvip.com

Conclusion : this scam is massive. They register in the USA, domiciliate in the UK, to gain credibility


Hataywebmasters

This one is pretty disconcerting…According to Scamalytics, the author IP is one from a provider located in Turkey, with a very high risk profile

The Email mail@mail.com has been seen in numerous data leak, as it’s a very standard adress. The website points to an escort girl service in Turkey, with “proposals” mainly in the south eastern part of this country, very close to Syria

After reviewing this site, it’s code base, I could not find any specific threat in the site itself

In terms of technology, it is based upon WordPress, such as many blogs. The website itself is hosted in USA, the domain was created in January 2020 so is pretty new

Looking into the captures of the WayBackMachine, I found that the website did change in the last months. Initially, the photos of the escort girls where also including individual phone numbers. All this data has been removed from the last version, where there is just a contact form available

I have found that when you search this website on Google, you find quite a few blogs with spam messages including a backlink to this site. Much probably for increased visibility

Conclusion : this spam could be an attempt to attract individuals to travel in this region of Turkey. To be noticed : the area is just a few kilometers from Syria. Maybe, there is a more obscure target to this


Crackedroomcomco

Comment: First of all I want to say superb blog! I had a quick question in which I’d like to ask if you don’t mind. I was curious to find out how you center yourself and clear your head before writing. I’ve had a difficult time clearing my thoughts in getting my thoughts out. I do take pleasure in writing however it just seems like the first 10 to 15 minutes are generally wasted just trying to figure out how to begin. Any suggestions or hints? Thank you!

The poster used an IP located in USA, Las Vegas (probably a VPN, again)

The Email adress has been found in many data leak and brings nothing obvious

The very long URL points to an IP located in the UK, to a document with a weird content

As you can see, the page contains some links (avast cleanup Crack, folder guard Crack,…), which bring you to the web site “crackedroom“, where you can find quite a lot of illegal stuff for download

I have checked the site : it is riddled with viruses

The avast cleanup Crack, for example, did raise a serious Trojan warning in my Virtual Machine

One has to be very carefull with this, as the malware is known to spread ransomware attacks

Conclusion : this one is a typical virus spreading through WordPress spams. The first URL is just here to provide keywords and backlinks to the real cracking site. These links may change, but the initial URL can port the dangerous message for a long time, spreading over Internet, as it does not contain malicious code

The attackers can therefore spread their payload all over the Internet, they will just need to change the links from time to time to avoid too much detection


Zenwriting

Comment: My partner and I stumbled over here by a different web address and thought I may as well check things out. I like what I see so now i’m following you. Look forward to going over your web page again

The posting IP is in the USA, again

And, it’s again a fake website with links which will lead you to corrupt your PC 🙁

You need to type in the full adress in the navigation bar as Google has not indexed this page

By clicking on one of the active links, you land at https://muzamilpc.com, which is another website full of virus propagated by cracked software. Do not try to install any of those. It’s again, illegal, and will risk to damage your data and computer. This time, the website is a WordPress one

A simple Google search shows a high quantity of sites providing some links to install this software (surely with some sort of malware)

Conclusion : it’s another relay site for malwares. It’s probably a high profile malware as the software is proposed on many sites


Cbdlifemag

The URL is a website dedicated to CBD – Cannabidiol (a form of Cannabis)

It aggregates quite a lot of resources about CBD, it’s advantages and usages

They have a physical location in London. The website is hosted in the USA

The spam was from an IP located in Bulgaria, and the comment refers to a Tobacco Vapor Store located in the USA

I believe this spam is just a way to make this URL more popular in the Google searches. The site promotes CBD, and proposes ad spaces for rent

Conclusion : it’s a CBD website, for your e-cigarette


Jerry Alicea

Author : Jerry Alicea (45.145.56.1)

E-mail : jerry.alicea@hotmail.com

Comment : YOU NEED QUALITY VISITORS for your: forensicxs.com

My name is Jerry Alicea, and I’m a Web Traffic Specialist. I can get:
– visitors from search engines
– visitors from social media
– visitors from any country you want
– very low bounce rate & long visit duration

CLAIM YOUR 24 HOURS FREE TEST => https://bit.ly/3h750yC

The author IP is located in Israel, and by following the URL, you get a warning message

But after a carefull review on urlscan.io and virustotal, I went through it and found out that it’s a website trying to sell web traffic and digital marketing tricks

The service provider asks you to provide a target URL and keywords describing it

People working for the service provider (such as low wage providers in low cost countries), will google search this URL and keywords

This should progressively increase your SEO score, although with no guarantee that this will end up with a better search engine indexation

Conclusion : this is another attempt to gain business exposure, through spam comments


Overall conclusion

We have seen in this article the variety of motivations that can lead spammers to try to post these messages

Overall, spammers and their bots are constantly flooding the blogs, forums

For spammers and spambots, poorly protected WordPress sites offer a cheap way to spread their URL

Poor maintenance and lack of security awareness among WordPress users is an important root cause for the success of these spammers and spambots

As long as basic security awareness is not increased, we will see more and more spams everywhere, polluting the internet and also the physical world by wasted Energy

I think that WordPress should bear a responsibility to implement more security features in their future releases, as I find that the user is left alone to secure his website (finding the right parameters, installing security addons, learning by doing…)

This would help increase the overall security level of the Internet, as many websites use a WordPress component

5 Replies to “Spam and WordPress”

  1. Very cool article !! We get at least comment a day from one of the names mentioned here and it’s very annoying. I also wanted to know what is behind these obvious scams, googled them & landed on your article. You just went so much deeper, this is amazing !! Thank you & please let me know if there is a way to stop those comments.

  2. Hey, I just found your post because I actually googled about this Hairstyles thing because I had 3 comments in a row and from different Email addresses, I don’t log the IPs but hey nice to see somebody actually looked them up. I don’t know if it’s the same people but intuitively I gotta say, there is a big possibility that there the same people.. thanks for you post! 🙂

    1. Hi DenKer, thanks a lot for your comment, and for refering my article on your website 🙂

      This article is a first attempt to analyse some typical spam messages that I received

      You are right to say that Hairstylesvip and its fellow websites such as Ifashionstyles, Cravefreebies, Zolucky etc…are part of the same cluster

      Apparently, the strategy of this cluster is the following :

      – rely upon millions of spam messages sent all over internet, to spread and gain visibility. WordPress sites with no spam protections are a good target
      – take orders for consumer goods sold at a price much higher than their real value
      – use drop shipping on a large scale
      – hide their real identity by all available means (proxies,…)

      I plan to write a much more detailed article about this, when I have the time, to help narrow down and understand better this “business”

      Cheers

  3. Your article is still helping bloggers three years later! Thank you from a newcomer to WordPress.

    I recently moved my blog to the new domain, so I want to do everything I can to encourage interaction with my readers. I don’t want to delete any legitimate messages by mistake! But I also don’t want to expose my readers to spam.

    Your article helped me determine that several seemingly legitimate comments were in fact spam. Helps tremendously knowing there are creditable sources looking into these websites and IP’s.

    Thanks for doing so much detective work!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.