Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Evolution of the "Work from Home" Scam

image
JULIEN SOBRIER
November 08, 2012 - 2 min read
Security Insights

Contents

  1. Article
  2. More blogs
The "Work at home mum makes $X,000/month" scam has been around forever. In fact, it has been an integral part of various scam campaigns which we've detailed in the past. These scams even appear in the list of the top-20,000 most visited websites in the world.

It is interesting to follow the evolution of this scam. The scam site always looks like a newspaper website (NBC, News Daily, etc.) with a legitimate news article, but they keep making small "improvements". Earlier this year, the scammers "borrowed" Facebook Like buttons to make it appear as though they had many supporters.

In the past two weeks, thousands of WordPress websites have been hijacked to redirect to online13workhome.com. New pages are added inside the /wp-includes/ directory:
  • http://crewing-russia.com/wp-includes/zaoedtis.php
  • http://nishikanttravels.com/images/gllsxayu.php
  • http://mitra-corp.com/wp-includes/kexohywj.php
  • http://aeflosangeles.com/wp-includes/bkpokbpc.php
  • http://logintofacebook.biz/wp-includes/hjgmmvsh.php
  • http://drhassanattia.com/wp-includes/zbfcbyom.php
  • http://sumittirathyatra.com/images/zypeeucx.php
  • etc.
The file names seem to be random and unique. Some of the hijacked websites are blocked by Google Safe Browsing, but the majority are not flagged and some of the websites have been cleaned up.

 
Image
"Work from home" scam


Above is a spoof of the CNBC website. The page is well designed, with fake ads for CNBC Pro, summaries of fake articles on the elections, etc.  They even use geo-localization to modify the title of the article to include the local city name: San Jose Mum...", "Atlanta Mum...".
 
Image
JavaScript used for geo-localization

All the links redirect to www.realonlineincnow.com (currently down). Neither online13workhome.com nor realonlineincnow.com are currently blocked by Google Safe Browsing, but some of the hijacked sites leading to them are blocked by Google.

 
form submtited
Thank you for reading

Was this post useful?

vote yes
Yes, very!
vote no
Not really

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.

Explore more Zscaler blogs

A cyber criminal shopping for malware

Agniane Stealer: Dark Web’s Crypto Threat

Read post
Business people walking through a city

The Impact of the SEC’s New Cybersecurity Policies

Read post
Digital cloud illuminated in blue

Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)

Read post
TOITOIN Trojan

The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region

Read post

01 / 02

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.