Valentine Scams: Romancing the Stony-Hearted

As we've seen so many times before, cybercriminals are not ashamed to exploit horrors like the Haiti earthquake or 9/11, so it would be naive to expect them not to make use of our warmer sentiments, too. My colleague Urban Schrott at ESET Ireland has just blogged a cautionary note on that very topic. 

I recently blogged at Mac Virus about an excellent blog by Dancho Danchev on “How the Koobface gang monetarizes Mac OS X” by compromising legitimate sites with a PHP backdoor shell in an attempt to direct OS X traffic to affiliate dating programmes.  

As I mentioned at the time, Dancho included a lot of detail on a range of scam dating sites that are currently active. Not surprisingly, we’re seeing somewhat related material (Russian bride scams, malware populated domains with Valentine’s Day themes)  at ESET.

Here are some domains Pierre-Marc has flagged that include malware-populated pages that seem to have Valentine's Day themes. (For obvious reasons, I haven't included the full pages.)

  • hxxp:// 
  • hxxp:// 
  • hxxp:// 
  • hxxp://
  • hxxp:// 
  • hxxp://

I'm also hearing about large quantities of Russian Bride spam: my colleague Urban Schrott in Ireland has mentioned sites like and Journalist Larry Seltzer has also mentioned receiving lots of this stuff.

Checking my own spam traps, I found some of those fake eCards that Randy loves so much, a sprinkling of  East European ladies wanting to get to know me, and an avalanche of Viagra spam. I wish I could tell you what my wife said about that, but this is a family blog.

By the way, quite a few of those fake eCards include compressed URLs. You might want to watch out for those.

Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled):
ESET Threatblog notifications on Twitter: (or
ESET White Papers Page:

Securing Our eCity community initiative:

Also blogging at:

Author David Harley, ESET

  • Please remove hxxp://  here and your Facebook page. There is no malware on this website and you mentioning it without letting the web owner is not ethical

    Thank you

    • Randy Abrams

      The Facebook page belongs to an employee of a distributor in Ireland. we are in no position to change the Facebook page. There are far too many compromised sites for us to contact the site owner for each one, especially since many sites do not contain legitimate contact information. If there is no malware on the domain now, that is a great thing, but there was at one time. I have asked the researcher who came across the malware to send me the exact page and I will be happy to advise you of its location if you have not already removed it.

  • I don’t think so

    it is difficult to find some hot smokin russian wife with very good manners, most of them are just after the money -;`

    • David Harley

      You didn’t really think I’d let you advertise here, did you, Mr Liposuction?

      • Randy Abrams

        The browser closing trick doesn’t work if there was an unpatched vulnerability. That is why it is critical to keep all of your software up to date.

    • Randy Abrams

      Did you try Googling “Quality hot smoking Russian wife?” Perahps it is personal? I don’t know? Maybe you should look for a hot Russian woman who isn’t already a wife. Perhaps you would do better looking for someone who isn’t already married. Just a few pointers.

Follow us

Copyright © 2017 ESET, All Rights Reserved.