A well-known spammer is using hacked web servers, some of them used by schools and church groups, to host new landing pages designed to sell stolen photos of naked celebrities, according to Cloudmark.
The messaging security vendor claimed that the porn spammer's latest campaign began at the start of September, two days after the stolen pics began to appear on 4Chan.
A worldwide botnet is used to spam out unsolicited emails with no subject line and only a single link in the body text. Clicking on this will lead the user to a file placed on a compromised web server.
“Our automated scanning has counted several hundred compromised servers used for this spam over the past three weeks, including schools and church groups,” explained Cloudmark research analyst, Andrew Conway.
“A disproportionate number of them have characteristics of WordPress sites, so it’s probable that this spammer is exploiting vulnerabilities in WordPress or its plugins.”
The HTML for the spam landing pages is hosted on these hacked web servers, but the static JPEG banners and animated GIF banners, as well as other pornographic images, are hosted on a .ru domain in Russia.
However, clicking to purchase one of those images would lead the user to a site hosted in Massachusetts containing a large collection of the stolen celebrity pictures, Cloudmark said.
The spammer may have made a fatal error of judgement in offering pics not only of the likes of Jennifer Lawrence and Kate Upton, but also gymnast McKayla Maroney who was allegedly underage when it was taken.
“Since the photograph of McKayla Maroney may constitute an illegal explicit photo of a child under US law, Cloudmark has reported the details of this content to the National Center for Missing and Exploited Children, and followed all the appropriate steps for handling of such content,” said Conway.
He advised users never to click on links in unsolicited emails and to ensure any WordPress versions running on users' PCs are up-to-date.