Boston Explosion Spammer shifts to Texas Fertilizer Plant Explosion

Yesterday recipients of the Malcovery Today's Top Threat report were among the first to get a detailed analysis of the new spam campaign offering videos of the Boston Explosion. Our normal practice is to report on any email campaign that sends us at least 1,000 malware attachments or at least 1,000 malicious links that would lead to a malware infection if the link was to be followed. By mid-afternoon, we had already seen 80,000 copies of this spam!

Because of the prevalence of the campaign, we decided to share a copy of the T3 Report with anyone who wanted it, rather than reserving it for our paying customers. You can still get a copy by following this link:

.
Click Logo for your Free T3 Report

Today, our analysts have uncovered the newest update to the threat ... more than 18,000 emails already received this morning with subjects related to the Texas Fertilizer Plant explosion.

 count |                subject                                             
-------+-----------------------------------------------------
  3263 | Fertilizer Plant Explosion Near Waco, Texas
  2110 | Raw: Texas Explosion Injures Dozens
  2074 | CAUGHT ON CAMERA: Fertilizer Plant Explosion
  2045 | Texas Plant Explosion
  2014 | Texas Explosion Injures Dozens
  1943 | CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
  1609 | Texas plant explosion
  1572 | Video footage of Texas explosion
  1542 | Plant Explosion Near Waco, Texas

The Boston Explosion spam subjects are still an active part of the campaign as well, with nearly 10,000 additional messages coming from that group!

 count |                subject                                             
-------+-----------------------------------------------------
  1315 | 2 Explosions at Boston Marathon
  1197 | Explosions at the Boston Marathon
  1104 | Boston Explosion Caught on Video
  1100 | Video of Explosion at the Boston Marathon 2013
  1034 | Explosions at Boston Marathon
  1032 | Aftermath to explosion at Boston Marathon
  1027 | BREAKING - Boston Marathon Explosion
   999 | Explosion at the Boston Marathon
   958 | Explosion at Boston Marathon

The "count" tells how many samples we have received in the UAB Spam Data Mine, which powers the Malcovery T3 offering. The UAB Spam Data Mine was created as part of UAB's initiatives to create new tools, techniques, and training to fight cyber crime! In December of 2012, UAB launched Malcovery Security to enable our Spam and Phishing efforts to protect more businesses.

To prove that yesterday's campaign and today's campaign are actually one and the same, we traced the URLs being advertised, and found many of the emails that linked to certain IP addresses yesterday with a URL ending in "/boston.html" or "/news.html" are now being advertised in spam with a "/texas.html" link that is being used in the new messages today.

Despite the fact that there are DOZENS of malicious URLs that can be seen in the emails above, we have so far only identified seven "exploit addresses" that are hidden in those malicious websites.

hxxp://auris.comlu.com/ozsr.html
hxxp://bestdoghouseplans.com/azsq.html
hxxp://emucoupons.com/amiq.html
hxxp://nlln.org/aeir.html
hxxp://sambocombat.us/hwsr.html
hxxp://your360solutions.com/emsr.html
hxxp://zendeux.com/wzsq.html

Today's Top Threat subscribers are notified of this type of information each day in their daily T3 reports. By knowing the danger points in top spam campaigns, they are able to use this information either PROACTIVELY, by putting rules into their network security devices and software to block these destination addresses, or REACTIVELY, by scanning their log files to determine if any computer on their network visited one of those sites.

Just like yesterday, any Windows computer that visits one of the links in their email will be shown several YouTube videos, while one of the exploit sites listed above is used to interrogate their computer, infect it with appropriate malware, and add it to their spamming botnet.

Yesterday we clocked individual infected computers as sending approximately 400 emails per minute. 400 * 60 minutes per hour * 24 hours per day == 576,000 emails per day per infected computer! Each computer that clicks this link adds the ability for the spammer to grow their spamming rate by a half million emails per day!

We call this the "Growth Stage" of a botnet. When the objective of a spam message is to cause more computers to also send spam, the botmaster (the criminal who runs the botnet) is trying to enlarge his infrastructure. At some point, the botmaster can issue a command to cause any portion or all of his new collection of "bots" to perform new actions.

These actions could include:

• sending spam that earns money for the criminal, such as Pharmaceutical spam.
• infection with a new malware that steals personal financial information, such as the Zeus or Cridex malware.
• infection with a new malware that causes your computer to attack company websites as part of a "Distributed Denial of Service" (DDOS) Attack, such as the attacks that have been going on against large banks and other companies.
• infection with a new malware that can steal documents, or allow remote control of your company computer to use as a base of infiltration into your organization, such as what happened to the South Carolina Tax Office
• infection with a new malware that can delete data or cause your machine to be unbootable such as the Dark Seoul Attacks in South Korea last month.

Read More

Boston Marathon explosion spam leads to Malware

A new malware spam campaign, claiming to provide videos regarding the Boston Marathon explosion tragedy, is infecting computers and sending spam at a rate that is unprecedented in more than a year. The UAB Spam Data Mine, which has partnered with Malcovery Security to offer the "Today's Top Threat Report" received more than 80,000 copies of the malicious email, with more than 50,000 arriving before noon today.

The top spam subjects for this campaign so far have been:

(count listed as of noon)
  5952 | Boston Explosion Caught on Video
  5885 | Explosions at the Boston Marathon
  5873 | Aftermath to explosion at Boston Marathon
  5855 | 2 Explosions at Boston Marathon
  5729 | Explosions at Boston Marathon
  5725 | Explosion at Boston Marathon
  5690 | Video of Explosion at the Boston Marathon 2013
  5530 | Explosion at the Boston Marathon
  4891 | BREAKING - Boston Marathon Explosion

A second spam campaign is also active, using "CNN-related" spam subjects:

    88 | Opinion: North Korean Official's child was the CIA target - Boston Marathon Explosions Worse Sensations. - CNN.com
    84 | Opinion: Osama bin Laden's legacy - Boston Marathon Explosions - CNN.com
    82 | Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
    79 | Opinion: Boston Marathon Explosions - Who benefits? - CNN.com
    77 | Opinion: China Official's  child was the CIA target - Boston Marathon Explosions Worse Sensations. - CNN.com
    75 | Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com
    70 | Opinion: Boston Marathon Explosions - CIA Benefits? - CNN.com
    70 | Undeliverable: Explosion at the Boston Marathon
    69 | Opinion: Osama bin Laden still alive - Boston Marathon Worse Sensation!? - CNN.com
    67 | Undeliverable: Explosions at Boston Marathon
    67 | Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com
    65 | Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com
    64 | Undeliverable: Boston Explosion Caught on Video
    62 | Opinion: Boston Marathon Explosions - Osama bin Laden still alive? - CNN.com
    61 | Undeliverable: Video of Explosion at the Boston Marathon 2013
    60 | Opinion: Osama death was Faked by CIA - Boston Marathon Explosions Worse News. - CNN.com

The first group of spam messages have the subject line followed by a single URL, consisting of an IP address followed by either "boston.html" or "news.html".

 count |          machine          |  path                                                                       
-------+---------------------------+-------------------
  1667 | 118.141.37.122            | /boston.html
  1564 | 190.245.177.248           | /boston.html
  1533 | 178.137.120.224           | /boston.html
  1507 | 110.92.80.47              | /boston.html
  1484 | 37.229.92.116             | /news.html
  1466 | 188.2.164.112             | /boston.html
  1448 | 178.137.100.12            | /news.html
  1422 | 78.90.133.133             | /boston.html
  1376 | 118.141.37.122            | /news.html
  1363 | 212.75.18.190             | /boston.html
  1356 | 178.137.120.224           | /news.html
  1344 | 110.92.80.47              | /news.html
  1331 | 83.170.192.154            | /boston.html
  1330 | 37.229.92.116             | /boston.html
  1317 | 219.198.196.116           | /news.html
  1314 | 37.229.215.183            | /boston.html
  1312 | 61.63.123.44              | /news.html
  1309 | 61.63.123.44              | /boston.html
  1280 | 219.198.196.116           | /boston.html
  1271 | 85.198.81.26              | /news.html
  1247 | 190.245.177.248           | /news.html
  1214 | 94.28.49.130              | /boston.html
  1171 | 94.28.49.130              | /news.html
  1157 | 94.153.15.249             | /news.html
  1150 | 83.170.192.154            | /news.html
  1137 | 78.90.133.133             | /news.html
  1100 | 95.87.6.156               | /news.html
  1069 | 85.198.81.26              | /boston.html
  1061 | 94.153.15.249             | /boston.html
  1056 | 212.75.18.190             | /news.html
  1055 | 37.229.215.183            | /news.html
  1038 | 95.87.6.156               | /boston.html
  1028 | 188.2.164.112             | /news.html
  1011 | 178.137.100.12            | /boston.html
   960 | 46.233.4.113              | /news.html
   791 | 176.241.148.169           | /news.html
   766 | 176.241.148.169           | /boston.html
   758 | 91.241.177.162            | /news.html
   739 | 46.233.4.113              | /boston.html
   735 | 213.34.205.27             | /boston.html
   651 | 213.34.205.27             | /news.html
   642 | 91.241.177.162            | /boston.html
   626 | 62.45.148.76              | /news.html
   553 | 85.217.234.98             | /boston.html
   511 | 62.45.148.76              | /boston.html
   484 | 85.217.234.98             | /news.html
   205 | 31.133.84.65              | /news.html
   152 | 31.133.84.65              | /boston.html
    47 | 109.87.205.222            | /boston.html
    44 | 109.87.205.222            | /news.html
    19 | 50.136.163.28             | /news.html
    17 | 50.136.163.28             | /boston.html

The second group uses a website address rather than an IP address followed by either "cnn_boston.html" or "bostoncnn.html"

 count |           machine            |                         path                         
-------+------------------------------+------------------------------------------------------
   191 | www.domcomfort.ru            | /bostoncnn.html
   176 | www.whchivast.com            | /cnn_boston.html
   142 | relax-perm.ru                | /bostoncnn.html
    80 | www.peaceofchristparish.org  | /cnn_boston.html
    71 | imdh.knu.ac.kr               | /cnn_boston.html
    63 | create-serv.ru               | /popeabuse.html
    59 | skinnee.net                  | /cnn_boston.html
    56 | numeralarmowy-112.pl         | /cnn_boston.html
    56 | imdh.kyungpook.ac.kr         | /cnn_boston.h
    41 | higherthanab.com             | /cnn_boston.html
    40 | ufferichter.dk               | /cnn_boston.html
    37 | business-link.net            | /cnn_boston.html
    25 | ochronaprawkonsumenta.pl     | /cnn_boston.html
    24 | mannesmann.cz                | /cnn_boston.html
    20 | kuzenergo.ru                 | /cnn_boston.html
    20 | siemsrl.com                  | /bostoncnn.html
    18 | alex-spil.dk                 | /cnn_boston.html
    17 | host321.ru                   | /cnn_boston.html
    13 | www.vdnh.kiev.ua             | /cnn_boston.html
    10 | www.theophany.co.nz          | /cnn_boston.html
     8 | yanjingedu.org               | /cnn_boston.html
     6 | china-ptjc.com               | /cnn_boston.html
     5 | econ-group.com               | /cnn_boston.html
     3 | mezdustrok.com.ua            | /cnn_boston.html
     2 | alltomforsakringar.nu        | /cnn_boston.html
     2 | ufferichter.com              | /cnn_boston.html

We self-infected by visiting one of the IP address links in a web browser. The page had a series of YouTube videos, including this one:

However, if we look at the source code of the page, we notice something that certainly seems out of place!

The last IFRAME there calls a site called "spareroomwebdesign.com" and a file "waiq.html"

One of the changes to our machine was the addition of a registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SonyAgent: "C:\WINDOWS\Temp\temp86.exe"

When we checked, we found a hidden file, 815,616 bytes in size in that location.

The MD5 of the file is: fdbc94958b8f0ec2b24302c6d4685c46

As of this writing, only 8 of the 46 Anti-virus programs at VirusTotal are aware of this malware and able to detect it. https://www.virustotal.com/en/file/560766fc73edf8eff02674a220e2794c008caeefc476c8fef04c21a16eb23a0f/analysis/

Once infected, your machine BECOMES THE SPAMMER, and begins to distribute emails. In a 48 second run our infected machine attempted to send 348 spam messages, all with a subject from the list above.

The SECOND, CNN-themed spam campaign is a Financial Crimes malware infector, known as Cridex.

Both campaigns have been thoroughly documented in the Malcovery Security Top Threats Today report, normally reserved for our paying subscribers. Due to the extremely prolific nature of the Boston Marathon Explosion spam campaign, we are offering that T3 report as a free sample for any interested parties.

.
Click Logo for your Free T3 Report

Read More

New Spam Attack accounts for 62% of our spam!

A new spamming botnet seems to be on the scenes, distinguishing itself with an extremely high spam volume, a great diversity of email subjects, and an amazingly diverse collection of URLs, mostly hosted on compromised websites.

Four of the top six spam subjects in the past 36 hours came from this new botnet:
• Obama’s policies affecting unemployed
• Change your life in 60 seconds.
• Recently got a job offer?
• Have you ever considered working on the internet?

When we used the Malcovery Spam Data Mine to review the sending IP addresses, we found that these messages had come from more than 23,000 different IP addresses. Just for the “Obama’s policies” subject, we saw 296 unique URLs advertised just this morning before 8:00 AM! Here are some of the Top URLs for that spam message.

count                 machine                     path                      
38  www.ghostsquad.altervista.org          /cellchickengrahamwilliams/
36  rundeecke.bplaced.net                  /connectiondevicejamesbailey/
35  sungoldcoast.com                       /assistantelegantjasonedwards/
35  www.coloniasunidas.com                 /conflictarticlephilipwood/
35  www.cocheenminiatura.altervista.org    /arrestautumndanielhill/
34  protetyk.ovh.org                       /engineercorealanspencer/
33  www.ghostsquad.altervista.org          /cellchickencraigdavies/
32  guildrampage.com                       /besickendwaynemiller/
32  cuorebravo.com                         /armyeastkevinspencer/
31  www.curiosando.altervista.org          /clockconflictjohnking/
31  www.divorcecamp.com                   /equalatmospheregeoffreycooper/
31  6sejc.com                              /associatealliedadrianthomas/

When we check for other websites advertised in spam, JUST FOR SPAMMING IP ADDRESSES THAT SENT THE FOUR SUBJECTS ABOVE, and ONLY FOR THE PAST 36 hours, we find that 3,849 distinct URLs were spamvertised a total of 1,217,196 times – only counting the spam in our Spam Data Mine!

A great variety of subject lines were used in addition to the four top ones above. By “theme” there were:

Oprah and Celebrity subjects:

• Oprah Winfrey Reveals That She Has A Sister Named Patricia
• Kourtney & Kim Take NY
• Oprah’s big secret: she has a sister
• Oscar 2011: What To Expect
• Ivanka Trump Has A Baby Bump
• Ellen DeGeneres secret
• Rapid-Fire Fitness: Katy Perry
• Release Your Soul with Pamela Anderson
• Your morning fashion and beauty report: Reese Witherspoon
• Anne Hathaway find out how

Fitness subjects:

• Fitness: Love the 30s!
• Body and Soul women’s weight loss
• Healthy Hollywood
• Miracle Diet or Scam
• Sorry, guys, these fitness classes aren’t for you
• No workout, lose weight
• Miracle or science?
• Get fit
• Women try to balance fitness, safety
• No diet just weight loss
• Workouts for Women

Silly “fwd” and “re” subjects:

• Fwd: private
• Fwd: hey
• Fwd: question
• Fwd: hello
• Re: important
• Re: hey
• Fwd: deal
• Fwd: ?
• Fwd: information
• Fwd: …
• Fwd: business
• Fwd: answer
• Fwd: help

News Subjects:

• Fox investigates claim
• Fox News investigates: “Change your life in 60 seconds!”
• Need some money? Fox News wants to help
• BBC: Online giant Google, worth over 100 billion dollars..
• Unemployed? Fox! Investigates.
• TBS breaking news

Random number weight loss subjects:

• She lost 54 lb in 3 weeks.
• She lost 46 pounds in 3 weeks.
• She lost 53 lbs in 3 weeks.
• (etc.)

And there are still “Work at Home” scam versions, even though the URLs now take you to weight loss websites instead:

Home Maker Dad claims investigated by Fox
 Work from home Dad claims investigated by TBS
 Work from home Mom claims investigated by CNN USA
 Home-Maker Mom claims investigated by Fox!
 Work from home Mom claims investigated by Fox News
 Work from home Mother claims investigated by BBC
 Work at home Mom claims investigated by TBS
 Work-from-home Dad claims investigated by CNN
 Stay-at-home Mom claims investigated by Yahoo!
 Stay home Mother claims investigated by TBS
 Home-Maker Dad claims investigated by CNN USA
 Homemaker Mom claims investigated by BBC
 Stay home Father claims investigated by Fox
 Stay home Mom claims investigated by CNN
 Stay at home Mother claims investigated by Fox!
 Stay home Dad claims investigated by CNN!
 Work-at-home Dad claims investigated by CNN
 Stay home Mom claims investigated by BBC
 Work-at-home Mom claims investigated by Fox!
 Work-at-home Mom claims investigated by CNN!
 Work-from-home Mom claims investigated by BBC
 Work at home Mother claims investigated by BBC USA
 Work-at-home Mom claims investigated by BBC USA
 Stay at home Mom claims investigated by Fox!
 Homemaker Mother claims investigated by CNN
 Work at home Mother claims investigated by ITV
 Homemaker Father claims investigated by CNN!
 Stay at home Mother claims investigated by TBS
 Work-at-home Dad claims investigated by Fox
 Home Maker Mom claims investigated by ITV
 Home Maker Father claims investigated by Fox
 Work-at-home Dad claims investigated by BBC USA
 Homemaker Mother claims investigated by CNN USA
 Work at home Dad claims investigated by Fox News
 Work from home Dad claims investigated by BBC USA
 Home-Maker Father claims investigated by Fox News
 Home-Maker Mother claims investigated by Fox News

What do those pages do when you visit them?

On Monday morning, they sent you to a website with information about a new “Work at Home” program that you could learn about for the low low low price of $100.

But today, they are sending you to a page that proclaims:

Breakthrough Diet Exposed: Celebrity Doctor Uncovers The “Holy Grail of Weight Loss”

This is an on-going campaign that has recently advertised various miracle weight loss products including Raspberry Drops, Green Coffee Bean Extract, and now, “Garcinia Cambogia Featured on TV”

The method for doing this is the use a tiny javascript to set the “parent location href” equal to com-independentvoice.net (or one of many other redirector pages) and passing an “indexer.php?a=225783&c=job” parameter along with the new address. This causes the browser to go to that page and look up the job offer, which displays the weight loss miracle of the day by forwarding the visitor to the path “/diet/GarciniaCambogiaDiet/”

Trying to leave the website generates pop-up messages like these:

Several great clues that these guys are not legitimate including:

The domain is registered by UKRNames.com (Ukrainian Domain Name Registrar of Ill Repute)

The IP address, 201.182.92.166, is hosted at AS52284, Panamaserver.com, claiming to be in Panama.

That IP is also “naturaldietforyou1.com” as well as:

Burnfatandgetflatstomach1.com
Rapidfatlossnatural1.com
Getbestdietsecret1.com
Howtoloseweightquicklyexercises.com
Howtoloseweightfastwithexerciseanddiet.com
Easistnaturalwaytoloseweight.com
Com-work24.net
Finance-reports.com-work24.net
Com-newslocal6.net
Finance-reports.com-newslocal6.net
Com-cbc.net
Finance-reports.com-cbc.net
Finance-reports.com-thestar.net
Com-world-jobnews.net
Com-globejobnews.net
Com-dailylocalnews.net
Finance-reports.com-cnnnewsnet
Com-independentnews.net
Alternativenewsdaily.net

Just picking one of those addresses, com-cnnnews.net was also hosted at:
31.184.192.35
31.184.192.36
81.17.23.40
142.0.72.101
142.0.72.103
176.9.208.121
176.9.208.122
176.9.218.182
185.12.45.102
185.12.45.107
199.91.174.71
199.91.174.72
199.182.168.139
201.182.92.166

More subjects:

 Need some money? CNN! wants to help
 Fox investigates claim
 Fox News investigates: "Change your life in 60 seconds!"
 Need some money? Fox News wants to help
 BBC: Online giant Google, worth over 100 billion dollars..
 Unemployed? Fox! investigates.
 TBS breaking news
 Lost your job? Fox News wants to help.
 CNN! investigates "impossible" claims.
 Lost your job? BBC USA wants to help.
 CNN! investigates: "Change your life in 60 seconds!"
 CNN investigates: "Change your life in 60 seconds!"
 Fox!: Online giant Google, worth over 100 billion dollars..
 BBC investigates latest claim.
 BBC investigates claim
 Fox! breaking news
 CNN investigates latest claim.
 ITV investigates claim
 ITV investigates: "Change your life in 60 seconds!"
 CNN!: Breaking news!
 CNN USA investigates: "Change your life in 60 seconds!"
 Unemployed? CNN USA investigates.
 Lost your job? BBC wants to know.
 Need some money? TBS wants to help
 Unemployed? Yahoo! investigates.
 Lost your job? CNN USA wants to know.
 ITV investigates latest claim.
 Yahoo! investigates: "Change your life in 60 seconds!"
 TBS: Online giant Google, worth over 100 billion dollars..
 Lost your job? CNN wants to know.
 Lost your job? TBS wants to help.
 CNN!: Online giant Google, worth over 100 billion dollars..
 Lost your job? TBS wants to know.
 Lost your job? CNN! wants to help.
 Lost your job? CNN! wants to know.
 Fox!: Breaking news!
 Unemployed? Fox News investigates.
 Lost your job? ITV wants to know.
 Unemployed? TBS investigates.
 Need some money? CNN USA wants to help
 Lost your job? CNN USA wants to help.
 Lost your job? Fox! wants to help.
 CNN USA investigates claim
 Yahoo! investigates latest claim.
 Fox! investigates claim
 CNN: Breaking news!
 Lost your job? Yahoo! wants to know.
 BBC USA investigates "impossible" claims.
 Yahoo!: Online giant Google, worth over 100 billion dollars..
 Lost your job? Fox! wants to know.
 Fox investigates: "Change your life in 60 seconds!"
 TBS: Breaking news!
 Unemployed? CNN investigates.
 Yahoo! breaking news
 Need some money? CNN wants to help
 Fox! investigates "impossible" claims.
 ITV breaking news
 Lost your job? Fox News wants to know.
 Unemployed? ITV investigates.
 BBC USA investigates claim
 CNN USA investigates latest claim.
 CNN investigates "impossible" claims.
 Fox breaking news
 Fox: Online giant Google, worth over 100 billion dollars..
 Lost your job? Fox wants to know.
 ITV: Online giant Google, worth over 100 billion dollars..
 Yahoo!: Breaking news!
 Need some money? Yahoo! wants to help
 BBC USA: Online giant Google, worth over 100 billion dollars..
 Lost your job? ITV wants to help.
 Need some money? Fox! wants to help
 Fox News: Breaking news!
 Fox News breaking news
 Fox News investigates latest claim.
 Yahoo! investigates claim
 Fox News: Online giant Google, worth over 100 billion dollars..
 Yahoo! investigates "impossible" claims.
 CNN USA: Breaking news!
 ITV: Breaking news!
 ITV investigates "impossible" claims.
 BBC USA investigates latest claim.
 CNN USA investigates "impossible" claims.
 CNN USA breaking news
 TBS investigates: "Change your life in 60 seconds!"
 BBC USA investigates: "Change your life in 60 seconds!"
 Fox investigates latest claim.
 BBC USA: Breaking news!
 BBC breaking news
 Unemployed? BBC investigates.
 TBS investigates claim
 TBS investigates latest claim.
 Need some money? BBC wants to help
 BBC: Breaking news!
 Need some money? ITV wants to help
 BBC USA breaking news
 Unemployed? CNN! investigates.
 CNN: Online giant Google, worth over 100 billion dollars..
 CNN breaking news
 Lost your job? CNN wants to help.
 Lost your job? BBC USA wants to know.
 Lost your job? Fox wants to help.
 Need some money? BBC USA wants to help
 CNN investigates claim
 Fox News investigates claim
 Lost your job? BBC wants to help.
 Fox! investigates: "Change your life in 60 seconds!"
 BBC investigates: "Change your life in 60 seconds!"
 Fox: Breaking news!
 TBS investigates "impossible" claims.
 CNN USA: Online giant Google, worth over 100 billion dollars..
 BBC investigates "impossible" claims.
 Fox! investigates latest claim.
 CNN! investigates latest claim.
 Unemployed? Fox investigates.
 Fox investigates "impossible" claims.
 Lost your job? Yahoo! wants to help.
 Need some money? Fox wants to help
 CNN! breaking news
 Unemployed? BBC USA investigates.
 Fox News investigates "impossible" claims.
 CNN! investigates claim


Work at home Dad claims investigated
 Rapid fire weight loss Salma Hayek
 Work-at-home Mom claims investigated
 Breaking news for Home Maker Father.
 Breaking news for Stay at home Dad.
 Breaking news for Home-Maker Father.
 Oprah Whinfrey Heads To Paris In Search Of The Perfect Wedding Gown!
 Breaking news for Home-Maker Mother.
 Breaking news for Work-at-home Mom.
 Ellen DeGeneres diet or scam?
 Salma Hayek diet or scam?
 weight loss Katy Perry
 Breaking news for Stay home Dad.
 Stay at home Mother claims investigated
 Breaking news for Stay home Father.
 Stay at home Father claims investigated
 Release Your Soul with Anne Hathaway
 weight loss Madonna
 Breaking news for Work-at-home Dad.
 Ellen DeGeneres secret
 Rapid-Fire Fitness: Katy Perry
 Release Your Soul with Pamela Anderson
 Your morning fashion and beauty report: Reese Witherspoon
 Anne Hathaway find out how
 Work from home Mom claims investigated
 Breaking news for Work at home Mom.
 Rachel Ray says
 Britney Spears Going Harder, More Urgent
 Pamela Anderson try to balance fitness, safety
 Check out how Natalie Portman did it
 Oprah Whinfrey try to balance fitness, safety
 Breaking news for Work from home Father.
 Ellen DeGeneres weight loss
 Breaking news for Homemaker Father.
 Homemaker Dad claims investigated

Read More