A phishing SMS impersonating a doctor offers pre-approved GLP-1 weight-loss prescriptions and links to a tracking subdomain that redirects to fraudulent pharmacy sites selling unapproved compounded GLP-1 products. Threat infrastructure included track.savezmeet[.]com and MyStartHealth.com; Malwarebytes telemetry shows track.savezmeet[.]com observed since August 2 and MyStartHealth.com blocked since March 2025.
Keypoints
- The scam SMS impersonates “Dr. Santos”, claims a GLP-1 prescription was pre-approved, and includes a link that directs recipients to phishing infrastructure.
- The message came from a Texas phone number and was sent to a California resident, indicating cold-texting and long-distance targeting.
- The link first contacts a tracker subdomain (track.savezmeet[.]com) that collects click data via URL parameters and then redirects to a phishing domain.
- URL parameters appear to encode campaign/vector type (e.g., “txt1”) and a 10-digit phone number to identify which target clicked the link.
- Malwarebytes telemetry observed track.savezmeet[.]com starting August 2 and has blocked MyStartHealth.com since March 2025.
- The fraudulent site advertises compounded, non-FDA-approved GLP-1 products (not branded Ozempic/Wegovy/Mounjaro) and includes buried disclaimers about being unvalidated.
- Advice provided: don’t click unsolicited links, research products and sites, watch financial accounts if you purchased, and use Malwarebytes Scam Guard and security solutions to block malicious domains.
MITRE Techniques
- [T1598] Phishing – The attacker uses SMS messages impersonating a doctor to lure victims to a malicious link (“Good morning. This is Dr. Santos. I pre-approved your GLP1 prescription. … {followed by a link}”)
- [T1071] Application Layer Protocol – The phishing flow uses HTTP(S) redirects and URL parameters to transmit tracking information and perform redirection (“The site tried to redirect me to a known Phishing domain while sending some information in the URL which might be used to identify which of the targets clicked the link.”)
- [T1608] Spearphishing via Service – The campaign leverages SMS (a messaging service) to deliver targeted lures and identify victims via phone-number parameters (“{var3} is a 10-digit number meeting the format of a US phone number, which may be mapped to the target.”)
- [T1592] Gather Victim Identity Information – The tracker subdomain collects visitor-identifying data via URL parameters to map clicks to recipients (“The use of a dedicated tracker subdomain (track.savezmeet[.]com) matches common phishing infrastructure, where user data is collected as soon as the victim clicks”)
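The tracking pattern described in the keypoints and techniques above (a tracker subdomain, a vector tag such as “txt1”, and a 10-digit US phone number in the query string) can be hunted for in proxy or SMS-gateway logs. The following is an added example, not code from the original report; the hostnames, the `var1`/`var2` parameter names, the tracker labels and the scoring weights are assumptions, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a 10-digit NANP number (area code and exchange start with 2-9),
# optionally prefixed with the US country code.
PHONE_RE = re.compile(r"^(?:\+?1)?([2-9]\d{2}[2-9]\d{6})$")
# Assumption: short delivery-vector tags shaped like the "txt1" value the page mentions.
VECTOR_RE = re.compile(r"^(?:txt|sms|msg)\d{1,3}$", re.IGNORECASE)
# Assumption: host labels commonly used for click-tracking subdomains.
TRACKER_LABELS = {"track", "trk", "click", "go"}


def analyze_url(url):
    """Return a dict describing recipient-tracking signals in one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    finding = {"host": host, "tracker_host": False, "vector": None,
               "phone_params": [], "score": 0}
    if host.split(".")[0] in TRACKER_LABELS and host.count(".") >= 2:
        finding["tracker_host"] = True
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        digits = re.sub(r"[\s().-]", "", value)
        if PHONE_RE.match(digits):
            # Record the parameter name only, so the report does not copy the number.
            finding["phone_params"].append(name)
        elif VECTOR_RE.match(value) and finding["vector"] is None:
            finding["vector"] = value.lower()
    finding["score"] = (int(finding["tracker_host"]) + int(bool(finding["vector"]))
                        + 2 * int(bool(finding["phone_params"])))
    return finding


def flag(urls, threshold=3):
    """Return findings whose score meets the threshold."""
    return [f for f in map(analyze_url, urls) if f["score"] >= threshold]


# Constructed sample URLs (reserved .example hosts, fictional 555-01xx number).
SAMPLE_URLS = [
    "https://track.clinic-offers.example/r?var1=txt1&var2=a81f&var3=2125550147",
    "https://www.pharmacy.example/refill?order=1002003004&lang=en",
    "https://click.news.example/c?id=88213&utm_medium=email",
]

if __name__ == "__main__":
    for f in flag(SAMPLE_URLS):
        print(f)
```

A phone-shaped parameter is weighted highest because it ties a click to one recipient; a tracker-style hostname alone stays below the threshold, since legitimate mailing services use the same naming.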
Indicators of Compromise
- [Phone Number] SMS sender – +1(682) 416-2557
- [Domain] Tracker/phishing infrastructure – track.savezmeet[.]com, savezmeet[.]com
- [Domain] Fraudulent pharmacy site – mystarthealth[.]com (blocked by Malwarebytes since March 2025)
- [Domain] Additional malicious domain – andkovz[.]com