Spam for fake Canadian Pharmacy is back, as "My Canadian Pharmacy"
In October 2010, the Russian-based criminal enterprise that ran and financed the fraudulent Canadian Pharmacy scams closed its doors, leaving hundreds of affiliate spammers without a payment portal or template system. Well, they're baaaaack!
Today my Hotmail account received a spam email claiming to be from "Canadian-Pharmacy." I investigated for a while and my findings are listed below. Before anybody reads any further, suffice it to say that this is a fake/rogue Internet pharmacy which, despite the claims on its web pages, has absolutely no connection to Canada, or to any of the accreditation bodies mentioned on the spamvertised websites. Everything about this new version of Canadian Pharmacy is as fake as the ones before it.
Let's dissect the new version of this scam, which is now going by the name: "My Canadian Pharmacy" - and reveal the facts that the average Joe might not see, or be aware of.
In a nutshell, what a potential victim of this scam may not know is that the website they land on is not hosted in Canada but, in this case, in Romania. The page you see is not running on a commercial hosting account, but on Nginx, a lightweight web server (originally written in Russia) that these gangs favor and install surreptitiously on compromised PCs after the machines have been infected with botnet malware.
The message I received earlier today had a subject and body text promoting trademarked prescription anti-ED drugs, which if used improperly, without consulting your personal physician, could cause you a lot of medical trouble, or even cause your death. Worse, these drugs are not made in the USA or Canada, but in Asian labs that specialize in counterfeiting American brand name drugs and producing snake oil herbal remedies. At the end of the body text there was a link with the text: "Click Here Now." Hovering over that link (holding the pointer over it without clicking on it!) revealed the destination URL, which I copied using the technique described in the next paragraph.
If you left-click (using normal mouse setups) on a link you go directly to that location, or to the location it redirects you to (!). If you right-click instead, you get a flyout list of non-committal options, which you can act upon as desired. By right-clicking while you hover over a hyperlink (in email or on web pages), you will usually get the option to copy the link location. I did this and copied the URL that was concealed under the words "Click Here Now."
When you are investigating spam and scam email messages it is not usually safe to click on, or copy and paste a link from those messages into your browser's location/address bar. You could easily end up getting exploited and having malware installed on your PC!
What I do is copy the link's location (by right-clicking while hovering over the link), then go to www.wannabrowser.com and paste the URL into the Location field. Then, so that the request carries no Referer header revealing where the link came from, I type a dash (-) into the Referrer field and click on the Load URL button. Because Wannabrowser fetches the page from its own server, the scam site sees Wannabrowser's address rather than yours, and nothing from the page is rendered or executed in your browser. After a few seconds you will be shown the website in question, with everything about it displayed as plain, safe text. On the upper right side you will see the actual location and IP address of the website you have landed upon. In a large text area below you will find everything that is revealed by the server, including the entire source code of the web page.
The information displayed in the Wannabrowser results is sufficient to act as a starting point for most spam detective work. Its value depends on your viewpoint, so, if you can afford it, please use the Donations button on the Wannabrowser results pages and send the owner a little love.
In the case I am writing about, the destination URL (ERGADOYMA dot COM - known badware/scam site) is hosted on an Nginx web server, on a PC in Romania, with an IP address of 184.108.40.206. The URL is already blocked by Trend Micro Internet Security, which I use, as a hostile site hosting harmful content.
The source code of the web page showed that it represented itself as "My Canadian Pharmacy." Remember, this web page was hosted in Romania. By the time I publish this article, it will be hosted elsewhere, on another botnetted PC. It featured a whole bunch of images of Canadian flags, logos, people in white Doctor outfits, pills, capsules, trademarked drug brand names, Accreditation claims, Visa and MasterCard, etc. What I found interesting about these images is that they were all pulled in from five (5) different IP addresses, from botnetted computers in Bangladesh, China, Panama and Russia, using port 8080.
Botnets set up hidden web servers on zombie PCs and configure them to listen on port 8080, to avoid detection by the ISPs through which they get their Internet access. Many residential ISPs block inbound connections to port 80, the standard port used to "serve" web pages, precisely to stop customers from running web servers. Listening on 8080 instead gets the Nginx server around those blocks.
All of the logos claiming that the site was licensed or accredited led right back to the very same botnetted computer, to a page deposited there when the scam website was installed on it. There is an order form leading to a payment portal owned by the criminal gang behind this scam. Anybody who purchases any of the pills listed on these fake pharmacies has handed their credit or debit card details to Russian criminals. If they even receive the drugs they ordered (illicit drugs are often seized by US Customs), the pills will not be what they claim to be. The contents will be counterfeit and often contain extremely dangerous chemicals used to simulate the effect of the real V pill. People have died from taking these fake Asian drugs.
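The two checks described above (pulling the real destination out from under the "Click Here Now" text without clicking it, then reading the landing page's source to see which hosts and ports serve its images and where the "accreditation" logos actually link) can be scripted. The Python below is an added example for this article, not the author's own tooling or Wannabrowser's; the spam message, page source, hostnames and IP addresses in it are constructed sample data, and the page URL handed to triage_page() is an assumption standing in for whatever Wannabrowser reported.

```python
"""Offline triage of a spamvertised link and its landing-page source.

Added example; the email, page source and addresses are constructed samples
(documentation/TEST-NET ranges), not the capture described in the article."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Constructed spam message: the anchor text hides the real destination.
SAMPLE_EML = b"""From: "Canadian-Pharmacy" <noreply@example.invalid>
To: victim@example.invalid
Subject: Your discount on brand-name pills
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Limited offer on brand-name ED drugs.</p>
<p><a href="http://landing.example.invalid:8080/?aff=123">Click Here Now</a></p>
</body></html>
"""

# Constructed stand-in for the page source a text-only fetcher would return.
SAMPLE_PAGE = """<html><head><title>My Canadian Pharmacy</title></head><body>
<img src="http://198.51.100.10:8080/img/flag.gif">
<img src="http://203.0.113.7:8080/img/doctor.jpg">
<img src="http://198.51.100.10:8080/img/visa.png">
<img src="/img/logo.png">
<a href="/accredited.html"><img src="http://192.0.2.44:8080/img/seal.gif"></a>
<a href="http://landing.example.invalid:8080/order.php">Order now</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect anchors (text, href), image sources, and images wrapped by anchors."""

    def __init__(self):
        super().__init__()
        self.links = []       # (anchor text, href)
        self.images = []      # img src values
        self.logo_links = []  # (anchor href, img src) for images inside anchors
        self._href = None     # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
            self._text = []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
            if self._href is not None:
                self.logo_links.append((self._href, a["src"]))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_email_links(raw_eml):
    """Return (visible text, real href) pairs from the HTML body, without visiting any URL."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    c = LinkCollector()
    c.feed(part.get_content())
    return c.links


def _host_port(url):
    p = urlparse(url)
    return p.hostname, p.port or (443 if p.scheme == "https" else 80)


def triage_page(page_html, page_url):
    """Summarise where a landing page really pulls its resources from.

    image_hosts: (host, port) pairs other than the page's own host (the botnet
    image servers and their listening port); same_host_logo_links: "accreditation"
    logos whose link resolves back to the page's own host instead of a real body."""
    page_host = urlparse(page_url).hostname
    c = LinkCollector()
    c.feed(page_html)
    image_hosts = set()
    for src in c.images:
        host, port = _host_port(urljoin(page_url, src))
        if host and host != page_host:
            image_hosts.add((host, port))
    same_host_logo_links = []
    for href, _src in c.logo_links:
        full = urljoin(page_url, href)
        if urlparse(full).hostname == page_host:
            same_host_logo_links.append(full)
    return {"image_hosts": image_hosts,
            "same_host_logo_links": same_host_logo_links,
            "links": c.links}


if __name__ == "__main__":
    for text, href in extract_email_links(SAMPLE_EML):
        print(f"email link text {text!r} -> {href}")
    report = triage_page(SAMPLE_PAGE, "http://landing.example.invalid:8080/")
    for host, port in sorted(report["image_hosts"]):
        print(f"image server {host}:{port}")
    print("logo links back to the same host:", report["same_host_logo_links"])
```

Feed extract_email_links() a saved .eml file and triage_page() the source text you copied out of Wannabrowser (with the URL and port it reported) and you get, in seconds, the list of third-party image hosts and ports to run through Whois and add to a blocklist, plus the "accreditation" logos that go nowhere but the scam host itself.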
I ran a Whois look-up on the domain being spamvertised in the email and found that it was one of about 99 recently registered by the same person, going by the name Michael Field, of Newport, Oregon, using the email address: [email protected] This person, real or fake, is well documented as a spammer and malware distributor.
The domain's Registrar, BigRock.com, has been notified about the spam website. Interestingly, the Registrar is located in Mumbai, India. The name servers used by the spamvertised website are located in China and Russia and are both registered as Russian name servers.
All of this matches the previous discoveries that I and many other security researchers have uncovered, concerning the rogue Canadian Pharmacies and their offshoots. These are Russian operations, carried out by seedy characters who operate with relative impunity from prosecution, by paying bribes to criminal investigators and local authorities.
Do not be fooled into buying the illicit drugs spamvertised by email, from rogue Internet pharmacies. They are operated by spammers and criminals and sell dangerous and sometimes death dealing counterfeit drugs. Once they have your credit card information they will do with it as they please and you might not like what that is.
Note to Webmasters: I have updated my Chinese, LACNIC and Russian Blocklists to include the CIDRs that include the IP addresses used to host the images and the rogue pharmacy itself.
Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.