Experts link flood of 'Canadian Pharmacy' spam to Russian botnet criminals

Operation reportedly responsible for half of all 'pharma' spam
By Ellen Messmer, Network World
July 16, 2009 05:20 PM ET

Currently the world's most voluminous spam generator, “Canadian Pharmacy,” is clogging networks with come-ons for male-enhancement drugs and painkillers -- and there’s a growing belief that it is linked to Russian cybercrime groups selling counterfeit medicines.

In this case, "Canadian Pharmacy," hyping itself as “the #1 Internet Online Drugstore,” is neither Canadian nor a pharmacy. In fact, "Canadian Pharmacy" doesn’t appear to exist as an established Web site but only as a shifting hyperlink in spam messages generated by about eight crime botnets.

Spam volumes as a whole skyrocketed 60% between January and June to 150 billion messages a day, according to a report released this week by Marshal8e6, a vendor of Web and anti-spam security products, which says so-called “pharmaceutical spam,” or “pharma spam” for short, constitutes 75% of that.

About 83% of all spam today is generated by specialized botnets such as Rustock and Mega-D, according to Symantec’s MessageLabs division. Botnets are sophisticated command-and-control systems that exploit compromised computers and servers.

Spamming is one task botnets may be designed to do, and when it comes to pharma spam, "Canadian Pharmacy" is the spammiest, with half of the pharma volume, says Bradley Anstis, director of technical strategy at Marshal8e6.

"It's 65% of all global spam right now," says Adam Wosotowsky, principal engineer in messaging tactical response at McAfee, adding, "it's been surging since the end of last year."

Canadian Pharmacy spam changes its content from time to time, and may sometimes look like a newsletter with a fake AARP endorsement, says Wosotowsky.

Like many others, Anstis draws a connection between the massive volumes of "Canadian Pharmacy" spam and the Web site GlavMed.com that bills itself as a “pharmacy affiliate program” offering 30% to 40% commission fees on drugs sold.

“Every time you send your customers from your site to us, you earn up to 40% commission fee on each sale,” the GlavMed.com site advertises, claiming it doesn’t approve of sales methods involving spam. “We take charge of the entire shopping experience: fulfillment, customer service, and shipping, and we track the sales generated from your site.”

GlavMed.com, which didn't respond to requests for comment, is a domain name registered with Russian registrar Regtime Ltd. under the registrant name Pharmos Limited at an address in Great Britain. The phone number offers no identification when called and accepts voicemail, but no call was returned. While some pages on the GlavMed site are in English, the frequently asked questions are in Russian.

While Anstis is uncertain as to what GlavMed does, Cisco’s chief security researcher, Patrick Peterson, says it is a “criminal organization behind the pharmaceutical organization” that he learned quite a lot about while studying the activities of the Storm botnet last year.

Storm “makes a request every hour to GlavMed asking for the spam templates, the URL to be spammed and the address list,” says Peterson.
