Experts link flood of 'Canadian Pharmacy' spam to Russian botnet criminals

Operation reportedly responsible for half of all 'pharma' spam

The world's currently most voluminous spam generator, “Canadian Pharmacy,” is clogging networks with come-ons for male-enhancement drugs and painkillers -- and there’s growing belief it has a link to Russian cybercrime groups selling counterfeit medicines.

In this case, "Canadian Pharmacy," hyping itself as “the #1 Internet Online Drugstore,” is neither Canadian nor a pharmacy. In fact, "Canadian Pharmacy" doesn’t appear to exist as an established Web site but only a shifting hyperlink in a spam message generated by about eight crime botnets.

Spam volumes as a whole skyrocketed 60% between January and June to 150 billion messages a day, according to a report released this week by Marshal8e6, a vendor of Web and anti-spam security products, which says so-called “pharmaceutical spam,” or “pharma spam” for short, constitutes 75% of that.

About 83% of all spam today is generated by specialized botnets such as Rustock and Mega-D, according to Symantec’s MessageLabs division. Botnets are sophisticated command-and-control systems that exploit compromised computers and servers.

Spamming is one task botnets may be designed to do, and when it comes to pharma spam, "Canadian Pharmacy" is the spamiest, with half of the pharma volume, says Bradley Anstis, director of technical strategy at Marshal8e6.

"It's 65% of all global spam right now," says Adam Wosotowsky, principal engineer in messaging tactical response at McAfee, adding, "it's been surging since the end of last year." Canadian Pharmacy spam changes its content from time to time, and may sometimes look like a newsletter with a fake AARP endorsement, says Wosotowsky.

Like many others, Anstis draws a connection between the massive volumes of "Canadian Pharmacy" spam and the Web site that bills itself as a “pharmacy affiliate program” offering 30% to 40% commission fees on drugs sold.

“Every time you send your customers from your site to us, you earn up to 40% commission fee on each sale,” the site advertises, claiming it doesn’t approve of sales methods involving spam. “We take charge of the entire shopping experience: fulfillment, customer service, and shipping, and we track the sales generated from your site.” , which didn't respond to requests for comment, is a domain name registered with Russian registrar Regtime Ltd. under the registrant name Pharmos Limited at an address in Great Britain. The phone number, which when called offers no identification, accepts voicemail, but no call was returned. While some pages on the GlavMed site are in English, the frequently asked questions are in Russian.

While Anstis is uncertain as to what GlavMed does, Cisco’s chief security researcher, Patrick Peterson, says it is a “criminal organization behind the pharmaceutical organization” that he learned quite a lot about while studying the activities of the Storm botnet last year.

Storm “makes a request every hour to GlavMed asking for the spam templates, the URL to be spammed and the address list,” says Peterson.

The "Canadian Pharmacy" domains get set up and torn down at a rapid pace, and when someone getting the pharma spam does place an order for drugs — Glavmed advertises about 75 prescription medications, including Cialis, Viagra, Zoloft, Lipitor, Prozac, Valium and Darvon — the order is fulfilled.

As part of his research, Peterson says he ordered a number of advertised medications from a "Canadian Pharmacy" spam Web site.

“They never ask for a prescription,” said Peterson. “The original pills are being shipped out of Mumbai, India, and subsequently from Shanghai and China. The brand imprint is bogus.” For example, Peterson said, “it's not a Viagra pill made by Pfizer, but a ripoff pill with the actual ingredients.”

Peterson also said there is a legitimate company Canada Pharmacy, which he spoke with “and they’re mad as hell.”

GlavMed, whose site logo features a woozy snake drinking from a martini glass of pills, is “the master criminal” behind the "Canadian Pharmacy" pharma spam blitz and also appears to control, says Cisco's Peterson. GlavMed has its roots “most certainly in Ukraine or Russia,” he adds.

Stefan Savage, associate professor of computer science at University of California at San Diego, who has studied botnet activity, says it’s difficult to know exactly what GlavMed is up to.

But “there is a great deal of spam for the 'Canadian Pharmacy' template, that is, the sites look the same, sent by different botnets,” Savage says, noting that this same template is also provided by GlavMed to its affiliates.

Savage adds that GlavMed could claim that its “templates were stolen and they aren’t behind it all,” but there is strong circumstantial evidence linking them.

Some online groups, such as Spamtrackers, are keeping their own notes about "Canadian Pharmacy" and Glavmed, he points out. Opinions at Spamtrackers are severe, claiming fraud on several accounts and a connection to Russian cybercrime.

The "Canadian Pharmacy" spam started about four or five years ago, says Joe Stewart, director of security research at Atlanta-based firm SecureWorks. GlavMed does appear to be a spam sponsor and most of the spammers are Russians, he says.

GlavMed has come up with a “turn-key campaign” model for pushing fake meds that appears to be working, and because GlavMed doesn't appear to actually send the spam, “they put all the risk on the affiliates that are spamming — they distance themselves from crimes going on.” He adds it's uncertain if this type of spamming activity would even be considered illegitimate in Russia.

Spammers making hits with "Canadian Pharmacy" counterfeit drugs are usually paid by GlavMed via what’s called WebMoney, says Peterson.

WebMoney is an online payments system with offices in Russia and Eastern Europe that can be described as “PayPal meets Western Union,” he says. WebMoney, owned by WM Transfer Ltd, offers payments in dollars, Russian rubles, euros and other monetary units. “It’s probably also used for legitimate things as well as being attractive to criminals,” Peterson adds.

The U.S. Federal Trade Commission (FTC) has taken steps in the past to halt operations of international spam networks peddling prescription drugs and bogus male-enhancement products.

In October last year, the FTC participated in an international effort with New Zealand and Australian authorities and the FBI to shut down what was called the “Target Pharmacy” (and later “Canadian Healthcare”) operation that used botnet spamming to sell counterfeit meds that were shipped from India.

The FTC indicates it made undercover purchases from what it says was not a bona fide pharmacy, was never asked for a prescription, and found the drugs the agency investigators purchased were not approved by the Food & Drug Administration and were potentially unsafe.

Copyright © 2009 IDG Communications, Inc.