Posts Tagged ‘Canadian Pharmacy’


Revisiting the King of Spam

By Rodel Mendrez  •  July 29th, 2010  •   Botnets

We keep a close eye on spam and the malware that drives spam production. Our recent report highlighted some of the worst offenders, and Rustock is without a doubt the leader of the pack. Over the last six months, the proportion of Rustock spam in our spam traps peaked at nearly 60%, and it has never dropped below 20% of total spam.

Who’s the Rustock spambot that we know?

Over time, we have observed regular updates to Rustock. Anti-virus vendors do not give it a consistent name, but recent Rustock binaries are detected by some anti-virus engines as Bubnix. The newest Rustock variant was first detected in December 2009. A month after that we observed a large influx of Rustock spam that spiked to over 50% of the spam we observed over the next few months. Though the malware may have different detection names and OS installation behavior, it employs a similar rootkit-based spamming engine, similar command and control architecture, and similar observable patterns in spam traffic.


World Cup Twitter or just another Canadian pharmacy spam campaign?

By Rodel Mendrez  •  June 9th, 2010  •   Spam

Over the past couple of months, we have observed variants of fake Twitter notifications that link to Canadian Pharmacy websites. The criminals behind these spam campaigns have made their social engineering so versatile that it covers a wide range of interests, one of which is the upcoming FIFA World Cup 2010. As most of you know, FIFA World Cup 2010 kicks off today, and this event is another opportunity for cybercriminals to exploit.

Below is a sample of spam messages claiming to be from Twitter, notifying users that the email address associated with their Twitter account has changed. Then a confusing phrase enters the message, saying "New Service for staff picks for World Cup Twitter" with an accompanying link.

The link seems to point to a hacked webserver serving the cybercriminal's HTML file. Inspecting one of the HTML files, we noticed that it contains a META refresh tag that points to islandspeak.com, which in turn redirects to a Canadian Pharmacy website similar to this.
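When triaging a linked page like this, the META refresh hop can be found statically without rendering the page. The following is an added example, not code from the original post; the hostnames and HTML are constructed samples, and `find_offsite_refresh` is a hypothetical helper name.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# content="<seconds>; url=<target>". Browsers also accept "," as the separator,
# an omitted "url=" prefix, and a quoted target, so the pattern allows all three.
_REFRESH = re.compile(
    r"""^\s*(\d+(?:\.\d*)?)\s*(?:[;,]\s*(?:url\s*=\s*)?(['"]?)(.*?)\2)?\s*$""",
    re.I | re.S)

class MetaRefreshFinder(HTMLParser):
    """Collects (delay_seconds, raw_target) from <meta http-equiv="refresh"> tags."""
    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _REFRESH.match(a.get("content", ""))
        if m and m.group(3):  # a bare delay only reloads the same page
            self.refreshes.append((float(m.group(1)), m.group(3).strip()))

def find_offsite_refresh(page_url, html):
    """Return [(delay, absolute_target)] for refreshes that leave page_url's host."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    finder.close()
    page_host = (urlsplit(page_url).hostname or "").lower()
    hits = []
    for delay, raw in finder.refreshes:
        target = urljoin(page_url, raw)  # resolves relative and //host targets
        host = (urlsplit(target).hostname or "").lower()
        if host and host != page_host:
            hits.append((delay, target))
    return hits

# Constructed samples (reserved .example names, not real indicators).
SAMPLE_URL = "http://compromised.example/images/worldcup.html"
SAMPLE_HTML = """<html><head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://redirector.example/">
</head><body></body></html>"""
BENIGN_HTML = '<meta http-equiv="refresh" content="30; url=/status.html">'

if __name__ == "__main__":
    print(find_offsite_refresh(SAMPLE_URL, SAMPLE_HTML))
    print(find_offsite_refresh(SAMPLE_URL, BENIGN_HTML))
```

A zero-delay refresh to a different host on an otherwise empty page is the pattern worth flagging; same-host refreshes such as the benign sample are ignored.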

These Twitter spam campaigns not only target the World Cup, they also come in different "flavours" such as messages relating to fashion, technology, and sensational news items.

With the ongoing FIFA World Cup 2010, a wave of scams and spam relating to this event is inevitable. There is no patch for social engineering, and the best way to protect yourself is caution.


Canadian Pharmacy no Longer King

By Gavin Neale  •  May 5th, 2010  •   Spam

The majority of spam people see contains a link to some sort of pharmacy or replica website, offering the recipient cheap Viagra, weight loss pills, dating sites, Rolex watches or designer handbags. Most of these websites are designed around a brand created by an affiliate program, which pays affiliates, usually on commission from sales, to promote it.

About seven months ago we posted a blog about our survey of affiliate brands in spam and determined that Canadian Pharmacy was by far the most spammed brand with over 60 percent of all spam containing links to Canadian Pharmacy websites. The next closest brand, Prestige Replicas, was advertised in less than 10 percent of spam.

In the last month a pharmaceutical brand named Canadian RX Drugs has overtaken Canadian Pharmacy as the most spammed affiliate brand, stealing almost half of the market share that Canadian Pharmacy once held. Another brand, Dr Maxman, has also increased from less than one percent to just over 10 percent.

The chart below is from a sample taken from spam we have received over the past seven days and only from spam that contains links to a website. All percentages will be slightly lower when considering total spam.

Casino Generic is the name we have given to a group of casino brands such as King spin, Golden mummy, Ruby royal and Seven stars, all available from a single affiliate program. These casino brands are usually promoted by the Maazben botnet.

Casino Websites we categorized as 'casino generic'

Other than Mega-D and Maazben, which exclusively spam out links to Canadian Pharmacy and Casino websites respectively, the top spam botnets promote a range of brands. This could be either because the botnet controllers belong to multiple affiliate programs or because they rent out spamming capacity to different people who are affiliates trying to promote their chosen brand.

The table below shows which of the top six affiliate brands (promoted in 90 percent of spam in the last week) were sent by the top spam botnets.

Some of the botnets involved in sending this stuff have a huge amount of spamming capacity, like Rustock which is currently sending around 40 percent of the spam we see. As such, botnet operators have the ability to greatly influence the market shares of affiliate programs simply by changing their spam templates. So with a flick of a switch, what we see today could easily be different tomorrow.
