mxlab - all about anti virus and anti spam » canadian pharmacy

Emails “Sent via Google Maps” is a redirect to the Canadian Pharmacy

mxlab — Mon, 26 Sep 2011 09:27:32 +0000

MX Lab, http://www.mxlab.eu, intercepted some spam messages with subjects like:

Sent via Google Maps: Brett Lepper sent you: A Maps link
Sent via Google Maps: Brenna Eber sent you: A Maps link
Sent via Google Maps: Theodora Cavitt sent you: A Maps link
…

The subjects start with ‘Sent via Google Maps:’ and end with ‘A Maps link’.
The from email address is spoofed but starts with ‘admin@’ combined with a subdomain address.

Message body examples:

This email was sent to you by a user on Google Maps:

Hi

hxxp://gertie8kthv.blogginc.asia/10/8/gertie-bawa.html

This email was sent to you by a user on Google Maps:

Hi

hxxp://elmira4221c.blogsun.asia/11/10/elmira-antoniuk.html

The URLs in the message will redirect the user to the website of the Canadian Pharmacy at hxxp://www.bestrxs.com/.

Canadian Pharmacy pops up in emails from Facebook with subject “Welcome to Facebook Goods”

mxlab — Sun, 03 Apr 2011 10:06:47 +0000

MX Lab, http://www.mxlab.eu, started to intercept a new spam campaign, since yesterday, by email with the subject “Welcome to Facebook Goods”. These messages are sent from the spoofed email addresses in the format that Facebook is using on the domain facebookmail.com. Some examples:

update+bscts2qxhedj@facebookmail.com
update+6i8mlfxn1svw@facebookmail.com
update+6i8mlfxn1svw@facebookmail.com
…

This is the body of the email:

Notice that the Facebook looks are used to disguise the real purpose of the message.

4 different URLs are used in each message with the format: http://www.domainhere.tld/s/h/o/p/ that will redirect you to the Canadian Pharmacy at hxxp://midiclxic.ru/.

Spam from Canadian pharmacy masked as “Delivery Notification”

mxlab — Wed, 23 Mar 2011 18:49:05 +0000

MX Lab, http://www.mxlab.eu, started to intercept a new spam campaign by email with the subject ”Delivery Notification”. What appears at first as a simple email notification is in fact a spam campaign for the Canadian Pharmacy.

The message is sent from a spoofed email addresses like:

Notification-15955
Notification-07997
…

The body of the email only contains a link to a web site:

http://www-48023.outdomnovolume.net

http://www-35051.outdomnovolume.net

….

The 5 numbers inside the web site address change with every email but always shows the web site of the Canadian Pharmacy:

The domain outdomnovolume.net is registered a few days ago according to a WHOIS is with the following details:

Domain name: outdomnovolume.net

Registrant Contact:
   Xicheng
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Administrative Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Technical Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Billing Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

DNS:
ns1.dnsfopiq.com
ns2.dnstow.ru

Created: 2011-03-19
Expires: 2012-03-19

Spam message inside a ZIP file

mxlab — Wed, 25 Aug 2010 14:37:32 +0000

Spammer often use new techniques in order to deliver the message to the recipient without being catched by email security solutions. Today, one of such spam emails did caught our attention because of the original technique that has been used.

The spam email had the subject “Your wife photos attached”, a very short body content ” Your wife photos” and the attached file rooster.zip.

At first, we thought this was some new email security treath so we investigated the ZIP archive. Once extracted the file rooster.jpg was available. The filename does not end with .exe or the combination of many spaces with at the end .exe so we opened the JPEG and got this spam advertisment for Viagra, Cialis and VPXL.

The instructions, if you are interested, is to go to med242.ru which leads to the web site of the Canadian Pharmacy.

I can understand that spammers try different techniques but this one is, in my humble opinion, not a very good one. What a hassle to read the message.

Yahoo Groups being abused by spammers

mxlab — Fri, 06 Aug 2010 00:41:35 +0000

Great names are quite often the subject of abuses and this time, the Yahoo Groups are being used in spam messages. Spammers have created a large amount of account on the Yahoo Groups and are including URLs in their spam messages.

The messages comes with the subject line in the form of: ****@***.be VIAGRA ® Official Site -77%. The body of the email only contains an URL to for example hxxp://groups.yahoo.com/group/*****/message.

This is an example of such a web site.

The image that promotes Viagra also contains an URL that leads to, in our case, hxxp://superdrugsudden.com:8080/. And yes, it’s the Canadian Pharmacy again. We have to admit that they are very active on the internet.

YouSendIt abused in a malware and spam distribution

mxlab — Thu, 05 Aug 2010 16:32:50 +0000

MX Lab intercepted a emails with the subject “You have received a file from aleppotz@rockypointinc.com via YouSendIt.” that contains a potential risk of a malicious payload and redirects you to a Canadian Pharmacy web site. The email address in the subject line can be different depending on the spoofed senders address.

The message indicates that you have a file, in this case an audio file in MP4 format, for you to download at YouSendIt, the well known online file sharing and distribution web site.

The URLs in the message however, do not point to the YouSendIt web site but will lead to hxxp://carlaustiniii.org/x.html. When following this URL on our Mac we got the message “PLEASE WAITING 4 SECOND…”.

The web site has the following HTML code:

PLEASE WAITING 4 SECOND...

We believe that at this stage that these messages have a malicious payload that could infect your computer. Afterwards we got redirected to hxxp://spruceteam.com/, the famous Canadian Pharmacy web site.

MX Lab has detected an increase in combined strategies during the last few weeks and months where emails leads to a web site with malicious code and exploits and then forward the user to a spam web site in the hope that the end user will not note that his computer is also infected with a trojan.

Flickr welcome message leads to Canadian Pharmacy web site

mxlab — Tue, 06 Jul 2010 16:06:13 +0000

Various brands have been subject to spam campaigns and today Flickr, the photo sharing web site, is now also being abused by spammers.

MX Lab started to intercept messages with the subject “[Flickr] Welcome!”, send from a spoofed email address, with an welcome message from Flickr (see image below).

Every link in the message leads to a different URL, even the links behind Terms of Services or the Privacy Policy.

hxxp://mahimatex.com/sanitation.html
hxxp://electricbrochures.com/custodian.html
hxxp://eventosgs.com.ar/climate.html
hxxp://newcivas.altervista.org/overstatements.html
hxxp://complicat.go.ro/modestly.html
hxxp://kankash-g-s.com/chicagoans.html
hxxp://pliki.open-it.pl/deigned.html
hxxp://turismatica.go.ro/grapefruit.html
hxxp://behsood.ir/schedulable.html
hxxp://jpaquino.com/headlines.html
hxxp://awtchiro.com/consulates.html

The web sites above function as a redirect to hxxp://keptoften.com/

Each message has different URLs included so these spammers are using a massive amount of domains in this campaign.

I personally do not understand why they are doing this because an Intent Analysis filter, that analyses the included URLs in emails, can blacklist many URLs from these web sites immediatly when investigating one single spam message.

When only using the domain for visiting the sites we get quite often a warning from our browser that the site is known to host malware. In other cases, or when ignoring the warning, we are redirected to hxxp://bestadultsite.ru/run/go.php?sid=3 and afterwards to the web site of Canadian Neighbor Pharmacy hxxp://pharmacymentalhealth.com (see image below).

Spam campaign from Canadian Pharmacy also contains web based threats

mxlab — Mon, 15 Feb 2010 09:46:25 +0000

MX Lab detected several email based threats in a spam campaign from Canadian Pharmacy masked as an order confirmation of Amazon.

The campaign comes from the spoofed email address Customer Support <***.***@service.amazon.com> and has the possible following subjects (*** numbers will vary):

Confirm #***
Confirmation Order #***
Notice #***
Notify #***
Notification #***
Order Confirmation #***
Order Notice #***
Order Notify #***
Order Notification #***

The body of the email:

Your Order S\n:10444064511 Accepted.
Details hxxp://www.klaudiusz.ramtel.pl/afrikaners.html

Thank you.
Amazon.com Customer Support

The campaign is detected yesterday but today we found a few threaths when following the included URLs. One threat was named HTML:iFrame-LZ[Trj] (Avast).

HTML:iFrame-LZ[Trj] is a malicious HTML script that may be downloaded unknowingly by a user when visiting malicious Web sites. The script will make connection to sites to download file(s). As a result, malicious routines of the downloaded files are exhibited on the affected system.

Rustock is back online, spam levels rise again

mxlab — Tue, 25 Nov 2008 09:09:48 +0000

UPDATE, Nov 27th: One of the new CnC servers, ‘sdx3Fs5B.info’ was resolving to 72.233.114.74 at LayeredTech. FireEye sent an abuse notification to LayeredTech when the CnC servers went online and they have pulled out the server.

—————-

Yesterday, Nov 24, 2008, I noticed a sudden spam rise. When checking some samples I found that the ‘Canadian Pharmacy’ spam is back and some new image based spam campaigns have been launched.

But the ‘Canadian Pharmacy’ spam is where we should focus on. These spam campaigns are being sent by Rustock, so the conclusion is that these guys are back online and in business.

With subjects like Obama.s new plan, Food crisis in California or Bush.s last words they try to get their email opened to see the ‘Canadian Pharmacy’ advertisment. URLs, like hxxp://alsi.kugusup.cn or hxxp://ppbka.kugusup.cn will redirect you to hxxp://beautythrow.com/ where the Canadian Pharmacy web site is hosted.

When looking for more information if Rustock is back I found that the Company FireEye Security has posted more details on their blog.

As expected, the bot admins learned from the shut down of McColo. They can now simply change DNS to make sure that their command and control server still can be accessed.

The new Rustock spam campaign is already having an impact on the spam levels. The image below is the graph for one of my domains and you can see the spam level drop when McColo was taken down. The red line is the global spam level.

We have a peak during the weekend, the absence of business emails, and a global spam level between 75% and 85% during the week. Yesterday we had a spam level of 89,4% and at the time of writting this article we are back at 93%. You can see the graph going up again after the re-activation of the Rustock C&C servers.

Canadian Pharmacy spam looks like a mailing

mxlab — Wed, 01 Oct 2008 07:14:33 +0000

Most of the time, spam for viagra and other pills from Canadian Pharmacy doesn’t look so good like this campaign.

Their latest spam campaign is rather nice looking and has some tricks to lure the receiver into their trap with an Unsubscribe link, Manage Subscription links and Privacy policy note.

They also use different domains and change this quite often during the day to avoid detection by intent analysis techniques.

Using one of these links http://www.voiceold.com/memberservices/remove.php?recipient=info@*****.be&SESSID=51706986E9245C just leads you to a web site and gives the response “Not Found”.

I would recommend not doing this because they can easily track your actions on their web site with these links. You will only confirm that your email address is valid by using those links and receive more spam.