Thursday, April 22, 2010

Pharma-Fraud Continues to Dominate Spam

Have you looked inside your Spam folder recently?  Without a doubt you’ll find it full of pharmacy Spam, pitching everything from Cialis and Viagra to Vicodin and Hydrocodone.  The problem is that almost none of the linked web sites are legitimate, certified pharmacies.

Pharmacy Spam accounts for an estimated 70% of global Spam volume, or roughly 140 billion messages per day. These massive volumes are largely fueled by botnets such as Grum and Cutwail, and they create all types of problems for business networks large and small.

These botnet operators are continually looking for ways around Spam filters and web filters in order to earn money as part of the larger criminal operation behind these sites.  The latest attempt to get around these filters uses livejournal.com, a free blogging service, as an intermediary page that links back to fraudulent pharmacy sites.  eSoft has seen similar attempts using other free blog services, including Windows Live Spaces.

In this example, several methods were used to get around Spam filtering technologies, including substituting digits and underscores for letters and spaces (0rder_Now) so that keyword-based filters do not recognize the text as Spam.  The message itself links only to a reputable free blogging domain, which is what lets it slip past URL-based filtering.  A user following the link is taken to the LiveJournal blog, which in turn links to the fraudulent online pharmacy.
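As an added example (not code from the original post), here is a small Python normalizer of the kind a Spam filter needs in order to see through the 0rder_Now style of obfuscation: digits and symbols standing in for letters, underscores and dots standing in for spaces, and words spelled out one letter per token.  The keyword list and the sample subject line are constructed for the example; a production filter would weight hits rather than treat any single match as Spam.

```python
import re
import unicodedata

# Constructed keyword list for the example; a real filter carries a much
# longer list and scores each hit rather than treating any match as Spam.
PHARMA_TERMS = ("viagra", "cialis", "vicodin", "hydrocodone", "pharmacy", "order now")

# Common single-character substitutions seen in pharma Spam.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "|": "l"})


def _deleet(token: str) -> str:
    # Only translate tokens that already contain a letter, so genuine numbers
    # such as "100" or "2010" are left alone.
    return token.translate(LEET) if re.search(r"[a-z]", token) else token


def normalize(text: str) -> str:
    """Undo the usual filter-evasion tricks so that keyword matching can work."""
    # Fold accented and full-width look-alikes (e.g. "Vïagra") down to plain ASCII.
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    # Underscores, dots, dashes and stars used as word separators: 0rder_Now, V.I.A.G.R.A
    text = re.sub(r"[_\-.*+~]+", " ", text)
    # Re-join words spaced out one letter at a time: "v i a g r a" -> "viagra"
    text = re.sub(r"\b(?:\w )(?:\w )+\w\b", lambda m: m.group(0).replace(" ", ""), text)
    # Digit/symbol substitutions inside words: 0rder -> order, c1alis -> cialis
    text = re.sub(r"\S+", lambda m: _deleet(m.group(0)), text)
    return re.sub(r"\s+", " ", text).strip()


def find_pharma_terms(text: str) -> list:
    """Sorted list of pharma keywords present once the text has been normalized."""
    norm = normalize(text)
    return sorted(t for t in PHARMA_TERMS if re.search(r"\b" + re.escape(t) + r"\b", norm))


def naive_terms(text: str) -> list:
    """What a plain case-insensitive substring filter would see, for comparison."""
    low = text.lower()
    return sorted(t for t in PHARMA_TERMS if t in low)


# Constructed subject line in the style of the Spam described above.
SAMPLE_SUBJECT = "0rder_Now: Ch3ap V.I.A.G.R.A and C1ALIS, Hydr0codone from a Canadian Ph@rmacy"

if __name__ == "__main__":
    print("naive     :", naive_terms(SAMPLE_SUBJECT))
    print("normalized:", normalize(SAMPLE_SUBJECT))
    print("matched   :", find_pharma_terms(SAMPLE_SUBJECT))
```

The naive substring check finds nothing in the sample, while the normalized text matches every pharma term it carries.  Note the trade-off in `_deleet`: translating only tokens that contain a letter keeps real numbers intact, at the cost of missing a word written entirely in digits and symbols.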

In our research, the image link on each of the blogs led to many different “Canadian pharmacy” type pages.  eSoft has very good detection of pharma-fraud sites, finding hundreds of new sites per week.  Last year eSoft worked with the ThreatChaos blog to report on these sites.  The recent government crackdown has decreased the number of sites coming online compared to last year’s report, but has certainly not stopped the operation or the related Spam.

It can be difficult to ascertain whether an online pharmacy is legitimate.  The National Association of Boards of Pharmacy (NABP) provides some excellent safety information for buying medicine online.  Here are a few of the jaw-dropping stats from their site about the online pharmacies they reviewed:

83% do not require a valid prescription
42% offer foreign or non-FDA-approved drugs
55% do not provide a physical address
96% of sites reviewed are NOT recommended

At the time of writing, Live Journal has disabled the fake blogs we found using their service.  eSoft categorizes these fake blogs and the pharma-fraud sites they link to as "Pharmaceuticals" paired with “Phishing & Fraud” and “Spam” if the URL was detected in a Spam message.

Note that visiting these sites may result in identity theft, delivery of fake products, further Spam and more.  eSoft strongly recommends sticking to lists of approved pharmacies and always using extreme caution and skepticism before following links in emails.

Thursday, April 8, 2010

Tiger Woods (Searches) Not to Be Trusted

Tiger Woods’ personal life and marital affairs have attracted constant attention from the press and have certainly damaged his public reputation.  With his return to the Masters only days away, Nike has released a new commercial in an effort to rebuild Woods’ image.  This compelling commercial is intended to spark a reaction, and may well be the next thing you talk about at the office water cooler.  Anyone who hasn’t seen it will go right back to their desk and search for the video. Blackhats have once again worked their way into these search results, leading users to malicious sites and Rogue Anti-Virus downloads.

A user looking to see the commercial online would likely search for “tiger woods commercial”, and that search is heavily poisoned.  Of the top 7 search results, six lead to Fake Anti-Virus pages begging the user to install malicious software.  The video results have been poisoned in the same way.

With low anti-virus detection rates, users tricked by this attack have little to prevent them from installing the downloaded malware.  In fact, only 1 out of the 20 scanners on Jotti detected the payload as malicious.

Users should also be wary of any Masters-related searches, as these will also be a target of cyber criminals. eSoft’s proactive detection of these attacks protects all SiteFilter customers.  Any sites associated with these attacks are being flagged as malicious or compromised.

[Additional Note: In this particular attack, the referring site also matters.  If the user is not coming from Google, or presumably other search engines, they are redirected to cnn.com rather than to the malicious site.  Anyone who fetches the URL directly, whether a researcher pasting the link into a browser or an automated scanner, therefore sees only a bounce to CNN, so verifying these results requires sending a search-engine Referer.  eSoft has noted the use of this technique in the past, but it is interesting that the attackers have chosen CNN for this campaign.]

Monday, April 5, 2010

Affiliate Programs Rising Cause of Fraud and Abuse

What happens when you offer money to anyone who can drive traffic to your website?  Hackers, scammers, spammers and fraudsters come to your aid.  That’s the case with online movie site zml.com, which offers 30% of each sale and 5% of rebills, paid via anonymous means, to anyone who refers paying customers to the site.  And zml.com is just one of many.

In general, it works like this: a person signs up as an affiliate and is given a code.  If someone visits the website with that code embedded in the URL, a cookie is set, and if that person later buys something on the site, the affiliate gets a cut of the transaction.  Out in the open this means people are encouraged to set up ads or refer friends to the site.  But at larger scale this can be big money, so the established cyber criminal community gets in on the action, not always by breaking the law, but certainly using shady means to drive customers to these websites.
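The referrer check described in the Tiger Woods post above and the cookie-based affiliate tracking just described can both be mapped from the outside with a redirect walker that never lets the HTTP library follow redirects on its own.  Below is an added example (not code from the original post or from any of the sites named in it).  A constructed local server stands in for the shadow affiliate’s intermediary: it sends only visitors arriving from a search engine into an affiliate hop that sets a tracking cookie, and bounces everyone else to a news site.  The walker records every hop, every cookie it is handed and where an off-site redirect wants to send it, without fetching third-party hosts.  The affiliate id 12345, the /landing, /hop and /shop paths and the cnn.example host are hypothetical.

```python
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

SEARCH_ENGINES = ("google.", "bing.", "yahoo.")
REDIRECT_CODES = (301, 302, 303, 307, 308)


class ShadowAffiliateHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the intermediary server (hypothetical paths and ids)."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def _redirect(self, location, cookie=None):
        self.send_response(302)
        self.send_header("Location", location)
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.end_headers()

    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        referer_host = urllib.parse.urlsplit(self.headers.get("Referer", "")).netloc
        if url.path == "/landing":
            # Cloaking: only visitors arriving from a search engine get the real
            # chain; everyone else (scanners, researchers) is bounced to a news site.
            if any(se in referer_host for se in SEARCH_ENGINES):
                self._redirect("/hop?aff=12345")
            else:
                self._redirect("http://cnn.example/")
        elif url.path == "/hop":
            # Affiliate hop: pin the referring affiliate's id in a cookie, then send
            # the visitor to the storefront so a later purchase credits that affiliate.
            aff = urllib.parse.parse_qs(url.query).get("aff", [""])[0]
            self._redirect("/shop", cookie=f"aff={aff}; Path=/")
        elif url.path == "/shop":
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"subscribe now")
        else:
            self.send_error(404)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 3xx into an HTTPError so the walker sees each hop itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def walk_chain(start_url, referer=None, max_hops=10):
    """Follow redirects one hop at a time, staying on the starting host.

    Returns (hops, cookies): hops is a list of (status, url) pairs ending with the
    final page, or ("offsite", url) for a redirect that leaves the starting host;
    cookies collects every Set-Cookie handed out along the way.
    """
    opener = urllib.request.build_opener(NoRedirect)
    origin = urllib.parse.urlsplit(start_url).netloc
    hops, cookies, url = [], {}, start_url
    for _ in range(max_hops):
        req = urllib.request.Request(url)
        if referer:
            req.add_header("Referer", referer)
        if cookies:
            req.add_header("Cookie", "; ".join(f"{k}={v}" for k, v in cookies.items()))
        try:
            with opener.open(req, timeout=5) as resp:
                hops.append((resp.status, url))
                return hops, cookies
        except urllib.error.HTTPError as err:
            hops.append((err.code, url))
            if err.code not in REDIRECT_CODES:
                return hops, cookies
            for raw in err.headers.get_all("Set-Cookie") or []:
                name, _, value = raw.split(";", 1)[0].partition("=")
                cookies[name.strip()] = value.strip()
            nxt = urllib.parse.urljoin(url, err.headers["Location"])
            if urllib.parse.urlsplit(nxt).netloc != origin:
                hops.append(("offsite", nxt))  # record it, but never fetch third parties
                return hops, cookies
            url = nxt
    hops.append(("too-many-hops", url))
    return hops, cookies


def start_server():
    """Start the constructed intermediary on a free local port; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), ShadowAffiliateHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    srv, base = start_server()
    for ref in (None, "https://www.google.com/search?q=tiger+woods+commercial"):
        hops, cookies = walk_chain(base + "/landing", referer=ref)
        print(f"Referer={ref!r}\n  hops={hops}\n  cookies={cookies}")
    srv.shutdown()
```

Run with no Referer the walker sees a single bounce toward cnn.example and no cookie; run with a Google Referer it sees the /hop redirect, the aff cookie that pins the affiliate, and the storefront.  The same two-request comparison is the quickest way to tell a cloaked result apart from a benign one when checking poisoned searches.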

Among the techniques used by these shadow affiliates are blackhat SEO, fake blogs, spam campaigns and more.  Traffic is frequently redirected through servers managed by the shadow affiliate, servers which, in eSoft’s investigations, are frequently also used for other purposes such as malware distribution and phishing campaigns.

Windows Live Spaces is again being abused with a slew of fake blog pages covering hundreds of popular movies available for download. The download links redirect the user to a number of different movie sites that offer high paying affiliate programs.

Example 1

The blockbuster movie The Hangover is the sole post in the blog shown above and includes a promo image and a full description of the movie with links to download. After a series of redirects that ensure the scammer gets credit for the referral, the user is brought to moviedownloads-pro.com. In order to “download for free”, the user must sign up for a yearly subscription with a credit card, and our blog spammer gets a cut.

After signing up, the user is emailed a link to download software which we suspect to be questionable, although we did not give up our credit card information to find out.  The affiliate network in this case is Marketbay, which is also home to some other very shady software, including 14 different bogus anti-virus products.

Example 2

In another example, the eSoft Threat Prevention Team found that the intermediary sites used by a shadow affiliate were hosted on the same server used by a ring of fraudulent "OEM Software" distribution sites we blogged about last year.  These links lead to zml.com, whose affiliate signup page carries the warning, "SEO or E-Mail spam is not tolerated!"  However, after sharing information about the abuse with zml.com five days before this blog was posted, we have yet to see the affiliate removed or to receive any response from zml.com.  In all likelihood, it is simply more profitable to turn a blind eye.

Using Windows Live blogs to disguise URLs can be an effective way to get around some Spam and Web filters, since the link in the message points only at a reputable blogging domain. eSoft reported on a similar tactic used to push pharma-fraud sites just a few months back. While this is nothing new, it goes to show that cybercriminals will continue these types of campaigns so long as they remain effective and profitable.

eSoft currently categorizes a number of these affiliates’ sites as Phishing & Fraud due to their use in Blackhat SEO campaigns and others are categorized as Online Ads or Spammed URLs depending on the methods being used to drive users to the links.