By Yuriko Kako-Batt, Malware Data Analyst, Symantec Hosted Services
Pharmaceutical spam is the biggest group in all spam categories and is growing exponentially. In October 2009, MessageLabs Intelligence reported pharmaceutical spam at 65.3% of all spam. By May 2010, it accounted for 85% of all spam.
In a March blog post, MessageLabs Intelligence explored the various types of pharmacy spam. In this analysis we found that pharmacy gangs seem to fall into two distinct operations, with very similar websites. These are:
Toronto Drug Store
Canadian HealthCare Mall
Canadian Pharmacy Network
My Canadian Pharmacy
In my day-to-day analysis of spam, I look at spam to various top-level domains (TLDs). Usually, most of the pharmaceutical spam, especially spam emails from “Gang 1” and “Gang 2”, is written in English. Often, TLDs of non-English-speaking countries receive large volumes of English-language pharmaceutical spam. In some of my most recent measurements, I spotted a pharmacy website that I hadn’t seen before: ‘Men’s Health’.
Below is an example of a spam email with a link to a ‘Men’s Health’ pharmacy site, which was sent to a Japanese domain in April. It is likely this one came from the Rustock botnet, which pumps out an enormous volume of pharmaceutical spam every day.
[Spam email for Men’s Health]
While this email doesn’t mention specific products, pharmaceutical spam emails often name the products they advertise. Sometimes the body of the email has content completely unrelated to pharmaceuticals, but the URL in it still leads to a fake pharmacy website like the one below.
[Example of “Men’s Health” website]
There are many similarities with other pharmaceutical websites I have seen before. For example, the design of the website, the prices, the currency, the “Powerpack” advertisement and the FAQ contents are all features seen on some of the other pharmacy website brands. More specifically, ‘Men’s Health’ shows many similar characteristics to the websites generated by “Gang 2” above.
[Example of “Indian Pharmacy” website]
[screenshot of “TORONTO DRUG STORE” website]
[screenshot of “Canadian Pharmacy Network” website]
[screenshot of “Canadian Health & Care Mall” website]
So why do spammers continually create new brand websites? The brand names, pictures and designs change, but the prices are the same. All of the Gang 2 websites that I have seen are written in English. They don’t localize to non-English-speaking areas with new websites, although the spam emails are sent indiscriminately to many countries. Gang 1, however, has made the effort to provide alternative sites in many different languages (the visitor can select the language using the country flags on the front page).
Income from numerous websites with a great variety of styles and brands is very likely to flow into a relatively small number of gangs.
The new “Men’s Health” brand is just another in a long line of spammy pharmaceutical websites. Its appearance demonstrates that spammers are always looking for ways to keep their offerings fresh, and to do so they often masquerade as a completely different company or brand. For a short period, this new brand has an appearance of legitimacy, as very few spam recipients have seen it before. But like the others, it is not actually legitimate and should not be regarded as a reputable site.