Email Security.cloud

 View Only

Pharmacy Spam: Pharmaceutical Websites Fall into Two Distinct Operations 

Mar 01, 2010 09:20 AM

By Yuriko Kako-Batt, Anti-spam Analyst, Symantec Hosted Services

 
Spam is one of the biggest problems for all of people who are using email. And what we imagine when we think of the word of “spam” can be different for all of us and may include spam for dating, fake lotteries, fake designer brands, counterfeit watches, free software – and the list goes on. There are various types of spam that we all receive in our mailboxes every day, and I would be surprised if you had never received “Pharmaceutical spam” that includes hyperlinks leading to websites where you can buy your “little blue pills” without prescription.

This “Pharmaceutical spam” now accounts for more than 65% of all spam, as can be seen in the chart below.  This type of spam is almost always delivered some of the largest spam-sending botnets, including Rustock, Grum, Cutwail, Donbot.  

image001.png                       
[A snapshot of spam classified by category, MessageLabs Intelligence - February 2010]

In the world of pharmaceutical spam, the “Canadian Pharmacy” is perhaps one of the most well-known brands, an example of which can be seen below.

image002.png
[Example of a typical "Canadian Pharmacy" website]

Much of the pharmaceutical spam currently in circulation is connected this website or similar ones such as the “United Pharmacy,” or the “European Pharmacy.”

image003.png
[Example of a typical "United Pharmacy" website, bearing similarities to the Canadian Pharmacy website]

These two websites almost exactly share the same underlying design, the same prices (in USD, GBP or EUR), with only the exception of a few images and brand names.  This seems to strongly suggest that the same operations are responsible for all of these websites.  There is even a bizarre “mash-up” between the Canadian Pharmacy websites, and the United Pharmacy websites, such as when clicking-on a hyperlink on one website, you are taken to the other.  

A typical example of this is when clicking-on the FAQ section of a Canadian Pharmacy website, you are taken to the FAQ page of the United Pharmacy website.  Also, in the top right visitors can choose their currency by selecting one of the country flags on display.  Sometimes, clicking the flag for the United Kindgom on a Canadian Pharmacy site, takes you to the United Pharmacy site, with prices displayed in the appropriate currency.  Selecting the flag of the United States shows the Canadina Pharmacy website prices in US dollars, and by clicking-on the flags of other European countries , a “European Pharmacy” website is displayed, with prices presented in Euros.

Brands like Canadian Pharmacy, United Pharmacy, Canadian HealthCare, Online Pharmacy, and a few others have been prominent on the spam scene for many months, and some even for years.  Recently, we have seen a great explosion in new brands, each focused in different regions, which we suspect are all related to the well-established Canadian Pharmacy operations, and the others listed above.

One example of this is the “Indian Pharmacy,” which I spotted whilst investigating spam being sent to a Spanish domain in February 2010. I also took a screenshot of this website, which can be seen below.

image004.png
[Recent example of "Indian Pharmacy website]

This website clearly has some similarities to Canadian Pharmacy, United Pharmacy and other similarly well-established pharmaceutical websites.   The brand “Indian Pharmacy” is presented on the top left, with an image of some people in the centre, and the familiar FAQ and other hyperlinks at the top.  However, I couldn’t find anything obvious that could link this new Indian Pharmacy brand with the earlier websites.  The Indian Pharmacy may even be a new, competing operation who are seeking to emulate the seeming success of the Canadian Pharmacy operation.

We have also seen another new website “Toronto Drug Store.”  This again, has only a few vague similarities to the older, more established websites like Canadian, United, etc.  On the other hand, Toronto Drug Store  has many more striking similarities to the Indian Pharmacy website.   

image005.png
[Example of "Toronto Drug Store" website]

For example, Indian and Toronto have the same ads for branded ‘POWER PACKs’ for St. Valentine’s Day.   The wording using to describe them are exactly the same in both cases and both sites share the same FAQ content. And as can be seen in the screenshots below, the “About Us” pages are remarkably similar in design too.

image006.png
[About page from Indian Pharmacy website]

 
image007.png
[About page from Toronto Drug Store website]

With these findings, we also checked against a larger sample set of pharmaceutical spam samples, and found other similar pharmaceutical websites, all sharing similarities with the Toronto Drug store and Indian Pharmacy.  All of these other websites also had the same branded ‘POWER PACK’ offers for St. Valentine’s Day and at the same price of USD $74.95.

Below are some example screenshots of these new websites, highlighting the similar branding and shared content.

image008.png
[Canadian Health&Care Mall]

image009.png
[Canadian Pharmacy Network]

image010.png
[MyCanadianPharmacy]

image011.png
[Mexican Export Pharmacy]

image012.png
[CVSPharmacy]

All of these websites are selling the same pills at the same prices, with the same special offers. Even the  sentences and website designs are shared across multiple websites. Even when looking at the original spam emails, they share very similar wording and design, although they are for different online pharmacies, using a variety of hyperlinks, as can be seen in the examples following.

image013.png
[Spam email for Canadian Health&Care Mall]

image014.png
[Spam email for CVSPharmacy]

Again, this strongly suggests that all of these websites are linked in some way, perhaps they are all run by one operation, or the websites are being franchised and run by a small number of other groups.  My initially feeling are that there are probably 2 major gangs involved:  

Gang 1:

 

  • Canadian Pharmacy
  • United Pharmacy
  • European Pharmacy
  • Canadian HealthCare
  • Online Pharmacy

Gang 2:

 

 

  • Toronto Drug Store
  • Indian Pharmacy
  • Canadian HealthCare Mall
  • Canadian Pharmacy Network
  • My Canadian Pharmacy
  • Mexican Pharmacy
  • CVSPharmacy

Below is an example of how one of the new pharmacy websites, “Indian Pharmacy,” is advertised in spam. One of the most common emails for the Indian Pharmacy has been one containing just  a simple link to a personal webpage created on and hosted by a major free online hosting service.

image015.png
[Spam email for Indian Pharmacy using a major free online hosting service as a hyperlink]

By clicking-on the link, the recipient is taken to an online hosted personal web page.  Based on the appearance of name of the site ‘vxcvdfr[redux]56’ and the random looking text on the page ‘rjxs4o’ it would almost certainly seem that looks the spammers have registered a large number of different online accounts pages for this purpose, perhaps using CAPTCHA-breaking tools.  

For example, below is a screenshot of the page containing an image of the Indian Pharmacy website.  

image016.png
[Image of Indian Pharmacy website through a hyperlink in the spam email above, created using a major free online hosting service account]

This image was taken at some point from a German version of the Indian Pharmacy webpage, and also at a time when Indian Pharmacy was selling certain branded pharmaceuticals at a slightly higher price than today.  It just goes to show how lazy the spammers can be!  

A recipient clicking-on this out-of-date image of the Indian Pharmacy site would be taken to the real Indian Pharmacy site, shown below (with the lower prices!).

image017.png
[Screenshot of Indian Pharmacy website linked from content in free hosting service account above]

I have also checked the cheapest price per pill for some of the most popular pharmaceuticals being traded on their websites, since May 2009 (all prices in USD$).
 

 

 

 

 

Canadian Pharmacy

Canadian Healthcare

Indian Pharmacy

Toronto Drug Store

Canadian Health&Care Mall

 

blue pill

yellow pill

blue pill

yellow pill

blue pill

yellow pill

blue pill

yellow pill

blue pill

yellow pill

May-09

$1.15

$1.99

$1.15

$1.99

 

 

 

 

 

 

Aug-09

$1.15

$1.99

$1.15

$1.99

 

 

 

 

 

 

Oct-09

$1.15

$1.99

$1.15

$1.99

 

 

 

 

 

 

Jan-10

$1.15

$1.99

$1.15

$1.99

 

 

 

 

 

 

Feb-10

$1.15

$1.99

$1.15

$1.99

$1.73

$2.23

$1.73

$2.23

$1.73

$2.23

[Table showing price fluctuations in recent months]

“Canadian Pharmacy” and “Canadian Healthcare” have been selling the pills for the same prices for at least 9 months, with no change, whilst the “Indian Pharmacy” and “Toronto Drug Store” prices have been slightly higher.  

Perhaps because these are new brands, the organizations behind these websites feel they can push prices higher.  Or it could be that Indian and Toronto just can’t resell the them as cheaply as their more established competitors; that is assuming they have long standing deals with their suppliers, or buy in greater volumes, and that they are actually trading at all.

Moreover, Canadian Pharmacy and the more well-established websites may need to watch their backs as these newer websites expand and perhaps attract more customers.

MessageLabs Intelligence will continue to track and monitor these websites and look out for any other new brands as and when they emerge.  As yet, I haven’t performed an in-depth analysis of the IP addresses that these websites resolve to, or how the sites are hosted, or which countries the websites are hosted in, or even how long they are active for, but I intend to continue this research and post more information here in the future.

 

 

 

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

May 04, 2018 08:20 AM

You never know which one is legal or not, but i think there is a lot of trusted website according to CIPA. 

No need to be so negative about them all. Doesn't know how this site https://oph.reviews/trust-pharmacy-review.html might be believable, but it says that Trust Pharmacy is a good option. I didn't try it but maybe it is works for someone 

 

Jan 07, 2016 11:13 AM

If Symantec knows this It is a safe bet that our government knows this. WHY is it allowed to continue? Why should every individual need to filter out this crap when some provider farther up the chain can do it for all of us. Not a retorical statement - I would really like to know.

Aug 22, 2011 11:32 AM

Does anyone have data on how many spam conversions there are, in the pjarmacy field.

Feb 26, 2011 01:26 PM

I think these guys have hacked into my wife's Hotmail account, and are now spamming her contacts using her name.

Is there anything she can do?

Is there such thing as a Canadian Pharmacy virus?

Googling "Canadian Pharmacy virus" yields lots of sites offering to help, but I suspect Canadian Pharmacy virus removal is itself a scam.

Symantec doesn't seem to recognize the existence of a Canadian Pharmacy virus.

We internet users would really appreciate a statement from trustworthy professionals at Symantec that said clearly something like,

1.  Canadian Pharmacy spam is [or is not] caused by a virus that can be removed by some tool.

2.  If Canadian Pharmacy is spamming others from your account, there is nothing you can do because they already have your contacts list [or whatever is the truth].

BTW, why are you giving these guys business advice ("… need to watch their backs")?

Thanks,

Scott

Related Entries and Links

No Related Resource entered.