A massive Viagra spam campaign has been uncovered, found to be enlarged by 80,000 compromised devices.
The sheer size of the operation is notable: In the course of an investigation by Incapsula, researchers were able intercept payloads with details of 51 websites used by spammers to sell counterfeit drugs. These were located in China, Malaysia, Vietnam, Ukraine, France, Taiwan, Russia, Indonesia and Romania.
Tracing back the IPs of these website researchers discovered 1,005 more active domains, presumably used by spammers. Seventy-two and two-tenths percent of these are hosted in Russia, and the rest are hosted in France.
No less impressive is the size of the botnet that controlled this network of compromised websites. Over a period of 14 days, researchers intercepted communications from 86,278 unique IPs worldwide. The firm determined that the bulk of the botnet IPs belonged to some type of web browsing devices (e.g., home computers) that were compromised through an application layer attack, such as a malicious browser add-on.
According to Incapsula, the innovative spam campaign also was built to circumvent security countermeasures.
The malware was programmed to construct spam emails from remotely received payloads containing certain parameters. The malware would decode these parameters, create the spam email and send it out using the email function from the sites’ configured SMTP server. Each payload had eight layers of base64 encoding, plus three more for each pipe (‘|’) separated parameter.
“We realized that what we had here is an elaborate attack built to bypass spam filters—the type that identifies unwanted messages based on sender identity and links to known malicious domains,” researchers noted. “The hustle works by pairing two compromised domains—one to issue out spam emails and the other to reroute visitors to the fake pharmacy store. [And] doesn’t account for the added complexity of running the scam over a network of interlinking sites, spewing out daily floods of spam email while juggling a multitude of visitors. Making something like this work requires a team effort. Based on everything we saw, there’s no doubt that we were dealing with a widespread criminal operation.”
“Among spam campaigns, the Canadian pharmacy scam is one of the worst,” the firm said in an analysis. “It's a poster child for pharma spam—the most common form of spam—which has been clogging inboxes with ads for male-enhancement pills and painkillers for years.”
The scam has been traced back to Russian and Ukrainian organized crime syndicates operating in what is estimated to be a $431 billion and growing market. The scale of this criminal activity, and the danger counterfeit drugs pose to the public heath, has prompted repeat action from FDA, Interpol and other law enforcement agencies.