Up until quite recently they all followed the same pattern:
- Email messages consisting of one line of illiterate text ("nice V1@garra") followed by the link
- Web domains consisting of seemingly randomized syllables resulting in a non-language domain name ("kuderunahexadunfes.com", "funhadensalinhes.com", etc.)
- Websites featuring logos for Pharmacy Checker, Better Business Bureau, CIPA, Verisign and Verified by Visa, all linking to fraudulent "supporting" statements. (Needless to say: not one of these organizations supports or authorizes any of these sites.)
- A link to a so-called "License file" which is completely fake. (It looks like something a seven-year-old might be fooled by.)
There has been a great deal of research done, notably by the good people over at F-Secure, into the technical infrastructure of these sites, their spamming operations, and the viruses which are used to hijack PCs into their botnets for all manner of nefarious activity.
This link outlines their tracking of the recent "Warezov / Spamthru" trojan. You will notice the similarities between the domains used to spam, the domains used to download and install the trojan, the WHOIS info for all of the domains, and the domains of the websites themselves. It's a painfully obvious exposition of their entire operation, and clearly outlines their maliciously fraudulent activity. In recent days this operation has been definitively proven to be of Russian origin, and to have no plans whatsoever of stopping the spamming or the operation of their illegal websites.
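The two things above that a mail administrator can actually act on are the message pattern in the list (one short obfuscated line plus a link to a gibberish or numbered domain) and the registration overlap that ties the spam domains, the trojan download hosts and the shop sites together. The script below is an added illustration of both, written for this post; it is not the Pharmacy Expressorator or anything from F-Secure. The messages and the WHOIS-style records are constructed samples (placeholder registrant and name-server values on the reserved .invalid TLD), and the thresholds are assumptions chosen for the illustration, not tuned values.

```python
import re
from collections import defaultdict

# Hypothetical sample messages (constructed here, not taken from real mail).
SAMPLE_MESSAGES = [
    "nice V1@garra http://kuderunahexadunfes.com",
    "Hi team, the quarterly report is attached; let me know if you have questions.",
    "cheap p1lls http://22rx.com",
]

# Hypothetical WHOIS-style records (constructed; registrant and name-server
# values are placeholders on the reserved .invalid TLD, not real lookups).
SAMPLE_WHOIS = [
    {"domain": "kuderunahexadunfes.com", "registrant_email": "owner@example.invalid",
     "nameservers": ["ns1.example.invalid", "ns2.example.invalid"]},
    {"domain": "funhadensalinhes.com", "registrant_email": "OWNER@example.invalid",
     "nameservers": ["ns2.example.invalid", "ns1.example.invalid"]},
    {"domain": "22rx.com", "registrant_email": "other@example.invalid",
     "nameservers": ["ns1.example.invalid", "ns2.example.invalid"]},
    {"domain": "unrelated-shop.invalid", "registrant_email": "shop@example.invalid",
     "nameservers": ["ns1.elsewhere.invalid"]},
]

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
# A token that starts and ends with a letter but has a digit or symbol inside
# (V1@garra, p1lls): the leetspeak obfuscation the post describes.
OBFUSCATED_WORD_RE = re.compile(
    r"(?<![A-Za-z0-9])[A-Za-z][A-Za-z0-9@$!|]*[0-9@$!|][A-Za-z0-9@$!|]*[A-Za-z](?![A-Za-z0-9])"
)
# Thresholds below are assumptions chosen for this illustration.
LONG_LABEL = 14          # "kuderunahexadunfes" is 18 letters, "funhadensalinhes" is 16
MAX_WORDS_ONE_LINER = 6  # "nice V1@garra" style bodies are a handful of tokens


def registrable_domain(host):
    """Last two labels of a host name (good enough for .com-style names)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def domain_family(domain):
    """Collapse digit runs so 22rx.com and 33rx.com fall into one family, '#rx.com'."""
    return re.sub(r"\d+", "#", registrable_domain(domain))


def score_message(body):
    """Return (score, reasons): one point per indicator from the post that the body shows."""
    reasons = []
    hosts = URL_RE.findall(body)
    text = URL_RE.sub("", body).strip()
    if hosts:
        reasons.append("contains a link")
    if text and len(text.splitlines()) == 1 and len(text.split()) <= MAX_WORDS_ONE_LINER:
        reasons.append("one short line of text")
    if OBFUSCATED_WORD_RE.search(text):
        reasons.append("obfuscated word")
    for host in hosts:
        label = registrable_domain(host).split(".")[0]
        if label.isalpha() and len(label) >= LONG_LABEL:
            reasons.append("long non-word domain label: " + label)
        elif re.fullmatch(r"\d{1,3}[a-z]{2,3}", label):
            reasons.append("short numbered domain label: " + label)
    return len(reasons), reasons


def cluster_by_registration(records):
    """Group domains that share a registrant e-mail (case-insensitive) or the same
    name-server set; a pivot like this is how the shop sites, the spam domains and
    the trojan download hosts get tied to one operation. Singletons are dropped."""
    clusters = defaultdict(set)
    for rec in records:
        clusters[("email", rec["registrant_email"].lower())].add(rec["domain"])
        ns_key = tuple(sorted(ns.lower() for ns in rec["nameservers"]))
        clusters[("nameservers", ns_key)].add(rec["domain"])
    return {key: sorted(domains) for key, domains in clusters.items() if len(domains) > 1}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, reasons = score_message(msg)
        print(score, reasons, "<-", msg[:40])
    for key, domains in cluster_by_registration(SAMPLE_WHOIS).items():
        print(key, domains)
```

Each indicator on its own is weak (plenty of legitimate mail contains a link, and short labels with digits are common), which is why the scorer counts how many of the post's indicators line up rather than blocking on any single one; the registration pivot is the more decisive signal, because it does not depend on how the next batch of messages is worded.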
My own fight against this operation has taken place on two fronts: DNS cancellation (ISPs definitely don't want to be the ones on the hook for supporting this criminal activity) and order form seeding. I wrote the first "Pharmacy Expressorator" back in March of 2006 and it has proven to be extremely effective against these sites. So much so, that I noticed in recent days: they've completely modified the entire way their back end processes work. (The sites used to be delivered via Microsoft .NET sites. Now they use Apache and PHP. Totally different product IDs, etc.) They also don't use the gibberish domain names nearly as much, resorting instead to sequential, brief domain names (22rx.com, 33rx.com, etc.). This may be a sign that they are aware of how much they seem to have exposed the inner workings of their operation.
So I have updated my Pharmacy Expressorator and released it into the wild. It is very easy to find and is extremely useful in providing these assholes with precisely what they continue to ask us for: orders. They want them. I'm merely providing a means of fulfilling their request. They emailed me illegitimately, so I'm providing the exact same service in return. If they ever choose to work legitimately, I'll stop.
Most spam researchers have tied the Pharmacy Express series of websites back to Leo Kuvayev, yet another Russian criminal. It appears that his last known geographic location was either Montreal, Canada or London, England. But he likely has several homes around the world, all at our expense. Isn't that great?
He's also tied to the usual cadre of illegal activities these spammers love so much: money laundering, credit card and identity theft, and of course: child porn.
I will continue to provide technical and other detailed information to law enforcement around the world, as I have been for the past year or more. I want these assholes gone, and I don't care what it takes to do so.
More as it happens. Happy New Year.