Friday, January 5, 2007

My Canadian Pharmacy - another illegal rogue affiliate

If you receive email, anywhere, to any account: you have likely received spam messages promoting these sites.

Up until quite recently they all followed the same pattern:


  • Email messages consisting of one line of illiterate text ("nice V1@garra") followed by the link

  • Web domains consisting of seemingly randomized syllables resulting in a non-language domain name ("kuderunahexadunfes.com","funhadensalinhes.com", etc.)

  • Websites featuring logos for Pharmacy Checker, Better Business Bureau, CIPA, Verisign and Verified by Visa, all linking to fraudulent "supporting" statements. (Needless to say: not one of these organizations supports or authorizes any of these sites.)

  • A link to a so-called "License file" which is completely fake. (It looks like something a seven year old might be fooled by.)


There has been a great deal of research done, notably by the good people over at f-secure, into the technical infrastructure of these sites, their spamming operations, and the viruses which are used to hijack PCs into their botnets for all manner of nefarious activity.

This link outlines their tracking of the recent "Warezov / Spamthru" trojan. You will notice the similarities between the domains used to spam, the domains used to download and install the trojan, the WHOIS info for all of the domains, and the domains of the websites themselves. It's a painfully obvious exposition of their entire operation, and clearly outlines their maliciously fraudulent activity. In recent days this operation has been definitively proven to be of Russian origin, and to have no plans whatsoever of stopping the spamming or the operation of their illegal websites.

My own fight against this operation has taken place on two fronts: DNS cancellation (ISPs definitely don't want to be the ones on the hook for supporting this criminal activity) and order form seeding. I wrote the first "Pharmacy Expressorator™" back in March of 2006 and it has proven to be extremely effective against these sites. So much so, that I noticed in recent days: they've completely modified the entire way their back end processes work. (The sites used to be delivered via Microsoft .NET sites. Now they use Apache and PHP. Totally different product IDs, etc.) They also don't use the gibberish domain names nearly as much, resorting instead to sequential, brief domain names (22rx.com, 33rx.com, etc.). This may be a sign that they are aware of how much they seem to have exposed the inner workings of their operation.
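As an added example (not code from the original post or from the Pharmacy Expressorator), here is a small Python scorer that checks a message for the traits described above: a one-line body with a single link, a gibberish syllable-salad domain or a short sequential NNrx.com domain, and a From header forged to match the recipient. The sample messages, the 0.75 threshold and the `score_message` / `gibberish_score` names are my own assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
SEQ_DOMAIN_RE = re.compile(r"^\d{1,3}rx\.com$", re.I)  # 22rx.com, 33rx.com, ...


def gibberish_score(domain):
    """Crude measure of consonant-vowel syllable gibberish in a domain's first
    label: "kuderunahexadunfes" scores near 1.0, short or mixed labels 0.
    Returns 0..1; expect some false positives on long real words."""
    label = domain.split(".")[0].lower()
    if len(label) < 12 or not label.isalpha():
        return 0.0
    pairs = sum(1 for a, b in zip(label, label[1:])
                if a not in "aeiou" and b in "aeiou")
    return min(1.0, 2 * pairs / len(label))


def score_message(raw, my_address, threshold=0.75):
    """Return the spam-pattern traits found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    lines = [ln for ln in body.splitlines() if ln.strip()]
    domains = URL_RE.findall(body)
    reasons = []
    if len(lines) == 1 and len(domains) == 1:
        reasons.append("one-line body with a single link")
    for d in domains:
        if SEQ_DOMAIN_RE.match(d):
            reasons.append("sequential short rx domain: " + d)
        elif gibberish_score(d) >= threshold:
            reasons.append("gibberish domain: " + d)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender and sender == my_address.lower():
        reasons.append("From header forged to match the recipient")
    return reasons


# Constructed sample messages (not real spam captures).
SPAM = """From: alice@example.net
To: alice@example.net
Subject: hi

nice V1@garra http://kuderunahexadunfes.com/
"""
HAM = """From: bob@example.org
To: alice@example.net
Subject: Meeting notes

Hi Alice, here are the notes from today.
The slides are at http://docs.example.org/notes.
"""
```

Run `score_message(SPAM, "alice@example.net")` to see all three traits reported, and the same call on `HAM` to see an empty list.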

So I have updated my Pharmacy Expressorator™ and released it into the wild. It is very easy to find and is extremely useful in providing these assholes with precisely what they continue to ask us for: orders. They want them. I'm merely providing a means of fulfilling their request. They emailed me illegitimately, so I'm providing the exact same service in return. If they ever choose to work legitimately, I'll stop.

Most spam researchers have tied the Pharmacy Express series of websites back to Leo Kuvayev, yet another Russian criminal. It appears that his last known geographic location was either Montreal, Canada or London, England. But he likely has several homes around the world, all at our expense. Isn't that great?

He's also tied to the usual cadre of illegal activities these spammers love so much: money laundering, credit card and identity theft, and of course: child porn.

I will continue to provide technical and other detailed information to law enforcement around the world, as I have been for the past year or more. I want these assholes gone, and I don't care what it takes to do so.

More as it happens. Happy New Year.

SiL

32 comments:

Anonymous said...

so, how do you get off Canadian Pharmacy's spam list? I am getting 6-10 pieces a day.

IKillSpammerz said...

> so, how do you get off Canadian Pharmacy's spam list? I am getting 6-10 pieces a day.

Your guess is as good as mine. They spam every email address that they can verify as being active, even ones which have never been published anywhere.

Please note that "Canadian Pharmacy" (a spamit property, tied directly to the operators of the Storm worm and to the Russian Business Network [RBN]) is different from "My Canadian Pharmacy" (a Bulker.biz property, tied to the operators of Bulkerforum.biz.)

However they do have one similarity:

They never "opt out" anyone. Not ever. They never respond to any communication unless it pertains to an order which was successfully placed.

SiL

Anonymous said...

They also reply if they had trouble with your credit card number. If I have time I will visit the sites they spam me with and place a big order for "Cialis Professional" using my real email address. They end up sending me several emails about how they couldn't get my money, and of course I reply with obscenities I haven't uttered since my days as a Marine infantryman. You are right in that no matter what, you can never opt out. You will get this email until the day the spammer is caught, which I hope to help facilitate.

Anonymous said...

I receive mail from Canadian Pharmacy nearly everyday. I don't know where they came from or how they found me but they use my name to spam myself. In other words, I receive email from myself addressed to myself about Canadian Pharmacy. What can I do???

IKillSpammerz said...

> What can I do???

Read all the previous comments. :)

There is no way at the moment to stop them from sending you mail. That's the truth. Instead you can complain to their domain registrar by using The Complainterator.

While you're at it you can send a complaint to the FTC regarding glavmed.com, who are the sponsors of these sites. They are well aware that they spam illegally. So far nobody has taken them down.

Canadian Pharmacy spammers send at least 6-10 messages per day to (no joke) virtually everyone on the internet. You are definitely not alone. This is far from a targeted list. They want to spam everyone on the planet, period.

SiL

Anonymous said...

any way to fight back by hacking their site or a 'denial of service' attack?

IKillSpammerz said...

> any way to fight back by hacking their site or a 'denial of service' attack?

Hacking their site: these are all hosted on already-hacked unix servers which the operators of My Canadian Pharmacy do not own. You wouldn't be hurting them, you'd be hurting someone who was already hacked by these criminals.

DDOS: same deal, and by the way that is absolutely not recommended.

What you CAN do is report the domains and DNS host names. Use the Complainterator (complainterator.com). If enough people do this, it will end up costing them far more to do business, and eventually make their rampant spamming far less profitable.

SiL

David Kessler Author said...

My response to these Canadian Pharmacy spams is to place an "order" using a debit card linked to an old bank account that I opened under another name which has a zero balance. I use the old address linked to the account, but my real phone number. This often prompts calls (apparently from a call center in India) which I string out for as long as possible with questions like "do you supply pheromones as well?" I don't always have time for these (admittedly puerile) tactics, but if we can't catch them, let's at least run up their operating costs.

Anonymous said...

god i hate canadian pharmacy.

and all the emails i send to myself reminding me to visit them.

Anonymous said...

Thanks for posting this interesting information, especially the fact that they use hacked servers, I didn't know that.
These people are the scum of the earth. I get automated emails from all over the world telling me that a Canadian Pharmacy spam message "from" my business email address could not be delivered to a recipient.
To change my email address would be a major hassle - it's on all my letterheads, so I protected it as well as anyone could. Didn't do any good. Some Russian scumbags hacked into my ISP a couple of years ago and harvested thousands of emails, including mine.

Oh, I would love to find out where these b******s live.

Anonymous said...

Why not create something like the "complainterator" that would make false account numbers and false information on their order page and ironically return spam them to them.
Because that's how they feed off us and tell us we gave wrong credit card info? I believe there are such programs that have like auto fill out forms for Internet Explorer/Firefox? If everyone did it, much more efficient. You dig? slick22@gmail.com

http://www.complainterator.com/index.html

Anonymous said...

It was bad enough getting this crap from other email addresses- since the body of the "message" is a graphic, you can't filter it, and it seemed to come with a legit subject and email address. But now they come from my own email addresses. The only way I've stopped most of these is to set up a new Rule with my email client (Apple Mail). Now every time an email comes "from" my email address, it's automatically deleted. So far, I haven't seen any down side to this method.

Anonymous said...

Write a script/trojan that will place billions of random fake orders with them. That will keep them busy.

IKillSpammerz said...

> Write a script/trojan that will place billions of
> random fake orders with them. That will keep them
> busy.


I and many of my colleagues did precisely this. It only works for one or two orders. After that you are automatically banned. Using a proxy only temporarily extends your ability to keep sending orders. They're smarter than that.

So the focus continues to be:

Report their domains
Report their unix hijacks
Continue to monitor their activities and code mutations.

Nice suggestion though. :)

SiL

Anonymous said...

I called them, left a voice mail, no luck; when I tried to email them I got denied... so yeah, his idea sounds good. Too bad we can't just crash their stupid site...

Gevorg Hakobyan said...

If I receive this kind of a spam from "me", will that mean that they can use my email address or email name to spam other people?

This is absolutely intolerable!

IKillSpammerz said...

> If I receive this kind of a spam from "me", will that mean
> that they can use my email address or email name to spam
> other people?


They can, and they already do. They've been doing this for years.

> This is absolutely intolerable!

You're absolutely right. They know this. They don't care.

But that's also the very least of the criminal activity they engage in. They take over Unix servers that don't belong to them all the time, and they use the identities and credit cards of total strangers to register their domains.

They're criminals, and they're scum. And they don't care that it aggravates someone like yourself.

It can't last forever though. Many of their mailers are based in the US. These are all very serious crimes in the US. Someone has to take these criminals to task.

SiL

Unknown said...

Canadian Pharmacy is sending e-mails to myself and everyone in my contact list...from MY e-mail address!!! >:o The e-mails have no subject, and the body says: http://gadefobi.angelfire.com/
When the link is clicked, it directs one to the Canadian Pharmacy website for Cialis, Viagra, etc.

From what I can tell, the only thing I can do is delete the e-mail account and make a new one. If you are being spammed by this on a business account, I would recommend taking all names off your contact list, and/or deleting your e-mail account. Check your sent list to make sure that if e-mails have been sent to others, you can make proper apologies and warn them not to visit the site or place orders.

IKillSpammerz said...

Oddly enough I have recently received a series of notices that several people have had their hotmail or Gmail accounts hijacked for the purposes of spamming "My Canadian Pharmacy", "Canadian Health&Care Mall" and several other Bulker.biz properties to the address books of the hijacked accounts.

I would recommend that owners of these accounts check to see if some new address has been placed in their "password recovery options" sections of any of these freemail accounts which have been taken over. Changing the password of the account on its own does not stop this activity; the criminals who have done this will routinely discover that the password has been re-changed and take it over again.

If you have had your account similarly taken over I'd be very interested to hear more details.

SiL

Anonymous said...

I have friends who are currently sending out emails unknowingly from their yahoo accounts with a link to Canadian pharmacy.

These aholes are driving everyone crazy.

IKillSpammerz said...

Please note that there is a big difference between "Canadian Pharmacy" and "My Canadian Pharmacy."

Two completely different affiliate programs, two completely different designs of websites, and two completely different sets of illegal hosting setups using, basically, your computer to do so.

Also: in all likelihood they aren't really using your friend's yahoo account, they just place it in the forged "From" and "Reply-to" headers of the spam messages. It's still a scumbag thing to do, but it doesn't mean they actually use your friend's account, not necessarily.

SiL

Anonymous said...

So, these illegal businesses actually make money from credit card payments for orders they do not send? They must get a lot of orders to support such a huge business. If this is how it works, don't people contest the payment through their credit card company? Excuse my naivety, but I don't understand how they make enough money to make this scam worthwhile.

IKillSpammerz said...

@Anonymous
> So, these illegal businesses actually make money from credit
> card payments for orders they do not send? They must get a
> lot of orders to support such a huge business.


Some researchers into this group say it was the #2 spam affiliate program in the world until Spamit folded a few weeks ago. Sales upwards of $30 million USD per year.

> If this is
> how it works, don't people contest the payment through their
> credit card company?


They do, but because criminal affiliate programs like this use what are known as "high risk" credit card processing companies, the complaints don't do anything to affect their ability to process credit cards.

The only credit card company that has 100% rescinded their services from high risk merchants such as the ones Bulker.biz use is MasterCard. Visa, for whatever reason, remains active. From time to time American Express is not an available option but they usually show up again after a brief absence.

High Risk merchants - coupled with gullible and / or desperate consumers with no insurance to cover more prescriptions for these medications - are the main reasons rogue organizations like this can still thrive.

> Excuse my naivety, but I don't
> understand how they make enough money to make this scam
> worthwhile.


Well: if your email deployment is essentially free (thanks to botnets that use *your* computer to send the messages) and your entire web hosting infrastructure is also essentially free (thanks to thousands of unix servers that this organization hacks into and takes over to act as DNS servers, image hosting servers and web servers, all without the actual owner's knowledge or consent) - even a single sale is virtually 100% profit.

When I monitored a series of hijacked servers, it was obvious that sales via these sites was extremely consistent, often as many as 20 - 30 every hour. One single hijacked server could serve out dozens of distinct website properties, and each was spammed to millions of recipients. It isn't hard to be profitable when your "costs" (such as they are) don't exist.

SiL

Anonymous said...

I've been battling these bastards for about 6 months. I tried to add the ip addresses to my internal blacklist, but that doesn't work since they keep hijacking different ip's. Luckily I found a setting in my mail server software that can check to see if it's coming from a dynamic ip and reject the message based on that. I don't know if it's kosher to say which mail server software I'm using, but outside of the Canadian pharmacy, I only get about 1 spam message per week.

IKillSpammerz said...

With very few exceptions, literally every part of their hosting, DNS, fly-by redirection pages, etc. are ALL hosted on somebody else's hacked server. Very few exceptions. Unfortunately the hosting companies whose servers have been compromised in this way remain very much unresponsive. It's disheartening to see.

One day someone will shut this scumbag affiliate group down. It's really just a matter of time.

SiL

gen said...

I hate Canadian Pharmacy spam. My site has been attacked by this spam. They post over 1000 replies. I want to kill this

IKillSpammerz said...

@gen: Don't we all!

The thing is that they're very hard to track down - other than knowing that they base their affiliate program in Russia and Ukraine - and even harder to shut down.

They're my main focus now. Hopefully we'll see the same thing happen to them that ultimately happened to Spamit and Glavmed.

SiL

Anonymous said...

I don't think you kill these spammers in the way I would have them killed - Soprano style! But good effort, anyway.

Actually, maybe we could start a fund to set up a protection racket that worked for the human race?

-Sigmund

Anonymous said...

8 years later they're still going strong ;_; I can't even block them with filters for some reason.

IKillSpammerz said...

They are definitely still going strong. They are one of the last remaining large-scale pharmacy spam operations in existence.

They still hack public servers constantly. 100% criminal operation. You should not expect the spam to stop. They're morons with their lists.

SiL

Anonymous said...

Complainterator is not really a helpful link as the domain is "for sale".
How exactly are we supposed to use that link?


IKillSpammerz said...

Well: the comment that lists that tool dates from 2009 so... yeah. It is gone now.

My team still reports as many of these domains as we can, and Eva Pharmacy is apparently noticing, and it does have the desired effect of generally making their lives difficult when it comes to profiting (easily) from this illegal pharmacy spam.

You can always join the inboxrevenge forum (http://ksforum.inboxrevenge.com) if you want to contribute to the group that reports these domains. They're certainly still active.

SiL