I write today to petition your attention towards a large-scale international illegal pharmacy operation known as Glavmed.
Glavmed are the sponsor program promoting the very-widely-spammed property known as "Canadian Pharmacy". (Hereinafter referred to as "CPh".) If you have an email address of any sort, it is very likely that you're at least mildly aware of Canadian Pharmacy. It's the most commonly spammed property on the Internet today, and shows no signs of slowing down whatsoever. CPh has been relentlessly spammed to millions of recipients for the past three years. Here is a screenshot of a currently spammed domain, dadsymbol.com:
Please note that depending on your geographic location, this same domain will appear as "Canadian Pharmacy", "European Pharmacy", and a variety of other variations on that brand name. They do this by using geographic sensing of inbound IP addresses to the site. The overall layout and functionality remains the same.
The Websites
On the surface this appears to be a fairly innocuous website selling what appear to be legitimate pharmaceutical products. However a little further examination proves that this is a site selling fake, knock-off, imitation versions of some fairly widely-sold pharmaceutical products such as Viagra and Cialis. The clue that this is not legitimate is that they also sell the following products:
- Viagra Professional
- Cialis Professional
- Viagra Super Active
- Cialis Super Active
- Viagra Soft Tabs
- Cialis Soft Tabs
- VPXL
- Levitra Professional
- Levitra Super Active
None of these products have ever been produced by the actual originators of the original Viagra or Cialis. These products have only been sold from shady, illegitimate online pharmacies.
Add to this that they have creatively spelled the names of one or more dangerously addictive and harmful products such as "Phentrimine", and offer another bogus version of this same product named "Herbal Phentermine", and it becomes clear that this is a company which is distributing products of dubious origin and manufacture.
All of these products are sold without the need for any prescription, whcih violates several FDA regulations, especially for the sale of controlled substances such as phentermine.
Further (although technically speaking this is less of an issue than the risk to public health and safety): these sites' continued use of the brand name "Viagra" is in violation of the trademark and intellectual property rights of Pfizer, who owns the Viagra name and the patent on its particular medicinal formula. There is no such thing as "generic" Viagra, nor has there ever been. It is not legal to make -- or claim to make -- Viagra while Pfizer still holds the patent. The same is true of Cialis and Levitra.
Sales of these alleged "generic" pharmaceuticals violates the law in most countries around the world. Sale of these products in their legitimate form without consultation with a physician or a registered pharmacist is also illegal, and violates several sections of the FDA act.
Finally: sale of controlled substances - phentermine definitely qualifies, but again: who knows what's actually in the pills this "company" is selling to you? - is also against the law when done so without any registered pharmacist or a valid, authorized prescription.
This organization breaks several international laws, but more importantly it poses a very serious threat to the public's health.
Promotion Via Illegal Spam
The only way that perhaps 70% or more of the world has heard of Canadian Pharmacy is via the unrelenting, large-scale receipt of illegally-sent spam email messages. By "illegally-sent", I refer specifically to the fact that they (or someone or some group working on their behalf) send these emails using very large scale "botnets" (definition) comprising several thousand of exploited public computers. Over the past three years, no fewer than six (6) IT security organizations have performed research on a variety of these botnets, most notably the Storm botnet, and discovered that one of the primary uses of this botnet was to send spam email messages promoting these CPh websites.
I myself have written on this blog and on numerous spam- and cybercrime-related forums regarding Canadian Pharmacy, and I've specifically been researching their operations starting in mid-2006. (previous posting) However I am far from the only individual researching this organization.
Finnish Security Company "F-Secure" posted research tying spam messages promoting spamvertised websites for CPh on November 11th, 2006. (source) In this research they discovered that a PC exploit then known as "Warezov" was capable of sending spam. That spam contained urls for websites promoting what was then known as "Pharmacy Express." Pharmacy Express turned into Canadian Pharmacy in early 2007. The spam runs promoting these websites would often send tens of millions of messages to addresses around the world. The domain names for the Pharmacy Express sites were virtually identical in naming structure to those used as name servers for other sites which were being used as infection points for the Warezov virus, as well as domains used as name servers for both the warezov infection sites and the CPh websites. More on Warezov and it's functionality later.
Fast-Flux Hosting Via Hijacked Public Computers (Storm Worm)
Focusing again on the abovementioned domain, we can see that some unique hosting solution is being used for the "dadsymbol.com" domain by running a "dig" command against that domain:
As you can see from this simple check, the website itself is hosted on rotating IP addresses. This is a technique known as "fast flux" hosting (definition), and it's used by these CPh sites to hide their true location. Research has shown that these IP addresses are, invariably, infected household PC's owned by individuals who are unaware that their computer has been taken over to be used in support of these illegally-operating websites.
The IP addresses in this particular example are all located in Beijing, China, hosted at three distinct companies:
China Network Communications Group Corporation
CHINANET hebei province network / China Telecom
Beijing Zhongbangyatong Telecom Technology Co.,Ltd
This is not often the case. Several researchers have discovered some CPh sites using household dsl connections in the US Midwest, cable internet connections in Poland, and numerous other types of always-on cable or dsl connections around the world. All of this is believe to be provided by the Storm worm.
100% False Claims
Canadian Pharmacy has made numerous completely false claims throughout nearly every word they say in every spam message sent, and on every page of their websites. Among these are claims that they offer security when processing credit cards (they do not, and never have, and this is something you can see by investigating any of the domains spammed to promote this operation,) that their products are safe (numerous researchers have found that they either contain no active ingredient, or that they contain only trace amounts of the active ingredient, or that they actually contain harmful elements or materials,) and they often listed contact information which was actually for the College of Pharmacists of British Columbia, who strenuously denied having anything to do with this operation or its continued illegal spamming practices. They also listed icons for the Better Business Bureau, Verified by Visa and an organization known as "Pharma Checker", none of whom actually supported or endorsed any of these sites. (And in all cases, representatives from all three expressed frustration in being able to get this group to remove their icons from their sites.) Only in the past four months have they removed these icons. It is unclear why, although one could surmise that the increased investigations into their operations are to blame.
In fact even the very name of these sites, Canadian Pharmacy, is a lie. They aren't located anywhere near Canada, the products often ship from India, and the domains and name servers are hosted around the world. There isn't any Canadian source for any of these websites.
Further: the contact information used to register websites and nameserver domains routinely feature 100% fake information. This is true for literally every single website registered for the promotion of Canadian Pharmacy.
These websites represent a very serious risk to the public's health, no matter which country the unwitting customers of these malicious websites happen to live in.
But I encourage you to join me in digging deeper into what other illicit activities this series of illegal websites is tied to.
Glavmed's Connection to Storm / Warezov Infections
I mentioned Warezov in an earlier paragraph.
Over the past 2 years, Warezov has come to be known alternately as Storm or Asprox. There are other names for this type of PC infection. It has continued to grow in size, and has continued to be used for all manner of illicit online activity ranging from the aforementioned spamming, through to plainly illegal activity such as performing large-scale Distributed Denial Of Service attacks (aka: DDOS attacks) against any site the botnet operator chooses (source), performing SQL injection attacks (source,) and most importantly for providing hosting and infrastructure for these Canadian Pharmacy websites, including name servers. Storm worm has also occasionally been used in phishing attempts. (source)
As far back as Jan. 31, 2008, tech news stories abounded that law enforcement authorities knew who had created and continued to operate the Storm worm (source), yet nearly a full year later absolutely no action has been taken against them. Further research by a variety of individuals as well as Wired Magazine tied Storm worm to a shadowy criminal organization known as the Russian Business Network, or "RBN". (source)
No less a source than the Washington Post's Brian Krebs has previously posted in great detail about who is behind the Storm Worm, and boldly declared he had connected all the dots in a story dating from January 29th, 2008. (source, with extensive background research.)
Glavmed Affiliate Program
In the past year, after monitoring numerous spam-friendly forums, many of which now no longer exist, I discovered one website which was responsible for acquiring new affiliates to promote the Canadian Pharmacy brand: a site called Glavmed.com. This is not immediately obvious from just visiting their main website, glavmed.com. (Although they do of course mention that the sites being promoted are pharmacy websites.) Their sites page features no mention of the brand "Canadian Pharmacy", only vague descriptions of what the sites sell, and that anyone can join this program. Their sign up form features no section where anyone needs to disclose whether they are a medical professional or a pharmacist at all, or whether they are retaining one for the purposes of fulfilling prescriptions for the pharmaceuticals these sites sell.
So how did I discover the link between Glavmed's affiliate program and Canadian Pharmacy? I joined their affiliate program. I will not disclose the details of my affiliate account other than to say that I have never used it for any promotional purposes on behalf of glavmed or Canadian pharmacy. Once I was approved, I was sent a link to their site templates which made it very clear that this was a very large-scale, highly organized operation, and that they are indeed 100% responsible for Canadian Pharmacy, and therefore responsible for the relentless spamming which occurs on their behalf.
As it turns out, apparently one of their supporters or affiliates posted a very Glavmed-friendly piece on a website known as atlantea.com (source), which alleges to rate the various online pharmacies promoted by Glavmed. They of course make absolutely no mention of the fact that these sites are easily the most prolifically-spammed properties on the Internet today. That entire domain appears to be a very spam-friendly site, and it links to a known base-domain which glavmed sites have been using for payment processing for three years now, rx-partners.biz.
Some interesting additional notes: They have modified several threads in their forums. These threads previously contained postings by several members which made it very clear that not only were Glavmed and their affiliates aware that many of their ranks were involved in large-scale spamming, but that they also knew they were lying about the use of logos such as that of Pharma Checker.
This thread previously had a posting (following posting #4, which is now the final posting in that thread) which stated that there was no valid Pharma Checker account for the Canadian Pharmacy websites. (A valid Pharma Checker is required in order to place a link to any pharmaceutical sites within a Google Adsense campaign, among many others. One affiliate was refused. I feel certain that many others must have been refused as well.) Another thread regarding spamming (source) had several pro-spam postings dating back to late 2007. These were removed sometime between December 2008 and January 2009. That was previously located after posting #3. Clearly someone is removing any expository evidence. (I and many others have archives of this forum however.)
Glavmed / Spamit / Storm / Canadian Pharmacy / RBN
Further, no less an authority than Ironport, a major spam-fighting corporation, made direct connections between Storm worm, Canadian Pharmacy, Glavmed, and their underground affiliate portal (and likely the real smoking gun) known as Spamit.com. (source) Ironport also placed several orders to verify what would happen with their bait credit card information, and to see whether they would actually receive anything from the order. They did receive a package containing pills which contained sugar and what was referred to as "inert filler". Another contained "high metal content". This is clearly a very high risk to the public's health.
I and many other researchers and security professionals believe it is time for someone to take decisive action against this operation, which has profited for at least four years now and is only continuing to grow. Research and evidence abounds regarding the connections between Canadian Pharmacy, Glavmed, The Storm Worm and the Russian Business Network. All of these are known by numerous security and law enforcement agencies to be operating in flagrant violation of international law. I and the citizens of my country and those of pretty much every other country are fed up with continual bombardment of these spam messages, promoting websites which lie in every word of their content, which sell fake and harmful products, and which endanger the lives of the general public. We are fed up with the complete lack of action on behalf of anyone in Law Enforcement to go after Glavmed, their affiliates, their site operators, their payment processors, their hosting providers and their domain registrars. The time for action is now, especially with the abundance of available research into this organization and their practices.
Please take this appeal very seriously. I welcome your feedback.
Very sincerely,
SiL / IKS / concerned citizen
Further research into Canadian Pharmacy
Spam Wiki: Canadian Pharmacy
http://spamtrackers.eu/wiki/index.php?title=Canadian_Pharmacy
Further research into the Storm Worm
Storm Worm Botnet Cracked Wide Open
http://www.heise-online.co.uk/security/Storm-Worm-botnet-cracked-wide-open--/news/112385
Russian Business Network (RBN): Georgia Cyberwarfare - Attribution & Spam Botnets
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-attribution.html
Full-disclosure: It's time to get serious about Storm Worm / RBN
http://seclists.org/fulldisclosure/2008/Mar/0300.html
Slashdot: We Know Who's Behind Storm Worm
http://it.slashdot.org/article.pl?sid=08/01/29/1823242
