Complex botnet sending fake drug emails identified

A massive botnet operating more than 50 fake online pharmacies selling counterfeit drugs has been identified.

Consisting of more than 86,000 compromised computers, the botnet was revealed after website security firm Imperva Incapsula intercepted encoded communications from the network.

It follows the recent co-ordinated dismantling of the Kelihos botnet that sent hundreds of millions of spam emails advertising fake drugs.

The scam operation was brought to Imperva's attention, sparking a month-long investigation, when the firm noticed an "unusually high number of base64-encoded requests triggered by our security rules".

Further inspection revealed the encoded requests originated from a large botnet and involved three types of orders: to modify certain files to reroute visitors to a fake pharmacy, inject compromised sites with custom-made malware designed to construct spam emails, and deeply encoded messages (payloads) meant to be decoded by the malware that were sales pitches for counterfeit drugs.

"Together, the requests revealed a sneaky three-pronged spam attack" that worked to route visitors from non-existing (404) URLs in a spam email to an e-store allegedly selling counterfeit drugs, the company said. Furthermore, the commands were an "elaborate attack" built to bypass spam filters.

"The hustle works by pairing two compromised domains – one to issue out spam emails and the other to reroute visitors to the fake pharmacy store," according to the Imperva report.

The company said the scam was complex, being run over a network of interlinking sites, which sent out spam emails daily.

"Making something like this work requires a team effort. Based on everything we saw, there's no doubt that we were dealing with a widespread criminal operation. The botnet's surprising size, considering the relatively low-resource function it serves, illustrates both the effort its operators invested in the scheme, as well as the lengths taken to cover their tracks," Imperva said.

The e-stores the emails linked to were found to be advertised as a "Canadian Pharmacy", "despite the fact that most were .ru domains and none were hosted in Canada".

In the course of the investigation, Imperva researchers were able to intercept payloads with details of 51 websites used by spammers to sell fake drugs, generally erectile dysfunction pill Viagra, which were located in China, Malaysia, Vietnam, Ukraine, France, Taiwan, Russia, Indonesia and Romania.

"Tracing back the IPs of these websites, we discovered 1,005 more active domains, presumably used by spammers. Seventy percent of these are hosted in Russia and the rest are hosted in France."

The "Canadian Pharmacy" scam, which has been around for years, is one of the world's largest pharma email scams largely advertising fake male-enhancement pills and painkillers and has been linked to organised crime syndicates, particularly those in Russia. It is estimated as being a $431bn market.

Imperva said: "Our analysis shows just how elaborate spam campaigns have become and the methods have evolved to bypass current-generation spam filters."

The Imperva investigation, which has been passed to law enforcement agencies, follows the April arrest of Russian Pyotr Yuryevich Levashov in Spain, who was believed to be the operator behind the colossal Kelihos botnet that sent hundreds of millions of fraudulent emails advertising counterfeit drugs and installing malware. The US is now dismantling the Kelihos botnet.

Imperva said the firm considered its investigation may have been tracking Levashov's botnet but following the arrest the activity of Imperva's botnet increased by 11 per cent. "This shows it wasn't the one that was taken down and, in fact, might be even benefiting from the removal of a prominent competitor."