Pharma-fraud escalates dramatically
Sunday, 17 May 2009 15:22

When I was at Webroot Software in Boulder, Colorado, there was a clever criminal who managed to acquire the domain name spysweeper.com. He created a site that looked like it was selling Webroot’s anti-spyware product, Spysweeper, but was just a way to steal credit card and banking info. Going to the site would lead you to an order form that asked for your address, phone numbers, credit card, bank account, even your birthday. Why bother selling an actual product online when you can just trick people into giving up their identity?

This week I had an interesting conversation with eSoft, another Colorado security company. eSoft is fast becoming one of the top research groups in the area of web security. They use one of the most effective ways to research URLs and thus provide up-to-the-minute threat assessments. They gather information from the UTM devices they have deployed around the world to identify new sites and then evaluate them using various automated techniques. The 10% of sites that do not succumb to automated analysis are passed on to eSoft’s research team, which does an in-depth analysis of each new site. When a category or a threat is determined, they push the URL back out to their clients as well as the many OEM partners that use their database for their own content filtering solutions.

eSoft has determined that there has been a major spike in fraudulent pharmacy sites just this past week. Much like the fake SpySweeper site, these pharma-fraud sites present a convincing storefront that appears to sell Viagra and Cialis. They have a sophisticated shopping cart system and take your money but do not bother with actually fulfilling orders.

eSoft provided me with data on seven different templates they have discovered. The quantity is amazing. In four days last week they detected:

1,104 canadian_pharm_light_blue
993 canadian_pharm_blue
27 top_pharmacy
23 canadian_pharm_white
18 health_sol
6 canadian_pharm_blue2
1 canadian_pharm_p_images

That is 543 of these sites per day over four days — and only for these seven templates.

“The canadian_* templates are clearly the most prevalent and we have traced these back to ‘GlavMed’, which we believe operates out of the Russian Business Network and is likely tied to the Russian mafia. The GlavMed hosts tend to stay online for no more than a couple of weeks.”

The other major outfit is Rx Partners/Rx-Commission Networks/Stimul Cash, which has these websites:

http://www.rx-partners.biz
http://www.stimul-cash.com/sites.html

Here are some recent (last 4 days) examples of these sites:

health_sol:
Update 6-11-09
Affiliates of HealthSolutions removed at request of company. They assure me that their affiliates do indeed process payments through them. Their sites are not “fraudulent” in the sense that they are not stealing credit card info.

Here are some sites they have learned to detect with some new techniques they have developed but have not yet dug into to determine ownership, etc.

eSoft says this is just the tip of the iceberg. Some major effort is being put into developing these fraudulent sites. I wonder what is next? Fraudulent pornography and online gaming sites? Fraudulent Father’s Day gift sites? The possibilities are endless.

The bank merchant card services are going to have to start monitoring the activity of their merchants to catch these. Of course, if the Russian Mafia is involved, expect to see these stolen credit cards used in so-called carding schemes, where counterfeit credit cards are manufactured using the data collected from these sites. End users will have to be very careful when using their credit cards to purchase anything. The threats to ecommerce are escalating.

Thanks and kudos to eSoft’s research team for providing me with all this data.

Post from: ThreatChaos
