Archive for the ‘fake meds’ Category

Fake Canadian pharma site causing headaches

June 1st, 2011 No comments

I awoke the other day to a friend calling me and exclaiming into the phone: “My Yahoo email account was hacked !!!” He had been angrily accused by others in his contact list of sending spam messages and sharing inappropriate website links. Most of the questions he fielded had the same query: "Why did you send me to this site!?" He was pretty shocked about the ordeal and called me for help.


After checking my inbox, I too had received a message from my friend. We did a quick check of his account and learned that the password was apparently guessed or stolen and his email account was used to send over 20 emails with links to domains like “Canadian  Neighbor Pharmacy” to his contact lists at 2:59 AM in the morning, while he was asleep:


View of spam messages in the Sent folder of compromised account 
Image 1 – View of spam messages in the Sent folder of compromised account


The catch with these messages here is that they originated from someone I knew, suggesting I could more likely trust the content. Below is an example of the email message as sent by a spammer using the stolen account credentials:


Example of spam email message

Image 2 – Example of spam email message



The following are other examples of spam messages sent in bulk by a spammer:

  • Make your first step on the way to lose your weight!… malaysia*****.com/frie*ds_links.php?kogID=53at5
  • Cool!!! You will be happy with the results!..  auxil*****.org/fri*nds_links.php?ipage=05wj4
  • Move your ass at this site!…  kds-l*****.de/fri*nds_links.php?ossiteid=97ho7
  • Wow! Now I know where I can find everything I want to diversify my life!.. lausit*****.de/fri*nds_links.php?soSID=23oq3
  • I hope you’ll enjoy after visiting this site….  comitemarnebi*****.com/fri*nds_links.php?hoqaolid=35ly8

Note the re-use of the PHP page “friends_links.php”. When a recipient of the email message clicks on the link in the message, it redirects them to the following fake Canadian Neighbor Pharmacy site:

Fake pharma site

Image 3 – Fake pharma site


With further research, I learned that the “Canadian  Neighbor Pharmacy” site is part of a list of sites promoted by an underground organization called “”. This organization encourages spammers and hackers to target email recipients from domains like,,, etc. The site itself functions as a front for credit card fraud and identity theft by targeting unwitting users that register an account on the site and order promoted pharmaceuticals that may never arrive.

With the summer (or winter, depending on your hemisphere) among us, watch for seasonal or themed email messages too. Be alert to email messages with typos or bad form and a single hyperlink with little or no explanation about the link itself.

Special thanks to Patrick Nolan for contributing to this blog.

— Wei, MMPC

Categories: fake meds, fraud, pharma, phishing, spam Tags:

Slick links linked to slinky Winwebsec

May 3rd, 2011 No comments

I received a spam email from a friend lately after which I immediately notified him of a potential malware infection.  He insisted his technician had taken care of the infection once and for all.  After I returned from my vacation I received another three spam mails from him.  This time I decided to look further.

Message 1, about two weeks old, contained a simple URL shown as ‘’.  The hyperlink actually is for a different site, “”, a site that has been taken down when I tested in our lab.

Message 2 contained another URL, also displayed as ‘’ and the hyperlink this time was for another site, “”.   As of April 27, the site was still alive, and appears to be a fake site for the purchase of drugs online:

Image 1 – fake pharma site


Message 3 arrived only a few days ago, and it too used the ‘’ ruse. The message contained a single line of content, with a displayed link of ‘’ and an actual hyperlink of “”. I turned to a fellow researcher Tim to investigate. Below is a short summary of what he discovered.

When visiting the URL, it installs a program with a file name of “pack.exe” (ShA1: 6286972A5DA540E058DD2AEDFC38B6061FF67F14). A quick search at VirusTotal – an online service that scans submitted malware samples using multiple security scanners – indicated no current detection by security vendors.

When I ran the program, a familiar interface popped up – it was the rogue Win32/Winwebsec:

Image 2 – Win32/WinWebsec rogue


And now, they want $99.95 for it:

Image 3 – purchase lure


After having a peek at the HTML code of the malicious website, we found there was actually an exploit kit being implemented to install rogues, using a “drive-by-install” method. The exploit is similar to the known “Zombie Infection Kit” and also the “Siberia exploit kit”, and it includes the following exploitation methods:


Image 4 – CVE-2006-003 – Microsoft Data Access Components (MDAC) Vulnerability


Image 5 – CVE-2010-0886 – Java Deployment Toolkit Vulnerability


Image 6 – CVE-2010-1885 – Microsoft Windows Help and Support Center Vulnerability

If these exploit methods look familiar, that’s because they are the exact exploit toolkits heavily used to distribute Zbot (aka Zeus). The rogue installed by the web page mentioned above is detected as Rogue:Win32/Winwebsec.

If you only draw one conclusion from our research, let it be “don’t click on suspicious links”.


–Tim Liu & Scott Wu, MMPC