RSSCanadian Pharmacy and Glavmed: An Open Letter To Law Enforcement, The FTC And The FDA
Feb 02
Spam canadian, college, december, definition, domains, february, internet, january, july, june, past, Phishing, source, Spam, spamislame, storm, trademark, washington, world No Comments
To whom it may concern (and ultimately it concerns all of you.)
I write today to petition your attention towards a large-scale international illegal pharmacy operation known as Glavmed.
Glavmed are the sponsor program promoting the very-widely-spammed property known as “Canadian Pharmacy”. (Hereinafter referred to as “CPh”.) If you have an email address of any sort, it is very likely that you’re at least mildly aware of Canadian Pharmacy. It’s the most commonly spammed property on the Internet today, and shows no signs of slowing down whatsoever. CPh has been relentlessly spammed to millions of recipients for the past three years. Here is a screenshot of a currently spammed domain, dadsymbol.com:
Sales of these alleged “generic” pharmaceuticals violates the law in most countries around the world. Sale of these products in their legitimate form without consultation with a physician or a registered pharmacist is also illegal, and violates several sections of the FDA act.
Finally: sale of controlled substances – phentermine definitely qualifies, but again: who knows what’s actually in the pills this “company” is selling to you? – is also against the law when done so without any registered pharmacist or a valid, authorized prescription.
This organization breaks several international laws, but more importantly it poses a very serious threat to the public’s health.
Promotion Via Illegal Spam
The only way that perhaps 70% or more of the world has heard of Canadian Pharmacy is via the unrelenting, large-scale receipt of illegally-sent spam email messages. By “illegally-sent”, I refer specifically to the fact that they (or someone or some group working on their behalf) send these emails using very large scale “botnets” (definition) comprising several thousand of exploited public computers. Over the past three years, no fewer than six (6) IT security organizations have performed research on a variety of these botnets, most notably the Storm botnet, and discovered that one of the primary uses of this botnet was to send spam email messages promoting these CPh websites.
I myself have written on this blog and on numerous spam- and cybercrime-related forums regarding Canadian Pharmacy, and I’ve specifically been researching their operations starting in mid-2006. (previous posting) However I am far from the only individual researching this organization.
Finnish Security Company “F-Secure” posted research tying spam messages promoting spamvertised websites for CPh on November 11th, 2006. (source) In this research they discovered that a PC exploit then known as “Warezov” was capable of sending spam. That spam contained urls for websites promoting what was then known as “Pharmacy Express.” Pharmacy Express turned into Canadian Pharmacy in early 2007. The spam runs promoting these websites would often send tens of millions of messages to addresses around the world. The domain names for the Pharmacy Express sites were virtually identical in naming structure to those used as name servers for other sites which were being used as infection points for the Warezov virus, as well as domains used as name servers for both the warezov infection sites and the CPh websites. More on Warezov and it’s functionality later.
Fast-Flux Hosting Via Hijacked Public Computers (Storm Worm)
Focusing again on the abovementioned domain, we can see that some unique hosting solution is being used for the “dadsymbol.com” domain by running a “dig” command against that domain:
sign up form features no section where anyone needs to disclose whether they are a medical professional or a pharmacist at all, or whether they are retaining one for the purposes of fulfilling prescriptions for the pharmaceuticals these sites sell.
So how did I discover the link between Glavmed’s affiliate program and Canadian Pharmacy? I joined their affiliate program. I will not disclose the details of my affiliate account other than to say that I have never used it for any promotional purposes on behalf of glavmed or Canadian pharmacy. Once I was approved, I was sent a link to their site templates which made it very clear that this was a very large-scale, highly organized operation, and that they are indeed 100% responsible for Canadian Pharmacy, and therefore responsible for the relentless spamming which occurs on their behalf.
As it turns out, apparently one of their supporters or affiliates posted a very Glavmed-friendly piece on a website known as atlantea.com (source), which alleges to rate the various online pharmacies promoted by Glavmed. They of course make absolutely no mention of the fact that these sites are easily the most prolifically-spammed properties on the Internet today. That entire domain appears to be a very spam-friendly site, and it links to a known base-domain which glavmed sites have been using for payment processing for three years now, rx-partners.biz.
Some interesting additional notes: They have modified several threads in their forums. These threads previously contained postings by several members which made it very clear that not only were Glavmed and their affiliates aware that many of their ranks were involved in large-scale spamming, but that they also knew they were lying about the use of logos such as that of Pharma Checker.
This thread previously had a posting (following posting #4, which is now the final posting in that thread) which stated that there was no valid Pharma Checker account for the Canadian Pharmacy websites. (A valid Pharma Checker is required in order to place a link to any pharmaceutical sites within a Google Adsense campaign, among many others. One affiliate was refused. I feel certain that many others must have been refused as well.) Another thread regarding spamming (source) had several pro-spam postings dating back to late 2007. These were removed sometime between December 2008 and January 2009. That was previously located after posting #3. Clearly someone is removing any expository evidence. (I and many others have archives of this forum however.)
Glavmed / Spamit / Storm / Canadian Pharmacy / RBN
Further, no less an authority than Ironport, a major spam-fighting corporation, made direct connections between Storm worm, Canadian Pharmacy, Glavmed, and their underground affiliate portal (and likely the real smoking gun) known as Spamit.com. (source) Ironport also placed several orders to verify what would happen with their bait credit card information, and to see whether they would actually receive anything from the order. They did receive a package containing pills which contained sugar and what was referred to as “inert filler”. Another contained “high metal content”. This is clearly a very high risk to the public’s health.
I and many other researchers and security professionals believe it is time for someone to take decisive action against this operation, which has profited for at least four years now and is only continuing to grow. Research and evidence abounds regarding the connections between Canadian Pharmacy, Glavmed, The Storm Worm and the Russian Business Network. All of these are known by numerous security and law enforcement agencies to be operating in flagrant violation of international law. I and the citizens of my country and those of pretty much every other country are fed up with continual bombardment of these spam messages, promoting websites which lie in every word of their content, which sell fake and harmful products, and which endanger the lives of the general public. We are fed up with the complete lack of action on behalf of anyone in Law Enforcement to go after Glavmed, their affiliates, their site operators, their payment processors, their hosting providers and their domain registrars. The time for action is now, especially with the abundance of available research into this organization and their practices.
Please take this appeal very seriously. I welcome your feedback.
Very sincerely,
SiL / IKS / concerned citizen
Further research into Canadian Pharmacy
Spam Wiki: Canadian Pharmacy
http://spamtrackers.eu/wiki/index.php?title=Canadian_Pharmacy
Further research into the Storm Worm
Storm Worm Botnet Cracked Wide Open
http://www.heise-online.co.uk/security/Storm-Worm-botnet-cracked-wide-open–/news/112385
Russian Business Network (RBN): Georgia Cyberwarfare – Attribution & Spam Botnets
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-attribution.html
Full-disclosure: It’s time to get serious about Storm Worm / RBN
http://seclists.org/fulldisclosure/2008/Mar/0300.html
Slashdot: We Know Who’s Behind Storm Worm
http://it.slashdot.org/article.pl?sid=08/01/29/1823242
Excerpt from:
Canadian Pharmacy and Glavmed: An Open Letter To Law Enforcement, The FTC And The FDA
