Security researchers from Imperva Incapsula recently embarked on an investigation of the “Canadian pharmacy” scam which it describes as the most common form of spam that has clogged inboxes with ads for Viagra and painkillers for years.
During its investigation, the Incapsula researchers say they intercepted encoded communications from a botnet consisting of 80,000 compromised devices. The botnet was used for an innovative spam campaign built to circumvent security countermeasures.
The scam has been traced back to organised crime syndicates operating in what is estimated to be a US$431 billion (£336 billion), and growing, market. Its scale, and the danger counterfeit drugs pose to the public health, prompted repeat action from FDA, Interpol, among others.
The investigation began when they had noticed an unusually high number of base64-encoded requests triggered by their security rules. A deeper inspection found that the requests originated from a large undocumented botnet that was issuing command orders to websites infected with a WSO Web Shell—a commonplace PHP backdoor used for remote file management and code execution.
They were able to identify three types of requests:
- Orders to modify .htaccess files
- Orders to inject compromised sites with custom-made PHP malware
- Heavily obfuscated payloads meant to be decoded by the PHP malware
One indicator of the size of this operation is the number of fake pharmacy domains the offenders have at their disposal.
In the course of the investigation, they were able intercept payloads with details of 51 websites used by spammers to sell counterfeit drugs. These were located in China, Malaysia, Vietnam, Ukraine, France, Taiwan, Russia, Indonesia and Romania.
Tracing back the IPs of these website Incapsula says discovered 1,005 more active domains, presumably used by spammers. 70.2 percent of these are hosted in Russia and the rest are hosted in France.
No less impressive is the size of the botnet that controlled this network of compromised websites. Over a period of 14 days, they intercepted communications from 86,278 unique IPs worldwide.
This botnet functioned as a colossal C2 (command and control) center for the network of compromised sites. In practical terms, it was responsible for issuing injection commands and periodically sending out B64ryoshka payloads with details of new spam targets.
The botnet's surprising size, considering the relatively low-resource function it serves, illustrates both the effort its operators invested in the scheme, as well as the lengths taken to cover their tracks.
Incapsula adds: “And in case you were wondering, we have reasons to believe that this wasn't yet another IoT botnet. For one thing, in the course of our investigation, we saw legitimate browser requests originate from compromised devices that were consistent with what's considered to be typical traffic patterns.”
This could indicate that the bulk of the botnet IPs belonged to some type of web browsing devices (eg home computers) that were compromised through an application layer attack, such as a malicious browser ad-on. An even stronger indication was the fact that only a few of the botnet IPs were recorded in Shodan, which would not be the case if it was an IoT botnet.
Previous reports have already linked Canadian pharmacy spam to Russian and Ukrainian criminal organisations, and Incapsula says it has seen these footprints in their data as well, both in the prevalence of .ru domains and the location of the botnet devices used in the attack.
The Incapsula team says: “Our analysis furthers this discussion by showing just how elaborate spam campaigns have become and the methods have evolved to bypass current-gen spam filters. We hope that in sharing this data, we can promote awareness among potential victims of spam schemes. Site owners and security vendors in charge of email filtering run the risk of having their websites blacklisted for being unwittingly used in similar spam attacks.”