October 22, 2010

First we take Canada, then we take the World

Ran Mosessco Principal Security Researcher

By now, Web sites related to "Canadian Pharmacy" are well-known to email users around the globe, many of whom have had the "pleasure" of receiving spam messages offering a way to buy cheap medications.

Recently, Websense Security Labs™ ThreatSeeker™ Network came across what looks like a newer variant: "World Pharmacy".

What's interesting about this campaign is that it uses links to compromised Web sites, which in turn redirect to the World Pharmacy affiliate site. So far, it seems that the compromised pages contain only a simple redirect, but there's no guarantee that the campaign will remain this benign. The wide variety of compromised sites (Web hosting, a Nepal Government office site, an English school, and more) suggests that the spammers want to use the good reputation of legitimate sites to get their message across.

Websense customers are proactively protected against this spam by our Advanced Classification Engine (ACE).

This particular variant arrives through email with various subject lines, such as:

More energy for affairs
Your powerful uprise will excite women
Prevent ero-failures
Show her your potential
Stop ruining yourself
Buy macho-doping online
Make her joy stronger
Dreaming of being number one for her?
Huge success in male augmentation
Magnesium oxide replenishment to your organism.
Secret of lasting acts of love
Secret of male victories



The email tries to endear itself to the recipient by addressing the reader as "Dear <user name from the recipient's email address>,".

After such a personal opening, who can resist clicking on the link text? It ranges from male enhancement offers to a generic registration confirmation, "Would you believe that?", and similar ploys.
To get around mail content filters, the text doesn't use explicit product names or overly objectionable expressions.

To add another bit of legitimacy, the footer clearly states that the senders are committed to your privacy, and that you can unsubscribe at any time. Of course, all the links in the footer point to the same compromised page with different parameters.
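The two message traits described above (a greeting built from the recipient's address, and footer links that land on the same page as the body link with only the parameters changed) can be checked mechanically. The following is an added example, not code from the original post or from Websense; the function names, trait labels and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def page_key(url):
    """Host and path only: the query string and fragment are ignored."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.rstrip("/")

def campaign_traits(recipient, html_body):
    """Return the traits from the write-up that one message exhibits."""
    collector = LinkCollector()
    collector.feed(html_body)
    web = [(h, t) for h, t in collector.links
           if h.lower().startswith(("http://", "https://"))]
    traits = []
    local_part = recipient.split("@", 1)[0]
    if re.search(r"\bDear\s+" + re.escape(local_part) + r"\b", html_body, re.I):
        traits.append("greeting-from-address")
    pages = {page_key(h) for h, _ in web}
    queries = {urlsplit(h).query for h, _ in web}
    footer = [t for _, t in web if re.search(r"unsubscribe|privacy", t, re.I)]
    # Body link and footer links all land on one page, differing only in parameters.
    if len(web) > len(footer) > 0 and len(pages) == 1 and len(queries) > 1:
        traits.append("footer-links-same-page")
    return traits

# Constructed sample message; host, path and parameters are placeholders.
SAMPLE = """<p>Dear jsmith,</p>
<p><a href="http://site.example/img/page.html?a=1">Would you believe that?</a></p>
<p>We are committed to your privacy.
<a href="http://site.example/img/page.html?a=2">Privacy policy</a> |
<a href="http://site.example/img/page.html?a=3">Unsubscribe</a></p>"""
```

Legitimate newsletters that route every link through one tracking endpoint can also show the second trait, so treat the result as a scoring signal to combine with sender and URL reputation rather than as a verdict.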


The compromised pages contain a simple redirect, as mentioned above, to a Web site registered to one "Vladislav Petrenko" from Moscow, who seems to have an affinity for the registration of spam domains...


In this case, Websense customers are protected by multiple layers: Websense messaging products recognize patterns in the messages and links; the Hosted products also identify abnormal network activity; and real-time Web protection prevents the user from accessing the links in the mail, thus avoiding the final redirection target.

As always, be careful of links in unexpected emails. They often lead to spam, malware, or other unwanted content.

