McAfee Labs

Finding the Money Behind Rogue Pharmacies

0
By on May 31, 2011

It is relatively easy for illegitimate websites to “poison” Google search results and achieve a top-5 ranking. And it’s financially well worth their while. Last Friday, at the French CLUSIR/RSSIA conference, Frédéric Roumat from EdelWeb (groupe ON-X) gave us an impressively argued demonstration on the subject.

After Roumat exposed the methods to gain illegal traffic using blackhat search-engine optimization (backlinks, spam-indexing, doorway, cloaking, canonical beacon infection, SEO kits) or malware (man-in-the-browser attacks, DNS changer), he talked about the real aim: profit. His working hypotheses included the following:

  • Average click through rate (CTR) for a third rank in search engine result pages (SERP): 9.5% (source: Optify study, April 2011)
  • Medium e-commerce conversion rate (CR): 1%
  • Scareware pay-per-install commission: US$25
  • Rogue pharmacy commission: 40%
  • Rogue pharmacy medium shopping cart: $200

Recent news attracted the interest of the French and contributed to Google research spikes. On May 17, using Google Insight and Google Traffic Estimator,, Roumat captured this interest. With a consistent search string (“Paris”) he measured:

  • On May 2, 1.24 million (37,200,000/30) French searches for the “Paris” string,
  • On May 2, 1.82 million French searches for the “Ben Laden” string,
  • On May 16, 1.55 million French searches for “DSK” (the initials of Dominique Strauss-Kahn)

These hypotheses demonstrate the interest that cybercrooks pay to the news. For example, they show that a scareware campaign on the day of his death yielded a third-ranked Google search engine result for “Ben Laden” as well as a reward of $43,000 in one day:

  • 1.82 million results * 9.5% = 172,900 visits (with a 9.5% average CTR)
  • 172,900 * 1% * 25 = $43,225 (with a 1% CR and a $25 commission)

To convince the skeptics, Roumat next focused on rogue pharmacies to show how to obtain a third rank in a search engine routine. He invited the audience to search for “viagra” on Google.fr. Here is my search:

To verify the search’s finishing in third rank we ran a query on LegitScript.com. And, indeed, LegitScript warns us against this website, which lacks general conditions of sale and business address yet offers an attractive affiliates program.

By the way, LegitScript gives us some interesting information about the scope of rogue pharmacies. Their database contains:

  • 68,826 referenced pharmacy websites
  • With only 345 legitimate
  • And 1,212 candidates for approval
  • 66,725 pharmacy websites do not meet the standards

Let’s get back to the money: Searches on Google Adwords Traffic Estimator for “viagra” and “cialis” returns for the United States only 1,830,000 and 823,000, respectively, in local monthly searches:

Using these figures and a similar calculation as before, we can estimate the income of this suspicious pharmacy at $190,000 a month for the USA alone:

  • 1,830,000 + 823,000 = 2,653,000 visits * 9.5% (CTR) = 252,035 monthly visits
  • 252,035 * 1% * (200 * 40%) = $190,160 (with a 1% CR and an $80 commission)

So now we know why scareware and rogue pharmacies are so prevalent on the web.

Frédéric Roumat’s presentation (in French) can be downloaded here.
Under the CLUSIF label, I presented the 2010 Cybercrime Overview, which is available here.

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>