McAfee Labs

New Clothes for 'Canadian Pharmacy' Spam

By on Jun 30, 2010

It has been a little while since we heard something new from the pharmacy spam corner, but right on time at the end of Q2, they are back–and with reinforcements!

Our researchers have found an enormous number of spam URLs, and they are all related to some well-known malicious IPs ranges–194.xx.xx.x2 and 194.xx.xx.x4.

The first IP range alone could give us a repertoire of almost 200 alike-sounding URLs with words such as erect, drugs, med, pharm, or pill. And, of course, they appear in various combinations with several number-letter extensions, for example, hxxp://33a2.xxxxxxxxxxxx71a.xx. or hxxp://drugsxxyyzz.xx.

Although these IPs contain the “Canadian pharmacy” spam terminology, their TLDs are mostly from Russia and Ukraine.

The start pages all appear in the familiar design of the previously mentioned “Canadian Pharmacy Group,” but this time with different persons smiling at us.

Canadian Pharmacy

Canadian Pharmacy 2

Even though these sites have gotten a design refresh, they are made with the same fraud patterns and goals of all pharmacy spam. Keep in mind that there are hundreds (or more) of new URLs on a daily basis. So if you get to one of these sites, you should handle it with great caution. Look out for any evidence of Canadian pharmacy association in combination with a foreign country TLD on these pages. If you find some, get away from them as fast as possible! Don’t get trapped or lured into one of their offers or you may need more than pills for your headache, data theft, or potential identity theft soon enough.