The U.S. Secret Service Electronic Crimes Task Forces

Tuesday, December 15th, 2009

There has never been greater focus on the threat posed by attacks on our nation’s infrastructure. The Obama administration has prioritized defending the United States from cyber attack by online criminals and other countries. Indeed, in May the President noted that cybersecurity would be designated as one of his key management priorities.

In their role as protectors of private and public sector infrastructure, companies in the information security industry bear witness to intimate details of the attacks against critical resources we all rely on. Appropriately sharing such knowledge and data about these attacks is an important step in preventing future attacks.

The United States Secret Service’s Electronic Crimes Task Forces were created to facilitate opportunities for such information sharing. Mandated by federal law signed by President Bush in 2001, the Electronic Crimes Task Force Initiative originally created ECTFs in eight metropolitan regions but has now grown to twenty-four task forces.

The Electronic Crimes Task Forces hold meetings on a quarterly basis where law enforcement of all levels, academia and the private sector gather to discuss trends and share information about recent threats and attacks.

As President Obama stated in his remarks in May, “This status quo is no longer acceptable — not when there’s so much at stake. We can and we must do better.” Cyveillance encourages its colleagues, customers, and partners in the information security industries to participate in initiatives like the ECTF.

Charitable Phishing Scams Grow Significantly During the Holiday Season

Tuesday, December 15th, 2009

Cyveillance advises consumers to exercise caution when making online charitable contributions. See the full announcement here.

Hosting Companies Targeted in Recent Phishing Attacks

Friday, December 4th, 2009

Earlier today, Cyveillance detected attacks targeting Web hosting companies and their customers. As part of one of the attacks, the email below is sent to users:

[image: hosting-phish-email]

As you can see, the email asks the user to “confirm your FTP details”. The user is instructed to click on the link in the email that routes him or her to the fake administrator’s Website below:

[image: hosting-phish]

On the fake Website, the user is asked to enter login credentials. Anyone who does so hands over the FTP account, and with it file-level access to every Website managed under that login. Users can avoid falling victim to this attack by never clicking on links within such emails and instead accessing their hosting control panel directly through known Web sites and pages.
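A practical way to apply that advice before clicking is to check where each link in the message really goes. The script below is an added example, not Cyveillance's code; the HTML message it parses is constructed, and the hosting-provider domain (example-hosting.com) and the attacker hosts in it are hypothetical. It flags links whose registrable domain is not the provider's, links that hide the real host behind userinfo (`provider.com@1.2.3.4`), bare IP addresses, and anchor text that displays one host while linking to another.

```python
"""Flag links in an HTML e-mail whose destination is not the organisation
the message claims to come from.  Added example: the message and all
domains below are constructed, not taken from the observed attack."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a "confirm your FTP details" lure for a hypothetical provider.
SAMPLE_EMAIL = """
<p>Dear customer, please
<a href="http://example-hosting.com.login-verify.example.net/cp/ftp">confirm your FTP details</a>
within 24 hours or your account will be suspended.</p>
<p>Or visit <a href="http://example-hosting.com@203.0.113.7/cp/">www.example-hosting.com</a></p>
<p><a href="https://support.example-hosting.com/help">Help centre</a></p>
"""


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels, three for forms like bbc.co.uk).
    Adequate for triage; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in {"co", "com", "net", "org", "ac", "gov"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _displayed_host(text: str):
    """If the anchor text itself looks like a URL or hostname, return that host."""
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "//" + text).hostname


def link_findings(html: str, expected_domain: str):
    """Return [(href, reasons)] for every link a user should not click."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""          # .hostname drops userinfo and port
        reasons = []
        if parts.scheme not in ("http", "https"):
            reasons.append("non-web scheme %r" % parts.scheme)
        if "@" in parts.netloc:
            reasons.append("userinfo before host; real host is %s" % host)
        if host.replace(".", "").isdigit():
            reasons.append("bare IP address")
        if registrable_domain(host) != expected_domain:
            reasons.append("host %s is not under %s" % (host, expected_domain))
        shown = _displayed_host(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append("displays %s but links to %s" % (shown, host))
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, why in link_findings(SAMPLE_EMAIL, "example-hosting.com"):
        print("DO NOT CLICK:", href, "->", why)
```

Only the genuine support link survives; the lure link is caught because its registrable domain is example.net, not the provider's, and the second link is caught three times over (userinfo trick, bare IP, mismatched display text). Lookalike hosts that merely prepend the real brand, as in the first link, are exactly what the registrable-domain comparison is there to defeat.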

Google Search Results Poisoning Extends to Online Pharmacies

Thursday, December 3rd, 2009

Tactic Used to Spread Malware Now Observed Hijacking Users, Pushing Them to Illegal Online Pharmacies

Less than three weeks ago, Cyveillance shared its discovery of Google search results that lead users directly to malware. In that campaign, cyber criminals compromised websites and installed blog software on them that automatically posted pages which Google would later find, index, and include in its search results. Users who clicked the links in Google’s search results were redirected to other sites that attempted to install malware on their computers.

Cyveillance has now observed the same tactic being used to drive traffic to illegal online pharmacies. Similar to before, cyber criminals have inserted blogging software on compromised pre-existing websites. The blog software automatically generates content like that found in the following image.

[image: fake-blog]
The rogue blog posts content laden with references to the erectile dysfunction drug Cialis.

The rogue blog software notifies Google that new content is available, and Google’s crawlers visit the new content for inclusion in the search results it presents to users.

[image: Poisoned-Google-Results]
Sites that are unknowingly hosting this version of the rogue blog software can be found with the Google search allinurl:.store/cialis-online/index.

If a user were to click on any of the results shown above or any other search results from the directory where the rogue blog is found on the compromised sites, they would be redirected to a site like traffic-analytics.net, which in turn would redirect them to an online pharmacy like the one below.

[image: online-pharmacy-RBN]
Those who click on the poisoned results are ultimately delivered to ultimatepharmsgather.com.

Enter Glavmed, the Notorious Illegal Pharmacy Ring

The site where these search results lead, ultimatepharmsgather.com, is part of the long-standing illegal online pharmacy network called Glavmed. Believed to be related to the Russian Business Network (RBN), Glavmed is a Russia-based organization that relies on affiliates to market counterfeit pharmaceuticals.

[image: glavmed]

While Glavmed is perhaps best known for spam promoting erectile dysfunction drugs like Viagra, Cialis, and Levitra, its sites also sell body-building drugs and heavy-duty painkillers.

What’s New This Time?

In our earlier report, the redirect only fired when the user arrived by clicking the link in Google’s search results, so a user could avoid the malware drop site by instead typing the address of the link into the browser’s navigation bar. This time, typing in the address still results in the user being redirected to the online pharmacy, which makes it harder for users to avoid being hijacked by the cyber criminals.

Further, last time the middleman site that performed the initial redirect to the malware drop site changed on a regular basis, almost daily. Since discovering the Google search results that lead to the online pharmacy, Cyveillance has observed the same redirector middleman site (traffic-analytics.net) and the same final destination (ultimatepharmsgather.com) throughout. Overall, this is a simpler scheme than before, and its fixed infrastructure should make it easier to take down for the safety of internet users.
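The difference between the two campaigns is whether the redirect depends on how the visitor arrived, and an analyst checks that by resolving the chain one hop at a time, once with a Google Referer and once without, and comparing the final destinations. The script below is an added example and not Cyveillance's tooling. `http_fetch` performs real single-hop requests with urllib for live use; the offline tables `PHARMACY_CAMPAIGN` and `MALWARE_CAMPAIGN` are constructed models of the behaviour the post describes (the victim host, the earlier campaign's redirector and the malware drop host are hypothetical; traffic-analytics.net and ultimatepharmsgather.com are the hosts named in the post), so the script runs without network access.

```python
"""Resolve a redirect chain hop by hop, with and without a Google Referer,
and report whether the chain is referer-conditional (cloaked).
Added example; the campaign tables below are constructed models, not
captured traffic."""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin

REDIRECT_CODES = (301, 302, 303, 307, 308)
GOOGLE_REFERER = "https://www.google.com/search?q=cialis+online"


def follow_chain(fetch, url, referer=None, max_hops=10):
    """fetch(url, referer) -> (status, location_or_None). Returns every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], referer)
        if status not in REDIRECT_CODES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError("redirect loop or more than %d hops" % max_hops)


def is_cloaked(fetch, url, referer=GOOGLE_REFERER):
    """(cloaked, chain_via_google, chain_direct): cloaked when the final
    destination depends on whether the visitor appears to come from Google."""
    via_google = follow_chain(fetch, url, referer)
    direct = follow_chain(fetch, url, None)
    return via_google[-1] != direct[-1], via_google, direct


# ---- live fetcher: one hop per request, no automatic redirect following ----
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError on 3xx


def http_fetch(url, referer):
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, None
    except HTTPError as e:
        return e.code, e.headers.get("Location")


# ---- offline models (constructed) of the two campaigns in the post ----
def make_table_fetch(table):
    """Build a fetch() over {url: {"google" | "*": (status, location)}}."""
    def fetch(url, referer):
        rules = table.get(url, {"*": (200, None)})   # unknown URL: plain 200
        key = "google" if referer and "google." in referer else "*"
        return rules.get(key, rules["*"])
    return fetch


VICTIM = "http://compromised.example/.store/cialis-online/index"  # host hypothetical; path from the post's dork

# Current campaign: unconditional redirect, fixed middleman and destination.
PHARMACY_CAMPAIGN = {
    VICTIM: {"*": (302, "http://traffic-analytics.net/go?x=1")},
    "http://traffic-analytics.net/go?x=1": {"*": (302, "http://ultimatepharmsgather.com/")},
}

# Earlier campaign: redirect only for visitors arriving from Google (hosts hypothetical).
MALWARE_CAMPAIGN = {
    VICTIM: {"google": (302, "http://redirector.example/r"), "*": (200, None)},
    "http://redirector.example/r": {"*": (302, "http://malware-drop.example/")},
}


if __name__ == "__main__":
    for name, table in (("pharmacy", PHARMACY_CAMPAIGN), ("malware", MALWARE_CAMPAIGN)):
        cloaked, via_google, direct = is_cloaked(make_table_fetch(table), VICTIM)
        print(name, "cloaked:", cloaked)
        print("  via Google:", " -> ".join(via_google))
        print("  direct:    ", " -> ".join(direct))
```

Against the malware model the direct chain stops at the compromised page while the Google-referred chain reaches the drop site, which is why typing the address used to be a safe workaround; against the pharmacy model both chains end at ultimatepharmsgather.com. To test a real result, pass `http_fetch` instead of a table fetch; do that from an isolated host, since the destinations are hostile.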

Closing Thoughts

The number of websites found that are unknowingly hosting these rogue blogs is relatively low at the moment. However, as described in our original post a few weeks ago, it would be naive to believe that those presented here are the only sites where this tactic is used by cyber criminals. Internet users should remember to exercise extreme caution when ordering medications online. The US Food and Drug Administration lists steps consumers should take when considering purchasing drugs online. Additionally, never order medications online from Glavmed.

Spike in Phishing Attacks on First Day of Thanksgiving Weekend

Wednesday, December 2nd, 2009

Cyveillance saw a significant spike in phishing threats on Thanksgiving Day, more than double the average number of phishing attacks seen in the previous weeks. A one-day spike of this kind is a tactic criminals use around long holiday weekends, targeting organizations ranging from major corporations to smaller businesses and credit unions.

The trend of phishers launching an increased number of attacks around Thanksgiving Day or the holiday weekend is in line with previous years. During the holiday season, users should practice extra caution when shopping and conducting business online. The risk of falling victim to phishing attacks can be minimized by never clicking on links within emails and only accessing online applications through known Web sites and pages.