It was especially encouraging to see the dangers of counterfeit goods covered this morning on NBC’s Today Show. Serious video coverage can also be found at CNBC. Consumer education about the dangerous risks in ordering medications online without a prescription, as well as the inferior quality of other counterfeit products is always welcomed.

While such crooks are traditionally found in the notorious 3 P’s (porn, poker, and pills) sometimes these criminals will diversify into other areas. One major illegal online pharmacy marketing group from Russia recently announced their intention to enter the fashion market:

The project is aimed at selling clothes, shoes and accessories of the most well-known brands like Gucci, Armani, Galliano, Diesel, Burberry, Calvin Klein, Gianfranco Ferre, Cartier, DelMaro, Prada, Dolce & Gabbana, Guess, Dsquared, Hugo Boss, Moschino, etc. (There are more than 100 (!) different brands presented at the site).

Because we think it unlikely that a group of illegal online pharmacy operators from Russia has signed distribution and marketing agreements with 100 legitimate brands, we believe the merchandise from this site and others in its network are most likely counterfeit.

Indeed, here is one of their sites from this new effort:

A screenshot from a website that appears to sell all counterfeit goods.

The marketers for fake or “replica” clothing sites use the old fashioned spammy tactics often associated with online pharmacies to get the word out about their websites. In these next two screen shots, you can see the comment moderation panel for this very blog, where devious marketers of counterfeit goods have submitted comments to cyveillanceblog.com in the hopes that we will publish the comment and the accompanying link to their site. (Click the images to enlarge them).

As is clear, online criminals have no intention of slowing down their illegal tactics on the internet. We look forward to a public who is more informed about the serious risks involved in counterfeit products and will continue working hard to negate the threat posed to consumers by such cybercriminals.

International Drug Mart is just such an rogue online pharmacy. They will sell a large number of prescription drugs to anyone with a credit card. LegitScript, an online pharmacy verification service used by Google, Yahoo!, and Bing, has confirmed that InternationalDrugMart.com is a rogue online pharmacy due to unlawful, unsafe, or deceptive practices.

In mid-May Cyveillance wrote that International Drug Mart had employed the services of noted certificate authority Thawte, which is based in South Africa. International Drug Mart did so to give the impression that it is a reputable business and that it cares about its customers’ wellbeing. However this is a ruse and does not change the fact that dependence-forming painkillers, powerful anticancer medications and other drugs are available from International Drug Mart to anyone with a credit card.

Shortly after our publication of this information, Thawte canceled its services to International Drug Mart. Cyveillance commends Thawte for doing the right thing and withdrawing support to a business that clearly endangers the health of consumers.

Thawte’s responsible behavior was promptly mirrored by two other peers in the SSL certificate industry:

• After being denied by Thawte, International Drug Mart procured an SSL certificate from a certificate authority in the United Kingdom. Upon being informed of the nature of International Drug Mart’s business, the British certificate authority immediately canceled its service to International Drug Mart.
• After being denied by the British certificate authority, International Drug Mart procured an SSL certificate from a certificate authority in Romania. Upon being informed of the nature of International Drug Mart’s business, the Romanian certificate authority immediately canceled its service to International Drug Mart.

Now International Drug Mart has gone to Secure Trust, also known as Trustwave for its SSL certificate. (It should be noted that for quite some time, International Drug Mart has also used Trustwave’s Trusted Commerce program as well). Trustwave is based in the United States.

Cyveillance has reached out to Trustwave on multiple occasions in recent weeks. On June 22 Cyveillance received an email from a Trustwave vice president who wrote, “We have reviewed our validation of this site and it does meet all criteria to demonstrate organization control of the web domain and therefore we will not revoke the certificate at this time.”

By the logic offered in Trustwave’s response, anything on the internet, no matter what the content, is fair game for Trustwave’s services as long as the site meets certain technical requirements.

Just this week, Vice President Joe Biden offered (emphasis ours):

I applaud Google, Yahoo and Bing for the steps they’ve taken in recent weeks to stop selling advertising to illegal Internet pharmacies. But — but — we need to go further. It’s time for others to step up to, it’s time to stop supporting ads for drugs sold illegally over the Internet — and for a simple reason: for the public health of American — of our population.

The same goes for companies who support illegal Internet pharmacies in ways other than advertising. When we look at International Drug Mart, we see a site that is in clear violation of federal law and has serious potential for physical harm. We are disappointed that Trustwave, unlike its peers, does not have a problem doing business with such an organization.

Companies can take proactive steps to strengthen their security posture and minimize potential damage from problems that arise in the social media environment. The steps start with addressing challenges effectively with a solid understanding of the authorized and vast numbers of unauthorized social media users within the company. Next, companies should have a formal education and training plan in place that meets the needs of all sides of the business. Further, documented social networking policies, ongoing monitoring and a strong organizational feedback structure are essential. For more information, see The Impact of Social Media on Corporate Security: What Every Company Needs to Know published by Cyveillance in Spring 2010.

Cyveillance recently had the opportunity to interveiw Joseph Menn, the author of Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet, released in January 2010. Menn has reported on security and other technology issues for more than a decade at the Financial Times and the Los Angeles Times, mostly from his base in San Francisco. He is a two-time finalist for the Loeb Award, the most prestigious in financial journalism. Earlier, he won a “Best in Business” award from the Society of American Business Editors and Writers for tobacco coverage at Bloomberg News, where as legal editor he directed stories that revealed the landmark settlement talks between the cigarette companies and the states.

His latest nonfiction book follows two protagonists that were successful in bringing down a small group of cyber criminals. It also highlights the growing threat and active participation of organized crime syndicates in online criminal activity.

Cyveillance asked Menn for some comments on this serious problem.

Cyveillance: Your book covers a time frame from approximately 2000 through 2009. Based on the experiences of the book’s protagonists, what would you say the large scale trends in cyber crime during that time frame are?

Menn: It’s night and day. In 2000, hackers would knock down sites such as eBay and Yahoo for momentary fame. They were isolated teens or those with small circles of like-minded friends. In 2003, the first purely commercial viruses appeared, compromising tens of thousands of machines for illicit purposes. The initial motive for the people in charge was to make money by sending spam from addresses that would evade blacklists, which were growing more effective. But once they had the botnets, they began finding other ways of making money, including denial-of-service attacks for hire. They would take out a sponsor’s competitor for a price at first, but then the criminals became more enterprising and wiped out sites unless they were paid off, a freelance extortion gambit. The same gangs and bots are now engaged in mass identity theft and financial fraud against consumers and small businesses, as well as theft of trade and military secrets. By now, the vast majority of serious cyber crime is mob-related, and more than 90 per cent goes overseas.

Cyveillance: In the book both Barrett Lyon, an American citizen, and Andy Crocker, a British law enforcement officer, experienced frustration with domestic and international law enforcement’s ability to understand and take action against the cyber criminals they faced. Why do you think this is, and has the situation improved? If you think it has not improved, what do you think needs to change in law enforcement to more effectively take on sophisticated cyber crime?

Menn: Cyber crime cases are hard to prove. The Internet might as well have been designed with plausible deniability in mind. And law enforcement cooperation is hard to get even from allies, due to logistical issues, differing priorities and varying laws. But the overarching problem, which nobody in power wants to talk about, is that the worst of the worst are knowingly protected by corrupt governments or those that view the mobsters as intelligence assets or strategic weapons. The enforcement outlook has not improved substantially, while the crime has gotten much worse over the years. Britain, which during the period in the book was well ahead of US efforts overseas, has gone backward with the dismantling of the National Hi-Tech Crime Unit. The only ray of light is that people inside the Obama administration are paying more attention and thinking about the issue.

Cyveillance: How would you describe the connection between the cyber criminals described in your book and with traditional organized crime?

Menn: In Russia, both petty criminals and legitimate business owners typically need a “roof”, or mob patron, to whom they pay tribute in exchange for fending off other criminals and officials looking for bribes. So even independent hacking rings, once they got large, depended on traditional mobsters to perform such services. Once the old mob saw how lucrative Internet crime was, it began taking a more direct supervisory role, as it did with the Russian Business Network in St. Petersburg.

Cyveillance: The criminals in Fatal System Error were largely Russian in origin. What is it about Russia that seems to produce such sophisticated cyber criminals, and do you see that situation improving?

Menn: Russia has had first-rate math and computer education for decades. But there are limited legitimate career opportunities. In addition, crime isn’t viewed through the same moral lens we have in the West, it just isn’t seen as that bad a choice. The corruption is staggering. And now it is even worse, because the major criminal hacking groups have protection from intelligence and military wings of the national government. The same people are being used to attack Kremlin enemies, both internally and externally, including government and media sites in countries such as Estonia and Georgia.

Cyveillance: Based on your book’s findings and other accounts, there appears to be casual if not formal links between the Russian government and the online criminal enterprise known as the Russian Business Network. While botnets that are under the control of groups like the RBN are harmful by definition, is it your belief that the weaponization of criminal resources reportedly found here is an isolated incident, or is this a growing risk from other governments?

Menn: It is a pattern that is spreading. The second most serious threat comes from China. Hacking there has evolved the other way, beginning with state-sponsored and patriotic attacks and now with a major profit motive as well. Criminal outfits with bot networks may look for personal financial data first, but they share commercial and military goodies with the officials who protect them.

Cyveillance: If there is one lesson from Fatal System Error, what is it?

Menn: The internet as we have come to use it–for financial and business activities–cannot survive without drastic action that is highly unlikely to occur. We need to make the protection of criminals a major diplomatic priority, and we need massive funding for an opt-in protocol more secure than TCP/IP.

Cyveillance: Thank you for your time. Any other thoughts you would like to add?

Menn: I’ve covered cybersecurity for almost a dozen years at major newspapers. Since 2004, I’ve been convinced the topic needed a thorough but also entertaining book on the subject. I got very lucky in finding heroes like Barrett, who infiltrated both Russian and Gambino cyber-mob operations, and Andy, who was nearly killed while conducting the most successful West-Russian collaborative prosecution of hackers in history, yet had never told his story. With the New Yorker comparing Fatal System Error to Stieg Larsson’s trilogy and Slashdot saying it’s on par with The Cuckoo’s Egg, I feel I accomplished what I set out to do.

Many thanks to Menn for taking the time to answer our questions.

Two recent news articles feature topics that will quickly be abused by marketers for illegal pharmacies trying to make a buck.

• This May post New DEA rule touted as boost for e-prescribing from HealthCareITNews covered “the electronic prescription, also known as ‘e-prescribing’ of controlled substances”.
• On Sunday the New York Times discussed telemedicine in their article The Doctor Will See You Now. Please Log On. The piece describes communication using “face-to-face telemedicine, connecting doctors and patients by two-way video”.

Knowing that consumers will be searching more for terms like e-prescription and telemedicine as they become more commonplace, criminals will increasingly attempt to attract searchers to their sites. Their expertise in diverting traffic will mean that unknowing consumers will find themselves on sites where they can buy prescription medications with no prescription, some of which are not even approved by the FDA.

Cyveillance is hopeful about the increased efficiencies that technology can bring to medicine, however consumer education will be necessary as criminals will be eager to hijack the messaging around terms like ‘e-prescribing’ and telemedicine to further their rogue online pharmacy efforts. Organizations like the Food and Drug Administration and American Medical Association should increase their education efforts aimed at informing consumers about safe ways to take advantage of the internet for healthcare.

In our recent post covering the Canadian Health & Care Mall, we highlighted the great lengths to which illegal online pharmacies will go to present the illusion of legitimacy. Site like the Canadian Health & Care Mall will present false business locations, and falsified certificates of approval from the U.S. Food and Drug Administration to add credibility, and visitors will believe that they’ll be safe when they order medications from the site.

Another common tactic on sites like Canadian Health & Care Mall is to present fake Verisign Seals. While many consumers don’t know exactly what having a Verisign Seal means, they do know it increases the likelihood that transactions with that site are safe. So while some rogue pharmacies will go the extra step of creating fake Site Seals, unfortunately it appears that this is not always necessary, as some Site Seal issuers do not have a problem working with websites that illegally sell prescription drugs without a prescription.

This week International Drug Mart, a rogue online pharmacy that sells prescription drugs without a prescription from a medical professional, announced that it had “chosen Thawte, since it is a leading global certificate authority providing online security to millions all over the world”.

The Thawte Site Seal can be seen on the rogue online pharmacy site in this image:

…and the following image shows Thawte’s acknowledgement that International Drug Mart uses secure communications.

Unfortunately while the this rogue online pharmacy may appear to protect its customers’ payment information, the fact remains that it unlawfully and dangerously offers prescription medications to anyone with a credit card. It is surprising that a seemingly legitimate company would be knowingly associated with such a business, much less a company in the security industry. By doing so, it undermines their own credibility and diminishes consumer trust and confidence in their own site seal.

Cyveillance has reached out to Thawte for a response on the matter but has not yet received a reply. We welcome their comments.

As troubling as these reports are, we should not be surprised. When there is money to be made, criminals will take the steps necessary to gain every advantage possible. A Russian online pharmacy network called RX Partners (also known as StimulCash) has been publishing content using social media formats for some time. Note the examples of the RX Partners blog, forum, wiki, and twitter account below.

As of this writing, there are 1,165 subscribers to their blog according to Feedburner.

The RX Partners blog offers professional advice on how to market an online pharmacy using black hat search engine optimization techniques, general advice for online pharmacy webmasters, and of course, announces their upcoming retreat for their affiliates in on the mediterranean: a four day vacation in a five star hotel in the Turkish port Antalya.

The RX Partners online forum offers English, Russian, and Spanish sections for its affiliates.

The busy, closed forum allows online pharmacy webmasters to share techniques and has over 1,300 registered users.

If you are an affiliate in the RX Partners network with technical expertise, you can contribute on their wiki.

Learn how to integrate illegal online pharmacy sales into one’s WordPress using this wiki example.

And of course, RX-Partners has its own twitter page as well. At the time of this writing they have 1,071 followers.

Don’t think their use of social media is meant only to spread information among their sales affiliates. The modern online pharmacy template from this crew encourages visitors to take advantage of social media sites to spread the word about the pharmacy itself, promoting the sale of products that have not been approved by the US Food and Drug Administration like chewable or “soft” Viagra.

Visitors to this online pharmacy are encouraged to share it with friends using Facebook, Twitter, StumbleUpon, Digg, and other popular sites.

Cyveillance endorses the Partnership for Safe Medicine’s call for internet companies to do a better job of removing unlawful content from their sites. Content like online pharmacy marketing on popular social media sites endangers a public that may be easily deceived by slick marketing but delivers a host of dangers, like counterfeit, stolen, and unapproved medicines.

While reports like this are not new, users continue to fall victim to traps on trusted social media sites. It is time for these sites to realize the serious impact that attacks have on user confidence and make the necessary adjustments to proactively protect their users from dangerous links and ads resting on their pages.

For example, Cyveillance works with customers who use their data feeds to ensure the protection of advertiser’s brands online. These organizations understand the importance of staying one step ahead of the dangers on the Internet and utilize Cyveillance’s real-time content monitoring to deliver early warnings of potential violations. In doing so, advertisers are aware of any brand misuse online, which helps to keep Internet users protected against rogue links that may be falsely associated with the company, thus providing a safer online environment. 

As malware continues to plague social media sites, it is time for these Websites to take action. A proactive security approach will not only create a safer online environment, but also generate greater user confidence among the growing social media sites.

…the Gmail spam is hardly sophisticated. It’s being used to flog Canadian pharmaceutical Web sites that promise to send cheap drugs to U.S. customers

Although the spam component may not be very sophisticated, a more detailed analysis shows the attack is more complex. The fulfillment of the scam is relatively complicated and like many websites which sell prescription drugs over the internet, Canadian Health & Care Mall has no real connection to our neighbors above the border at all. In fact the websites to which Cyveillance has seen internet users routed in this scam are hosted in countries like Thailand, Iran, and China, and registered to individuals in Russia.

Canadian Health & Care Mall

When recipients of the spam coming from compromised Gmail accounts click the link in the email, they are sent to various legitimate websites around the world. Unfortunately these sites have been hacked by cyber criminals and visiting certain links on them will redirect the web surfer to websites that look like the one pictured above.

At first glance, this fake online pharmacy site’s efforts to appear legitimate are impressive. The cyber criminals have fabricated Verisign certificates and even included a digitally altered seal of approval from the United States Food and Drug Administration.

The certificate, dated 2001, reads:

All the drugs sold at Canadian Health&Care Mall are considered to be FDA approved.

The FDA is responsible for protecting the public health by assuring the safety, efficacy, and security of human and veterinary drugs, biological products, medical devices, our nation’s food supply, cosmetics, and products that emit radiation. The FDA is also responsible for advancing the public health by helping to speed innovations that make medicines and food more effective, safer, and more affordable; and helping the public get the accurate, science-based information they need to use medicines and foods to improve their health.

A little digging shows the inaccuracies in the website’s claims. Their Contacts page lists their USA headquarters’ address at “2723, Guadalupe St, Austin, TX, USA”. A look in Google Maps shows a Taco Bell and Chinese restaurant at that location.

This building is not found at the USA address provided on the fake online pharmacy.

Another red flag – how often is your credit card number required simply to submit an inquiry on a web form?

Despite the small lock icon next to the credit card field, no security measures appeared in place on this page.

The scam shows how elaborate fraud campaigns on the internet can be today. Consumers’ hacked email accounts were used to distribute the spam. Compromised web servers redirect their visits to illegitimate pharmacy websites. These destination websites where the fraud is actually perpetrated are located on servers in far off lands where interactions with hosting companies’ Abuse teams may not be easy.

As always, be vigilant when following links you receive in email. The risk to your computer and to your financial health is extremely high if you are not very careful. And never, ever order from an online pharmacy unless you know it to be legitimate and operating within the law.

A robust examination of the Canadian Health & Care Mall can be found at SpamTrackers.eu.

Registration:

• 8:30AM – 12:30AM session
• 1:00PM – 5:00PM session

Description: Too often, “Cyber security” is seen as a technical matter and the purview solely of IT professionals. Unfortunately, it is both the machines and the users which are under attack. In Cyber Safety 101: An Introduction to Cyber Threats and Internet Risk, students are exposed in friendly, non-technical terms to the basic workings of the Internet and how criminals, scammers, adversaries, hackers and spies exploit those technologies, systems and, most of all, the users themselves in the insecure Cyber universe.

Learning from professionals with years of experience tracking and monitoring the “dark underbelly” of Cyberspace, you will learn how bad actors use the Internet to steal, impersonate, compromise and hijack not just funds and identities but entire networks and sensitive data.

From the teenage “script kiddy” draining Paypal accounts to the state-sponsored adversaries threatening our national security, you will see the scope, breadth, variety and sophistication of today’s online enemies, and learn how to protect yourself, your agency or enterprise, its data and its mission from the dark forces at work on the Internet.

When students leave this course they will:

• Have a solid understanding of how the Internet actually works, and the inherent vulnerabilities and weaknesses in the system we all rely on every day

• Understand the sophistication of today’s online threats, and be much more adept at recognizing, stopping and avoiding those

• Be better equipped to protect themselves, their hardware, and the data, systems and mission of the agencies and enterprises for which they work

Who Should Take This Course?

This course is invaluable education for every federal or commercial knowledge worker whose PC, laptop, PDA or cell phone is connected to the Internet. As more and more systems and devices are permanently online, and as more agencies and enterprises incorporate Internet technologies into critical systems, the risks to these systems and the agencies and enterprises commensurately increase.

Today, every employee working online is a potential target. Every connected device is a potential entry point for a criminal, adversary or enemy of the country. And the risks are so new, so numerous and so sophisticated that education is absolutely vital to helping your staff safeguard your systems, data and business or mission.