Category: General Cyber Intel

More Online Health Care Options for Consumers Provide More Opportunities for Online Criminals

June 1st, 2010

When technology and policy move forward they have the opportunity to make healthcare more efficient. But we must be prepared for the hijacking of legitimate healthcare efforts online by cyber criminals.

Two recent news articles feature topics that will quickly be abused by marketers for illegal pharmacies trying to make a buck.

Knowing that consumers will be searching more for terms like e-prescription and telemedicine as they become more commonplace, criminals will increasingly attempt to attract searchers to their sites. Their expertise in diverting traffic will mean that unknowing consumers will find themselves on sites where they can buy prescription medications with no prescription, some of which are not even approved by the FDA.

Cyveillance is hopeful about the increased efficiencies that technology can bring to medicine; however, consumer education will be necessary, as criminals will be eager to hijack the messaging around terms like ‘e-prescribing’ and telemedicine to further their rogue online pharmacy efforts. Organizations like the Food and Drug Administration and American Medical Association should increase their education efforts aimed at informing consumers about safe ways to take advantage of the internet for healthcare.

Rogue Online Pharmacies No Strangers to Social Media

May 6th, 2010

Earlier this week the Partnership for Safe Medicines posted an interesting piece detailing how a sales affiliate of a known rogue pharmacy is using Twitter to promote its offerings. That account is of course disturbing not only because it promotes a website which allows consumers to buy medicines like Accutane without a prescription, but also because each posting on that Twitter account appears to have been made in an automated fashion via Twitter’s API. This suggests a level of sophistication above that of the average webmaster.

As troubling as these reports are, we should not be surprised. When there is money to be made, criminals will take the steps necessary to gain every advantage possible. A Russian online pharmacy network called RX Partners (also known as StimulCash) has been publishing content using social media formats for some time. Note the examples of the RX Partners blog, forum, wiki, and twitter account below.


As of this writing, there are 1,165 subscribers to their blog according to Feedburner.

The RX Partners blog offers professional advice on how to market an online pharmacy using black hat search engine optimization techniques, general advice for online pharmacy webmasters, and of course, announces their upcoming retreat for their affiliates on the Mediterranean: a four-day vacation in a five-star hotel in the Turkish port of Antalya.

The RX Partners online forum offers English, Russian, and Spanish sections for its affiliates.


The busy, closed forum allows online pharmacy webmasters to share techniques and has over 1,300 registered users.

If you are an affiliate in the RX Partners network with technical expertise, you can contribute on their wiki.


Learn how to integrate illegal online pharmacy sales into one’s WordPress site using this wiki example.

And of course, RX Partners has its own Twitter page as well. At the time of this writing they have 1,071 followers.

Don’t think their use of social media is meant only to spread information among their sales affiliates. The modern online pharmacy template from this crew encourages visitors to take advantage of social media sites to spread the word about the pharmacy itself, promoting the sale of products that have not been approved by the US Food and Drug Administration like chewable or “soft” Viagra.


Visitors to this online pharmacy are encouraged to share it with friends using Facebook, Twitter, StumbleUpon, Digg, and other popular sites.

Cyveillance endorses the Partnership for Safe Medicines’ call for internet companies to do a better job of removing unlawful content from their sites. Online pharmacy marketing on popular social media sites endangers a public that may be easily deceived by slick marketing, delivering a host of dangers like counterfeit, stolen, and unapproved medicines.

Are Social Media Sites Effectively Protecting Against the Proliferation of Malware?

April 30th, 2010

Reports continue to come out about social media users who unknowingly access malware through online advertisements and/or applications. Facebook’s Farm Town is a recent example, where people who clicked on a banner ad in the game were told that they had multiple viruses on their computer, but could eradicate them by clicking on an anti-virus link. Those people who clicked the link were exposed to a malware download and installation.

While reports like this are not new, users continue to fall victim to traps on trusted social media sites. It is time for these sites to realize the serious impact that attacks have on user confidence and make the necessary adjustments to proactively protect their users from dangerous links and ads resting on their pages.

For example, Cyveillance works with customers who use its data feeds to ensure the protection of advertisers’ brands online. These organizations understand the importance of staying one step ahead of the dangers on the Internet and utilize Cyveillance’s real-time content monitoring to deliver early warnings of potential violations. In doing so, advertisers are aware of any brand misuse online, which helps to keep Internet users protected against rogue links that may be falsely associated with the company, thus providing a safer online environment.

As malware continues to plague social media sites, it is time for these Websites to take action. A proactive security approach will not only create a safer online environment, but also generate greater user confidence among the growing social media sites.

Gmail Spam Leads Users to Scam Sites Posing as a Canadian Pharmacy

April 21st, 2010

Spam originating in Gmail accounts that routed recipients to what appears to be a Canadian pharmacy this week has created quite a stir online. According to reports:

…the Gmail spam is hardly sophisticated. It’s being used to flog Canadian pharmaceutical Web sites that promise to send cheap drugs to U.S. customers

Although the spam component may not be very sophisticated, a more detailed analysis shows the attack is more complex. The fulfillment of the scam is relatively complicated and like many websites which sell prescription drugs over the internet, Canadian Health & Care Mall has no real connection to our neighbors above the border at all. In fact the websites to which Cyveillance has seen internet users routed in this scam are hosted in countries like Thailand, Iran, and China, and registered to individuals in Russia.

[Image: the Canadian Health & Care Mall online pharmacy site]

When recipients of the spam coming from compromised Gmail accounts click the link in the email, they are sent to various legitimate websites around the world. Unfortunately these sites have been hacked by cyber criminals and visiting certain links on them will redirect the web surfer to websites that look like the one pictured above.

At first glance, this fake online pharmacy site’s efforts to appear legitimate are impressive. The cyber criminals have fabricated Verisign certificates and even included a digitally altered seal of approval from the United States Food and Drug Administration.

The certificate, dated 2001, reads:

All the drugs sold at Canadian Health&Care Mall are considered to be FDA approved.

The FDA is responsible for protecting the public health by assuring the safety, efficacy, and security of human and veterinary drugs, biological products, medical devices, our nation’s food supply, cosmetics, and products that emit radiation. The FDA is also responsible for advancing the public health by helping to speed innovations that make medicines and food more effective, safer, and more affordable; and helping the public get the accurate, science-based information they need to use medicines and foods to improve their health.

A little digging shows the inaccuracies in the website’s claims. Their Contacts page lists their USA headquarters’ address at “2723, Guadalupe St, Austin, TX, USA”. A look in Google Maps shows a Taco Bell and Chinese restaurant at that location.


This building is not found at the USA address provided on the fake online pharmacy.

Another red flag – how often is your credit card number required simply to submit an inquiry on a web form?

[Image: the inquiry form on the scam site]
Despite the small lock icon next to the credit card field, no security measures appeared in place on this page.

The scam shows how elaborate fraud campaigns on the internet can be today. Consumers’ hacked email accounts were used to distribute the spam. Compromised web servers redirect their visits to illegitimate pharmacy websites. These destination websites where the fraud is actually perpetrated are located on servers in far off lands where interactions with hosting companies’ Abuse teams may not be easy.

As always, be vigilant when following links you receive in email. The risk to your computer and to your financial health is extremely high if you are not very careful. And never, ever order from an online pharmacy unless you know it to be legitimate and operating within the law.

A robust examination of the Canadian Health & Care Mall can be found at SpamTrackers.eu.

Cyber Safety 101 Courses January 19

January 12th, 2010

Here at Cyveillance we spend a lot of time educating our customers about threats to their business online. When time allows we also post information about such risks here on the Cyveillance Blog. As part of this effort to educate users about the risky online environment that exists out there, we are especially excited about our upcoming, in-person classes that will be offered on January 19 in Reston, Virginia. Details are below. Hope to see you there!

Registration:

Description: Too often, “Cyber security” is seen as a technical matter and the purview solely of IT professionals. Unfortunately, it is both the machines and the users which are under attack. In Cyber Safety 101: An Introduction to Cyber Threats and Internet Risk, students are exposed in friendly, non-technical terms to the basic workings of the Internet and how criminals, scammers, adversaries, hackers and spies exploit those technologies, systems and, most of all, the users themselves in the insecure Cyber universe.

Learning from professionals with years of experience tracking and monitoring the “dark underbelly” of Cyberspace, you will learn how bad actors use the Internet to steal, impersonate, compromise and hijack not just funds and identities but entire networks and sensitive data.

From the teenage “script kiddy” draining PayPal accounts to the state-sponsored adversaries threatening our national security, you will see the scope, breadth, variety and sophistication of today’s online enemies, and learn how to protect yourself, your agency or enterprise, its data and its mission from the dark forces at work on the Internet.

When students leave this course they will:

• Have a solid understanding of how the Internet actually works, and the inherent vulnerabilities and weaknesses in the system we all rely on every day

• Understand the sophistication of today’s online threats, and be much more adept at recognizing, stopping and avoiding them

• Be better equipped to protect themselves, their hardware, and the data, systems and mission of the agencies and enterprises for which they work

Who Should Take This Course?

This course is invaluable education for every federal or commercial knowledge worker whose PC, laptop, PDA or cell phone is connected to the Internet. As more and more systems and devices are permanently online, and as more agencies and enterprises incorporate Internet technologies into critical systems, the risks to these systems and the agencies and enterprises commensurately increase.

Today, every employee working online is a potential target. Every connected device is a potential entry point for a criminal, adversary or enemy of the country. And the risks are so new, so numerous and so sophisticated that education is absolutely vital to helping your staff safeguard your systems, data and business or mission.

The U.S. Secret Service Electronic Crimes Task Forces

December 15th, 2009

There has never been greater focus on the threat posed by attacks on our nation’s infrastructure. The Obama administration has prioritized defending the United States from cyber attack by online criminals and other countries. Indeed, in May the President noted that cybersecurity would be designated as one of his key management priorities.

In their role as protectors of private and public sector infrastructure, companies in the information security industry bear witness to intimate details of the attacks against critical resources we all rely on. Appropriately sharing such knowledge and data about these attacks is an important step in preventing future attacks.

The United States Secret Service’s Electronic Crimes Task Forces were created to facilitate opportunities for such information sharing. Mandated by federal law signed by President Bush in 2001, the Electronic Crimes Task Force Initiative originally created ECTFs in eight metropolitan regions but has now grown to twenty-four task forces.

The Electronic Crimes Task Forces hold meetings on a quarterly basis where law enforcement of all levels, academia and the private sector gather to discuss trends and share information about recent threats and attacks.

As President Obama stated in his remarks in May, “This status quo is no longer acceptable — not when there’s so much at stake. We can and we must do better.” Cyveillance encourages its colleagues, customers, and partners in the information security industries to participate in initiatives like the ECTF.

Hosting Companies Targeted in Recent Phishing Attacks

December 4th, 2009

Earlier today, Cyveillance detected attacks targeting Web hosting companies and their customers. As part of one of the attacks, the email below is sent to users:

[Image: the phishing email sent to hosting customers]

As you can see, the email asks the user to “confirm your FTP details”. The user is instructed to click on the link in the email that routes him or her to the fake administrator’s Website below:

[Image: the fake hosting administrator login page]

On the fake Website, the user is asked to provide login credentials. If the credentials are entered, then the user would basically hand over access to every Website controlled by that specific login. Users can avoid falling victim to this attack by never clicking on the link within the emails and only accessing online applications directly through known Web sites and pages.

Google Search Results Poisoning Extends to Online Pharmacies

December 3rd, 2009

Tactic Used to Spread Malware Now Observed Hijacking Users, Pushing Them to Illegal Online Pharmacies

Less than three weeks ago, Cyveillance shared its discovery of Google search results that lead users directly to malware. In that exploit, cyber criminals infected websites and placed blog software on them that automatically posted pages that Google would later find, index, and include in its search results. Users who clicked the links in Google’s search results were redirected to other sites that attempted to install malware on users’ computers.

Cyveillance has now observed the same tactic being used to drive traffic to illegal online pharmacies. Similar to before, cyber criminals have inserted blogging software on compromised pre-existing websites. The blog software automatically generates content like that found in the following image.

[Image: a page generated by the rogue blog software]
The rogue blog posts content laden with references to the erectile dysfunction drug Cialis.

The rogue blog software notifies Google that new content is available, and Google’s crawlers visit the new content for inclusion in the search results it presents to users.

[Image: poisoned Google search results]
Sites that are unknowingly hosting this version of the rogue blog software can be found with the Google search allinurl:.store/cialis-online/index.

If a user were to click on any of the results shown above or any other search results from the directory where the rogue blog is found on the compromised sites, they would be redirected to a site like traffic-analytics.net, which in turn would redirect them to an online pharmacy like the one below.

[Image: the online pharmacy destination site]
Those who click on the poisoned results will ultimately be delivered to ultimatepharmsgather.com.
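As an added example (not code from the original post or from Cyveillance), the following Python shows how a webmaster could check their own server’s access log for the rogue blog directory described above, using the path from the allinurl: query as the indicator. The log lines are constructed for the example; the crawler, referer and redirect classifications are assumptions about what such hits look like.

```python
import re
from collections import Counter

# Constructed Apache combined-format access-log lines from a site seeded with
# the rogue blog directory named in the post (".store/cialis-online/index").
# Client addresses, file names and timestamps are made up for the example.
SAMPLE_LOG = """\
66.249.71.12 - - [02/Dec/2009:08:14:03 -0500] "GET /shop.store/cialis-online/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.0.7 - - [02/Dec/2009:08:15:10 -0500] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
66.249.71.12 - - [02/Dec/2009:08:16:41 -0500] "GET /shop.store/cialis-online/index.php?p=cheap-cialis HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.23 - - [02/Dec/2009:09:02:17 -0500] "GET /shop.store/cialis-online/index.php?p=cheap-cialis HTTP/1.1" 302 0 "http://www.google.com/search?q=cheap+cialis" "Mozilla/4.0 (compatible; MSIE 7.0)"
10.0.0.8 - - [02/Dec/2009:09:03:00 -0500] "GET /index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Directory pattern taken from the allinurl: query in the post.
ROGUE_PATH_RE = re.compile(r'\.store/cialis-online/index', re.IGNORECASE)
SEARCH_REFERER_RE = re.compile(r'^https?://[^/]*google\.[^/]+/search', re.IGNORECASE)


def find_rogue_requests(log_text):
    """Return parsed log records whose request path lies in the rogue blog directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        if ROGUE_PATH_RE.search(rec['path']):
            hits.append(rec)
    return hits


def summarize(hits):
    """Classify rogue-path hits: crawler indexing, visitors arriving from Google, redirects."""
    summary = Counter()
    for rec in hits:
        if 'googlebot' in rec['ua'].lower():
            summary['crawler_hits'] += 1       # the rogue content being indexed
        elif SEARCH_REFERER_RE.match(rec['referer']):
            summary['search_referred'] += 1    # a user clicking a poisoned result
        if rec['status'].startswith('3'):
            summary['redirects'] += 1          # hand-off toward the middleman site
    return summary


if __name__ == '__main__':
    rogue = find_rogue_requests(SAMPLE_LOG)
    print(f"{len(rogue)} requests hit the rogue blog directory")
    for key, count in sorted(summarize(rogue).items()):
        print(f"  {key}: {count}")
```

A site that serves 200s to Googlebot and 302s to search-referred visitors on a directory it never created matches the chain described above and should have that directory removed and the original compromise investigated.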

Enter Glavmed, the Notorious Illegal Pharmacy Ring

The site where these search results lead, ultimatepharmsgather.com, is part of the long-standing illegal online pharmacy network called Glavmed. Believed to be related to the Russian Business Network (RBN), Glavmed is a long-standing Russia-based organization that relies on affiliates to market counterfeit pharmaceuticals.

[Image: Glavmed]

While Glavmed is perhaps best known for spam related to erectile dysfunction drugs like Viagra, Cialis, and Levitra, their sites also sell body-building medications and heavy-duty painkillers.

What’s New This Time?

In our earlier report a user could avoid being redirected to the malware drop site by not clicking on the link in the Google search results and instead typing the link’s address into their browser’s navigation bar. This time, typing in the link will still result in the user being redirected to the online pharmacy. This makes it harder for users to avoid being hijacked by the cyber criminals.

Further, last time it appeared that the middleman site that would perform the initial redirect to the malware drop site would change on a regular basis, almost daily. Since discovering the Google search results that lead to the online pharmacy, Cyveillance has observed the same redirector middleman site (traffic-analytics.net) and the same final destination (ultimatepharmsgather.com). Overall, this is a simpler scheme than before and should be easier to remove for the safety of internet users.

Closing Thoughts

The number of websites found that are unknowingly hosting these rogue blogs is relatively low at the moment. However, as described in our original post a few weeks ago, it would be naive to believe that those presented here are the only sites where this tactic is used by cyber criminals. Internet users should remember to exercise extreme caution when ordering medications online. The US Food and Drug Administration lists steps consumers should take when considering purchasing drugs online. Additionally, never order medications online from Glavmed.

Spike in Phishing Attacks on First Day of Thanksgiving Weekend

December 2nd, 2009

Cyveillance saw a significant spike in phishing threats on Thanksgiving Day, representing more than a 100 percent jump in attacks compared to the average number of phishing attacks seen in the previous weeks. This one-day spike in the number of phishing attacks is a tactic used by criminals around long holiday weekends, targeting a variety of organizations ranging from major corporations to smaller businesses and credit unions.

The trend of phishers launching an increased number of attacks around Thanksgiving Day or the holiday weekend is in line with trends of previous years. During the holiday season, users should practice extra caution when shopping and conducting business online. The potential for falling victim to phishing attacks can be minimized by never clicking on links within emails and only accessing online applications through known Web sites and pages.

A Dangerous Blend of Phishing Methods Continues to Plague Organizations

November 23rd, 2009

This past October, Cyveillance reported that cyber criminals were exploiting outward-facing Microsoft Exchange mail servers to customize and personalize emails so that they appeared to come from internal email addresses. Once the addresses were spoofed, the bogus messages were sent to the organizations’ personnel. The messages asked the recipients to click on a link in order to change their security settings. Once clicked, the users were routed to a fake Web site, and if a user clicked on the link to the executable file on the site, malware was downloaded to his or her computer. More info at: /general-cyberintel/a-dangerous-blend-of-phishing-methods

Unfortunately, cyber criminals are encountering success with this attack method because similar attacks continue today. Over the weekend, both Cyveillance and its customers received multiple emails similar to the one below:

[Image: the phishing email received over the weekend]

As in the attack illustrated in our October posting, the email asks the user to click on a link to a false Web page. The Web page instructs the user to download a file that contains malware. The malware in the attack above was downloaded and analyzed by the Cyveillance Security Lab. Once installed, the malware made several communication attempts to URLs at 193.104.27.42/livs/rec.php and 193.104.27.42/lcc/ip2.gif. The first URL received encrypted data from the infected host, making it difficult for security researchers to analyze, while the second URL served a Zeus binary used to capture banking credentials.

The lab also observed additional attempted TCP connections to 66.199.251.242 on hundreds of different destination ports. It appears that the infected host was scanning the IP address for other services that may be running. The scan was of low intensity to avoid IDS detection. In summary, it appears that the server located at 193.104.27.42 is the command and control server, which instructed this infected host to port scan 66.199.251.242 for known services and report back with the collected data: a dangerous but effective combination of attack methods.
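As an added example (not code from the original post or from the Cyveillance lab), the following Python shows how an IT department could check connection logs for the two behaviors described above: contact with the C2 URLs, and a low-intensity port scan that a per-second rate threshold would miss but a count of distinct ports per hour would not. The C2 host, its two URLs and the scanned address come from the post; the internal host addresses, the 90-second probe spacing and the one-hour/20-port threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators quoted in the post: the C2 host and URL paths, and the host that
# the infected machine was observed port-scanning.
C2_HOST = "193.104.27.42"
C2_PATHS = {"/livs/rec.php", "/lcc/ip2.gif"}
SCAN_TARGET = "66.199.251.242"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _url_path(url):
    parts = url.split("/", 3)
    return "/" + parts[3] if len(parts) == 4 else "/"


def build_sample_events():
    """Constructed connection records: (time, src, dst, dst_port, url).
    10.1.1.50 plays the infected workstation; 10.1.1.60 is a clean host."""
    t0 = _ts("2009-11-22 09:00:00")
    events = [
        (t0, "10.1.1.50", C2_HOST, 80, "http://193.104.27.42/livs/rec.php"),
        (t0 + timedelta(seconds=4), "10.1.1.50", C2_HOST, 80, "http://193.104.27.42/lcc/ip2.gif"),
    ]
    # Low-and-slow scan: one probe every 90 s to a different port, well under
    # any per-second connection-rate threshold an IDS might apply (assumed spacing).
    for i in range(40):
        events.append((t0 + timedelta(seconds=60 + 90 * i), "10.1.1.50", SCAN_TARGET, 1000 + 37 * i, ""))
    # Clean host: many connections, but only to ports 80 and 443 on one server.
    for i in range(60):
        events.append((t0 + timedelta(seconds=10 * i), "10.1.1.60", "203.0.113.9", 80 if i % 2 else 443, ""))
    return sorted(events)


def match_c2_indicators(events):
    """Return records that contact the C2 URLs named in the post."""
    return [(t, src, url) for t, src, dst, dport, url in events
            if dst == C2_HOST and url and _url_path(url) in C2_PATHS]


def detect_slow_scans(events, window=timedelta(hours=1), min_ports=20):
    """Flag (src, dst) pairs that touch at least min_ports distinct destination
    ports within any sliding window, however slowly the probes arrive."""
    by_pair = defaultdict(list)
    for t, src, dst, dport, _ in events:
        by_pair[(src, dst)].append((t, dport))
    flagged = {}
    for pair, recs in by_pair.items():
        recs.sort()
        best = 0
        for i, (start, _) in enumerate(recs):
            ports = {p for t, p in recs[i:] if t - start <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            flagged[pair] = best
    return flagged


if __name__ == "__main__":
    ev = build_sample_events()
    for t, src, url in match_c2_indicators(ev):
        print(f"{t} {src} -> C2 {url}")
    for (src, dst), n in detect_slow_scans(ev).items():
        print(f"slow scan: {src} touched {n} distinct ports on {dst} within one hour")
```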

IT departments should continue to monitor for suspicious activity related to the attack described above as well as educate their users on the latest threats that plague the Internet. Users can minimize the potential for falling victim to email and Web-based attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.