Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved.
Spam after “My Canadian Pharmacy”
• Leading pharmaceutical affiliate program, SpamIt.com, shuts down abruptly. Rustock botnet simultaneously ceases activity.
• “Al Capone”-style takedown by Russian police.
• Kommersant: Despmedia netted $120m since 2007. Owner, Gusev, received $2m in revenues.
The New York Times, “E-Mail Spam Falls After Russian
• Spammers
  Botnets: Reactor Mailer, Rustock, Storm/Waledac, Mega-D, Grum, Lethic
  Deliver messages to massive address lists.
  Purchase domain names and host landing pages.
• Affiliate Programs
  GlavMed (SpamIt.com), RX-Promotion (Chronopay), SanCash, Bulker.biz
  Host back-end order processing systems.
  Provide customer support.
  Pay high commissions to spammers.
• Fulfillment
  Based in India and China.
Bulker.biz - MyCanadianPharmacy
• This investigation begins with a massive spam attack for “MyCanadianPharmacy” and tracks the spam back through the pharma supply chain.
GlavMed - Storm Botnet and SpamIt.com
• This investigation begins with the Storm botnet and its “Canadian Pharmacy” spam and traces the botnet and spam back to GlavMed, the supply chain organization.
Bonus: Reactor Mailer Botnet
Diagram (spam flow): “Advertisement”, Call to Action URL, Advertising Pharmaceutical Web Site
• 20 Billion Spam Attack in Two Weeks
  1.5 billion messages per day
• Spam Trickery
  2000 unique spam content mutations
  New Content every 12 minutes
  1500 unique domains used
Zombie Population by Network

Rank  Network Owner                        Country  Count %
1     Telefonica de Espana                 Spain    6.7%
2     France Telecom                       France   4.3%
3     Proxad                               France   3.4%
4     Telecom Italia                       Italy    2.6%
5     Deutsche Telekom AG                  Germany  2.2%
6     Cableuropa - ONO                     Spain    2.2%
7     Telemar Norte Leste S.A.             Brazil   1.8%
8     Wanadoo France                       France   1.7%
9     Telefonica de Espana SAU             Spain    1.7%
10    TELECOMUNICACOES DE SAO PAULO S.A.   Brazil   1.7%

Chart: Zombie Population by Country
• Pharma Sites (9)
  My Canadian Pharmacy
  International Legal RX
  US Drugs
  Super Viagra
  Viagra Pro
  Generic Viagra
  Cialis Soft Tabs
  Viagra Soft Tabs
  Maxaman
• Other Sites (6)
  Virility Patch
  Super HGH (flash)
  SpermaMax
  My Replica Rolex
18 more fraudulent elements including
  Fake Certificate
  “All orders are received via a secure server” - No HTTPS
  Fake Verisign Logo
  Fake BBB Logo
  Fake Pharmacy Checker Rating
  Fake Canadian International Pharmacy (CIPA) License Number
DNSstuff.com
Mastercard
Latin American and Caribbean IP address Regional Registry
New World Network
University of CA San Diego
Compass Communications, Inc.
Korax Online Inc.
Verizon Internet Services Inc.
IronPort Systems, Inc.
SuperNews
The Internet Channel
MOREnet
CrystalTech Web Hosting Inc.
HickoryTech Corporation
AT&T WorldNet Services
VISA INTERNATIONAL
Level 3 Communications, Inc.
US Dept of Justice
NTT America, Inc.
FBI Criminal Justice Information Systems
FBI Academy
XO Communications
Pfizer Inc.
Level 3 Communications, Inc.
Savvis
American Digital Network
1. Registered domain
   bigamousetract.info
   Registered with 1-877namebid.com
   Registered by Tobyann Ellis in Longview, WA
   +68 phone number
   dublin.com email
2. DNS servers
   “NS” Records point to DNS servers in Taiwan, Spain, US, Brazil
   “A” Record for web server points to Korean Telecom IP
3. Web server
   bigamousetract.info server on Korean Telecom network
   Web site images from Brazil, Slovenia, France, Greece, Netherlands
   Spammers obfuscate web site connection using redirectors, framing, scripting, zombie proxies
4. Using “Fast Flux”
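The four steps above (registration data, NS records scattered across countries, an A record that moves between zombie proxies, fast flux) are what an analyst looks for when deciding whether a spamvertised name is served by a botnet rather than a hosting company. The scoring function below is an added example written for this page, not Cisco's or IronPort's code: it takes a list of resolver observations and reports which fast-flux traits they show. The domain name is the one on the slide; every address (drawn from the RFC 5737 documentation ranges), TTL, nameserver hostname and country in the samples is constructed, and the country of each record is assumed to come from a separate geolocation lookup.

```python
"""Fast-flux indicator scoring over resolver observations (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DnsAnswer:
    qname: str     # name that was queried
    rtype: str     # "A" or "NS"
    rdata: str     # address (A) or nameserver host (NS) that came back
    ttl: int       # TTL the resolver returned, in seconds
    country: str   # country of rdata (assumed: from a separate geo lookup)


def fast_flux_indicators(answers: List[DnsAnswer], ttl_max: int = 300,
                         min_addresses: int = 5, min_countries: int = 3) -> Dict[str, bool]:
    """Return which fast-flux traits the observed answers show.

    Each trait is a heuristic, not proof:
    - low_ttl:        every A record has a short TTL, so clients re-resolve often
    - many_addresses: the name resolved to many distinct IPs over the window
    - spread_out:     those IPs sit in several countries (zombie proxies live
                      wherever the infected hosts are, not in one data centre)
    - ns_spread:      the nameservers themselves sit in several countries
    """
    a_recs = [a for a in answers if a.rtype == "A"]
    ns_recs = [a for a in answers if a.rtype == "NS"]
    addresses = {a.rdata for a in a_recs}
    a_countries = {a.country for a in a_recs}
    ns_countries = {a.country for a in ns_recs}
    return {
        "low_ttl": bool(a_recs) and all(a.ttl <= ttl_max for a in a_recs),
        "many_addresses": len(addresses) >= min_addresses,
        "spread_out": len(a_countries) >= min_countries,
        "ns_spread": len(ns_countries) >= min_countries,
    }


def fast_flux_score(answers: List[DnsAnswer]) -> int:
    """Number of traits present (0..4); three or more deserves an analyst's look."""
    return sum(fast_flux_indicators(answers).values())


# Constructed observations of the spamvertised name over several lookups.
# Only the queried name is from the slide; addresses, TTLs, nameserver
# hostnames and countries are made up to illustrate a fluxing name.
FLUX_SAMPLE = [
    DnsAnswer("bigamousetract.info", "NS", "ns1.flux-example.test", 3600, "TW"),
    DnsAnswer("bigamousetract.info", "NS", "ns2.flux-example.test", 3600, "ES"),
    DnsAnswer("bigamousetract.info", "NS", "ns3.flux-example.test", 3600, "US"),
    DnsAnswer("bigamousetract.info", "NS", "ns4.flux-example.test", 3600, "BR"),
    DnsAnswer("bigamousetract.info", "A", "192.0.2.10", 180, "KR"),
    DnsAnswer("bigamousetract.info", "A", "198.51.100.7", 180, "BR"),
    DnsAnswer("bigamousetract.info", "A", "203.0.113.44", 120, "SI"),
    DnsAnswer("bigamousetract.info", "A", "192.0.2.201", 180, "FR"),
    DnsAnswer("bigamousetract.info", "A", "198.51.100.88", 60, "GR"),
    DnsAnswer("bigamousetract.info", "A", "203.0.113.9", 180, "NL"),
]

# Constructed observations of an ordinary site: one NS pair, one stable address.
STABLE_SAMPLE = [
    DnsAnswer("www.example.test", "NS", "ns1.example.test", 86400, "US"),
    DnsAnswer("www.example.test", "NS", "ns2.example.test", 86400, "US"),
    DnsAnswer("www.example.test", "A", "192.0.2.50", 86400, "US"),
    DnsAnswer("www.example.test", "A", "192.0.2.50", 86400, "US"),
]

if __name__ == "__main__":
    for label, sample in (("flux", FLUX_SAMPLE), ("stable", STABLE_SAMPLE)):
        print(label, fast_flux_score(sample), fast_flux_indicators(sample))
```

The thresholds are deliberately conservative defaults; a CDN also answers with many addresses, but it does so from a handful of well-known networks and with consistent nameservers, so the country-spread traits are what separate it from a zombie-proxy front end.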
Sorry, but we can’t process your credit card right now. Sales manager will contact you in 24 hours.
• Messages from hosting company Intercage.com
• Intercage located at: 1955 Monument, #236, Concord, CA, USA
• Long history of spam and malware support
  250 domains hosting “CoolWebSearch” Exploits
  WMF exploit hosting
“Substances found are typical tablet Matrix (i.e. Palmitic acid, Stearic acid, Etc.). No other drugs, pharmaceutical or Controlled substances found.”
• Investigated credit card merchant account
  Unable to obtain any details
  $84.95 refunded to my credit card
• Second order placed
  Received 10 Pfizer-branded pills from Shanghai, China
  New shipping and packing method
• Estimated at $150M/year
• Monitored “Zombie Proxy” and counted number of credit card transactions per hour
• Comparables - Christopher Smith (rizler) profits > $20M
Diagram (Storm botnet architecture): Spam Engines (SMTP); Landing pages (HTTP); 3. School; 4. Job: Spamming; 5. Super Node
• Storm has sent a number of spam campaigns including
  Phishing financial institutions
  Mule Recruitment Spam
  Pump and Dump stock market manipulation image spam
  Pump and Dump stock market manipulation MP3 audio spam
  Pharma spam for Canadian Pharmacy
• The vast majority of Storm spam has
• Many theories about the relationship between Storm and pharma spam
• Spamit.com service manages spam domains and fulfillment
  Registers spamvertized domain, creates DNS records, NS servers, websites
  Botnet owners using Spamit service receive feed of live spam sites
• The Storm botnet retrieved a list of domains but received
• Storm used this string and other website boilerplate in the spam
• Proven link between Storm, SpamIt.com and Canadian Pharmacy
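The link argued above rests on two observations a defender can reproduce from captured mail: the spamvertised domains are provisioned on the affiliate's own nameservers, and the message bodies reuse boilerplate copied from the landing-page template. The script below is an added example for this page (not Cisco's, IronPort's or SpamIt's code): it pulls the advertised domains out of a batch of messages, clusters domains that share an identical NS set, and flags which messages in each cluster carry a given template phrase. The messages, domain names, nameserver hostnames and NS table are all constructed; the only text taken from the deck is the “All orders are received via a secure server” phrase from the fraudulent-elements slide.

```python
"""Link spam samples to shared affiliate infrastructure (added example)."""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set

# Hostnames of http(s) URLs found in a message body.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_domains(body: str) -> Set[str]:
    """Registered domains advertised in a body, taken as the last two labels.
    Good enough for the .info/.com/.org names below; ccSLDs such as co.uk
    would need a public-suffix list."""
    domains: Set[str] = set()
    for host in URL_RE.findall(body):
        labels = host.lower().rstrip(".").split(".")
        if len(labels) >= 2:
            domains.add(".".join(labels[-2:]))
    return domains


def cluster_by_nameservers(domains: Set[str],
                           ns_table: Dict[str, Set[str]]) -> Dict[FrozenSet[str], Set[str]]:
    """Group domains whose NS set is identical. A service that registers and
    provisions many spamvertised names reuses its own nameservers, so an
    identical NS set is a strong hint of one operator behind many domains."""
    clusters: Dict[FrozenSet[str], Set[str]] = defaultdict(set)
    for domain in domains:
        if domain in ns_table:
            clusters[frozenset(ns_table[domain])].add(domain)
    return dict(clusters)


def messages_sharing_phrase(messages: List[Dict[str, str]], phrase: str) -> List[str]:
    """Ids of messages carrying a boilerplate phrase lifted from the landing-page
    template, the kind of string the deck says Storm copied into its spam."""
    needle = phrase.lower()
    return [m["id"] for m in messages if needle in m["body"].lower()]


def link_campaigns(messages: List[Dict[str, str]], ns_table: Dict[str, Set[str]],
                   phrase: str) -> List[Dict[str, object]]:
    """Per nameserver cluster: its domains, the messages advertising them, and
    which of those messages also carry the template phrase."""
    domains_of = {m["id"]: extract_domains(m["body"]) for m in messages}
    clusters = cluster_by_nameservers(set().union(*domains_of.values()), ns_table)
    with_phrase = set(messages_sharing_phrase(messages, phrase))
    report: List[Dict[str, object]] = []
    for ns_set, domains in clusters.items():
        msg_ids = sorted(mid for mid, ds in domains_of.items() if ds & domains)
        report.append({
            "nameservers": sorted(ns_set),
            "domains": sorted(domains),
            "messages": msg_ids,
            "messages_with_phrase": sorted(set(msg_ids) & with_phrase),
        })
    return sorted(report, key=lambda r: r["nameservers"])


# Constructed spam samples: two pharma messages advertising different domains,
# plus one unrelated newsletter. Only the quoted phrase comes from the deck.
MESSAGES = [
    {"id": "m1", "body": "Canadian Pharmacy - all orders are received via a secure server! "
                         "http://pillsonline-example.info/?id=7a"},
    {"id": "m2", "body": "VIAGRA from $1.99. All Orders Are Received Via A Secure Server. "
                         "Visit http://www.cheapmeds-example.com/store"},
    {"id": "m3", "body": "Your weekly newsletter is at https://newsletter-example.org/issue/12"},
]

# Constructed NS lookups (what a resolver would return for each domain).
NS_TABLE = {
    "pillsonline-example.info": {"ns1.affiliate-dns-example.test", "ns2.affiliate-dns-example.test"},
    "cheapmeds-example.com": {"ns1.affiliate-dns-example.test", "ns2.affiliate-dns-example.test"},
    "newsletter-example.org": {"ns1.unrelated-example.test", "ns2.unrelated-example.test"},
}

TEMPLATE_PHRASE = "All orders are received via a secure server"

if __name__ == "__main__":
    for cluster in link_campaigns(MESSAGES, NS_TABLE, TEMPLATE_PHRASE):
        print(cluster)
```

Run against real mail the NS table would be filled from passive DNS or live lookups; the clustering is what lets a handful of nameservers tie together the 1500 domains of a campaign that otherwise look unrelated.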
Documentation excerpt for configuring web sites
From Joe Stewart, SecureWorks
• Modeled after distributed computing.
• Spam as a Service.
• Web user interface made bot spamming accessible to anyone.
• Responsible for 50-60% of global spam.
• McColo black-hat data centre in San Jose office building.
• Strong ties to SpamIt.com.
• The botnet formerly known as Storm.
• Notorious SpamIt.com affiliate.
• Database leaked to law enforcement, industry.
• Ceased operations on October 1, 2010.
• Ceased spamming between September 20 and 23.
• Shutdown coincided with SpamIt.com shutdown notice.
• Operated by Georg Avanesov.
• Arrested in Armenia in October 2010.
• Operated by Oleg Nikolaenko.
• Alleged SpamIt and SanCash affiliate.
• Arrested in Las Vegas on November 4, 2010.
• Charged with felony CAN-SPAM violations and mail fraud.
Chart, Jun-06 to Nov-06. Source: IronPort’s Spam Collection and SenderBase.org
• 2 pharma affiliates remain.
• Grum and Lethic
  Last two major botnets sending pharma and replica spam.
• Cutwail
  Focused on social engineering-based viral attacks.
• High-volume spam will soon end.
• Delivered spam volumes will not change.
• Botnets monetized in more subtle ways.
• Fake anti-virus software.
• Rockphish/Avalanche gang gave up phishing for Zeus.
• Email attacks are becoming more targeted.