Analysis of an Illegal Online Pharmacy

The economic model of spammers relies in part on online stores selling drugs - the famous Viagra among them - and also replicas of luxury goods. These shops are obviously illegal: copyright violations, fake certificates and fake certifications...

Some stores do ship the purchased goods, which, in the case of drugs, carry particularly high health risks. Others simply cash the payment and never ship anything.

More than half of global spam traffic is estimated to redirect to one of these online stores, of which there are a few dozen at most. This is for example the case of the online pharmacy called "Canadian Neighbor Pharmacy", which we will analyze further. This shop is part of a nebula of online pharmacies that also includes, among others, "My Canadian Pharmacy" and "Canadian Health & Care Mall".


While sending spam relies on a decentralized model that is therefore difficult to pin down, the situation is quite different for online shops, which are limited in number and can be identified and analyzed by the laboratories of the various messaging security vendors.

To counter these analyses, spammers implement various mechanisms. The latest one identified is the use of the "image spam" technique in place of the HTML document that makes up the online shop: the document's content is presented purely as images. The goal is to hamper the laboratories' work: textual analysis of the online store becomes complicated, and alternative techniques such as OCR (Optical Character Recognition) may be needed, which turn out to be far more costly in computation time and less accurate.

In the spam campaign studied here, the e-mail sent is a classic "image spam", in this case showing the "Canadian Neighbor Pharmacy" shop as an image.


In this picture we find a discreet text in small print, a dozen lines long, with absolutely no connection to the subject of the e-mail. Here are the first lines of this text:

the place where the knights still maintained their conflict, and boldly stepped between the two. "Tell me, I pray you," he said, "what benefit will accrue to him who shall get the better in this contest? The object you are contending for is already disposed of; for the Paladin Orlando, without effort and without opposition, is now carrying away the princess Angelica to Paris. You had better pursue them promptly; for if they reach Paris you will never see her again." 

This text comes from "Legends of Charlemagne" by Thomas Bulfinch, a famous work of classic American literature.

This is a well-established technique for bypassing statistical filters - such as Bayesian filters - which rely on analyzing the text in search of suspect keywords.

The user will focus their attention on the image, while a statistical filter will primarily work on the text, for the reasons mentioned above. In this case, a text referring to the Middle Ages is unlikely to catch the attention of a statistical filter.

By clicking on the image, we are redirected directly to the website of the online shop, whose image is identical to the one in the e-mail. Looking at the document source, we see that it is a mosaic of 64 small images laid out with an HTML <table> element. Here below are the first two lines of the mosaic.

The aim is similar to that of "image spam": making analysis of the document more complex, complicating countermeasures, and optimizing the spammer's ROI.

Clicking anywhere on the page redirects us to the URL defined in the HTML HREF attribute: this is the URL of the online store, which is visually identical to the previous image.
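The mosaic structure just described can be turned into a filtering signal. As an added example (not code from the original article or from the author's lab), the heuristic below parses an HTML document with the standard library and flags it when it has many image tiles inside a table, almost no visible text for a statistical filter to score, and a single link target; the thresholds and the sample documents are constructed for illustration.

```python
# Added example (not from the original article): flag HTML documents built as an
# image mosaic, i.e. many <img> tiles inside a <table>, almost no visible text for a
# statistical filter to score, and a single link target. Thresholds are assumptions.
from html.parser import HTMLParser


class MosaicStats(HTMLParser):
    def __init__(self):
        super().__init__()
        self.table_depth = 0       # >0 while inside a <table>
        self.images_in_table = 0   # <img> tiles found inside tables
        self.hrefs = set()         # distinct link targets
        self.text_chars = 0        # visible, non-whitespace characters

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "table":
            self.table_depth += 1
        elif tag == "img" and self.table_depth:
            self.images_in_table += 1
        elif tag == "a" and attrs.get("href"):
            self.hrefs.add(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "table" and self.table_depth:
            self.table_depth -= 1

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def classify_page(html, min_tiles=16, max_text_chars=200):
    """Return (is_mosaic, stats): many tiles, little text, at most one link target."""
    p = MosaicStats()
    p.feed(html)
    p.close()
    stats = {"tiles": p.images_in_table, "text_chars": p.text_chars, "link_targets": len(p.hrefs)}
    is_mosaic = (p.images_in_table >= min_tiles
                 and p.text_chars <= max_text_chars
                 and len(p.hrefs) <= 1)
    return is_mosaic, stats


# Constructed sample: an 8x8 mosaic (64 tiles), every tile linking to one store URL.
MOSAIC_HTML = "<html><body><table>" + "".join(
    "<tr>" + "".join(
        f'<td><a href="http://store.example.invalid/"><img src="t{r}_{c}.gif"></a></td>'
        for c in range(8)) + "</tr>" for r in range(8)) + "</table></body></html>"

# Constructed sample: an ordinary page with real text, one image and several links.
PLAIN_HTML = ("<html><body><p>" + "Product description text. " * 20
              + '</p><img src="a.png"><a href="/cart">Cart</a><a href="/help">Help</a></body></html>')
```

In production the thresholds would be tuned against a corpus, and the signal combined with others (OCR of the tiles, reputation of the single link target) rather than used alone.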


Looking at the document source, we notice that it is no longer a mosaic of images but a genuine online store.

When browsing it, we also notice the professionalism with which the website has been developed: a structured presentation, the application of a visual identity guide, shopping cart management...

We can even make a secure purchase over HTTPS, with a certificate issued by the company GeoTrust, Inc.

It is surprising that a certificate issued by a major player such as GeoTrust, Inc. is used to conduct illegal operations. It should be remembered that HTTPS - HTTP over SSL or TLS - only ensures integrity, authentication and data confidentiality: it says nothing about the good reputation of the certificate holder.

Spammers have demonstrated growing ingenuity and professionalism, and it is therefore essential to study how they operate on a day-to-day basis in order to improve spam filtering mechanisms.

Sébastien GOUTAL
Filter Lab Manager