    Phast-Phlux Phake Pharma

    Trend Micro Senior Threat Researchers Paul Ferguson, David Sancho, and Feike Hacquebord discovered a spammed email message containing a link to the fake Canadian Pharmacy Web site. Below are the email message body and a screenshot of the site that appears upon clicking the link:

    Best online drugstore since 1996. Your Coupon #SQzYB. Save 86% Visit us.
    alaric dexter

    Fake Canadian Web Site Screenshot

    Sancho deduced that the site rides on a fast-flux network that most likely belongs to the Storm botnet owners. “Storm has been sending ads for the Canadian Pharmacy since the end of January. They use a limited pool of domains hosted by (certain) sites that always redirect to a nicely formatted Canadian Pharmacy Web page. They seem to have a similar strategy as the hohoho2008.com domains back on Christmas.” He added that the domain that housed the fake site and the following domains share a root DNS server:

    • angerfollow.com
    • beautybegan.com
    • byoperate.com
    • chickher.com
    • elementgrand.com
    • instantsilent.com
    • interestquiet.com
    • roundtoward.com
    • twoinstant.com

    Further study shows that the fast-flux network on which the fake Canadian Pharmacy Web site rides is different from Storm’s; known Storm fast-flux networks, by contrast, were found to have no evident backends after all. He noted, however, that the spam messages carrying the link were sent through the Storm network.

    Hacquebord also mentioned that the DNS used as the backend of this fast-flux network was found to be the DNS backend for casino spam sites as well.
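
The linkage described above (fast-flux domains tied together by a shared DNS backend) can be checked over passive-DNS data. The following is an added example, not code from the original post or from Trend Micro; the record layout, the thresholds, and all domain names and addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (domain, record type, value, TTL seconds).
# All names and addresses are placeholders (RFC 2606 / RFC 5737), not data from the post.
OBSERVATIONS = [
    ("pharma-a.example", "NS", "ns1.backend.example", 86400),
    ("pharma-a.example", "A", "192.0.2.10", 180),
    ("pharma-a.example", "A", "198.51.100.23", 180),
    ("pharma-a.example", "A", "203.0.113.77", 180),
    ("pharma-a.example", "A", "192.0.2.141", 180),
    ("casino-b.example", "NS", "ns1.backend.example", 86400),
    ("casino-b.example", "A", "198.51.100.9", 120),
    ("casino-b.example", "A", "203.0.113.5", 120),
    ("casino-b.example", "A", "192.0.2.200", 120),
    ("casino-b.example", "A", "203.0.113.64", 120),
    ("shop-c.example", "NS", "ns.hosting.example", 86400),
    ("shop-c.example", "A", "192.0.2.50", 3600),
]

def summarize(observations):
    """Collect per-domain nameservers, distinct A addresses and the lowest A TTL."""
    info = defaultdict(lambda: {"ns": set(), "ips": set(), "min_ttl": None})
    for domain, rtype, value, ttl in observations:
        entry = info[domain.lower().rstrip(".")]
        if rtype == "NS":
            entry["ns"].add(value.lower().rstrip("."))
        elif rtype == "A":
            entry["ips"].add(value)
            entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return info

def looks_fast_flux(entry, min_ips=4, max_ttl=300):
    """Heuristic (assumed thresholds): many distinct A records with short TTLs."""
    return (len(entry["ips"]) >= min_ips
            and entry["min_ttl"] is not None and entry["min_ttl"] <= max_ttl)

def shared_backends(observations):
    """Map each nameserver to the fast-flux domains it serves, keeping those with 2+."""
    by_ns = defaultdict(set)
    for domain, entry in summarize(observations).items():
        if looks_fast_flux(entry):
            for ns in entry["ns"]:
                by_ns[ns].add(domain)
    return {ns: sorted(d) for ns, d in by_ns.items() if len(d) > 1}

if __name__ == "__main__":
    for ns, domains in shared_backends(OBSERVATIONS).items():
        print(ns, "->", ", ".join(domains))
```

A nameserver that appears in the output serves more than one fast-flux domain, which is the kind of overlap that connects otherwise unrelated spam campaigns.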

    Trend Micro detected and blocked these domains and others that were also found during the week. Users are advised to refrain from clicking links contained in emails that come from untrusted sources. Keeping spam filter patterns updated also remains a must to counter this kind of threat.




