With the underground economy still thriving, cybercriminals will surely use any method such as Canadian pharma spam runs to facilitate their information theft operations.
Canadian pharmacy sites are known to be used by scammers to sell a wide range of fake medicines usually for impotence and other serious medical conditions at much lower prices compared with regular pharmacies. These sites employ various techniques to fool users into believing that their sites are legitimate and secure. For instance, when you purchase from their site, they claim to take your credit card information on a secure connection. However, this is not exactly the case.
For cybercriminals, this is another opportunity to profit and steal personal information from users. This is why pharma site scams have also been associated with big malware campaigns, including the infamous Storm worm a couple of years back.
At present, there is still a very high demand for user information in the underground economy because of the amount of money that cybercriminals can make from it. Trend Micro advanced threats researcher Joey Costoya has been monitoring underground activities and reports that email addresses can range from US$7–30 per bulk, depending on the mail servers used. Another report shows a much higher rate than that.
Recently, cybercriminals have once again been seen targeting customers of antivirus firms by using the name and reputation of antivirus companies in their social engineering ploys. We received reports of a spoofed Trend Micro notification that redirected users to a Canadian pharmacy website. As in previous spam runs, cybercriminals sent spammed messages to target recipients, claiming to be from a legitimate source. In this case, these claimed to be from an administrator of Trend Micro.
The email messages notified recipients that their accounts have been hacked and were thus temporarily inaccessible. These then advised users to open the .HTML file that came attached to the email for instructions on how to enable their accounts. Opening the attachment, of course, redirected users to a Canadian pharmacy website.
Trend Micro detects the file attachment as JS_REDIR.VIAG. Through email and Web reputation services, Trend Micro™ Smart Protection Network™ protects users from this threat by blocking the spammed messages along with user access to the spam sites. Smart Protection Network also detects and deletes files detected as JS_REDIR.VIAG via the file reputation service.
This is not the first time that Trend Micro has been used in Web attacks. In fact, in 2007, a fake Trend Micro website was used to phish sensitive information from customers. Customers and users alike are thus advised to be very wary of email notifications and to ensure the authenticity of the emails they receive and the websites they visit before giving out any information. Note that Trend Micro does not send unsolicited emails to its customers, especially ones that redirect users to suspicious-looking sites.
As cybercriminals continue performing attacks like these, they increase their chances of successfully stealing information by sending such an email to people they know who are from Trend Micro. Such is the nature of threats today—they are getting more personal and thus more “real.”
Special thanks to Anti-Spam Research Engineer Mary Aquino for initially reporting this incident.
This particular campaign is not limited to fake notifications. The ongoing “World Cup” is being used as well.