FortiGuard Analysis
Canadian Pharmacy

The concept of utilizing a pharmacy site as a scam is not new, and there are plenty of them around. Just this year in August, the alleged mastermind behind the "Xpress Pharmacy" ring, Christopher Smith (aka Rizler), was nailed with a 30-year prison sentence. Authorities seized $4.2 million in assets, and claimed that "Xpress Pharmacy" had already generated $18 million in revenue halfway through 2007, an annual revenue potential in excess of $30 million. Meanwhile, a recent report from Gartner states that $3.2 billion USD were lost to phishing in 2007. While the jail sentence truly serves justice, it is clear that, weighed against such huge sums of cold hard cash, it is not enough to deter cyber criminals.

While the business models of these pharmacy scams may vary, they all resolve to the same endpoint: financials. Smith was alleged to be selling pharmaceuticals without a license. In the case of Canadian Pharmacy, lots of consumer complaints have been sent into the void and received no answer. This indicates a phish: the site is a front set up to lead the victim into a transaction in which the details the criminals are seeking are disclosed.

In December, the Fortinet Global Security Research team discovered e-mails reminding recipients that it was the holiday season, and that by following the provided link they would be led to a shopping paradise of presents for themselves and their family members. These new holiday links first pointed to a geocities page, which then redirected to one of the thousands of domains hosting the illegitimate pharmacy site. Simultaneously, many other spam messages have been flooding in, pointing directly to those domains. No doubt this is the result of an aggressive campaign to drive traffic to the site. This, combined with the fact that the site looks legitimate at first glance, highlights a social engineering scheme which has been evolving over time.
Not only are these guys scamming consumers out of their cash; should they ever ship any pills to consumers, a major health risk may appear. To help prevent such cases, Fortinet protects consumers from this scam using the detection name "HTML/CanadianPharmacy!phish". Now, let's look into the details of what allows this pharmacy ring to maintain effective operations.

Spanning Nations: Network Automation

The first phase of deployment is to set up shop by activating a network to which fraudulent links (via spam, blogs, etc.) will point. The Fortinet Global Security Research team observed and monitored five networks belonging to the Canadian Pharmacy ring, as detailed below. One fresh network has just surfaced, created on December 17th, 2007, showing that these guys do not intend to tear down their shop anytime soon. There may be more active networks currently in the wild.

The five monitored networks (labeled A-E) appeared in chronological order, the first being registered on July 12th, 2007 and the latest on November 11th, 2007. Across all networks there are trends to be observed, and evidence linking all of them to one botnet army. This essentially renders the five networks a resource pool, used at will by spam engines and bots when crafting the links used in their social engineering scheme.

The network setup involves creating or compromising nameservers which will be used to hand out IP addresses pointing to zombies within the botnet army. These nameservers are selected (and registered) through registrars which give the operators more flexibility. This flexibility consists of being able to change the IP addresses of the nameservers, and of longevity, since the registrars are lax in taking down the sites despite complaints. The five networks we monitored used just two specific registrars, both located in China, for their network setup operation.
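The layering described here (domains, the nameserver networks they sit on, and the registrars behind both) is something a defender can pivot on from ordinary WHOIS and DNS data. The following is an added example, not Fortinet's tooling or data: it groups domains into networks by the nameservers they share, then checks which networks a single registrant identity spans and how many domains each registrar holds. All records are constructed placeholders (`.example` and `.invalid` names, "Registrar-1" and so on), and the function names are this example's own.

```python
"""Pivot registration data into networks, the way the analysis groups domains into
networks A-E by their nameservers and links them through shared contact details.

Added example, not Fortinet's tooling. All records are constructed placeholders
(.example / .invalid names); cluster_networks, link_by_registrant and
domains_per_registrar are this example's own names.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# (domain, nameservers, registrant e-mail, registrar) as a WHOIS lookup would give them.
Record = Tuple[str, List[str], str, str]

# Constructed records: three domains on two nameserver networks under one contact,
# two domains on a newer network under a second contact, and one unrelated domain.
RECORDS: List[Record] = [
    ("pills-a1.example", ["ns1.net-a.example", "ns2.net-a.example"], "admin1@contact.invalid", "Registrar-1"),
    ("pills-a2.example", ["ns1.net-a.example", "ns2.net-a.example"], "admin1@contact.invalid", "Registrar-1"),
    ("pills-b1.example", ["ns1.net-b.example"], "admin1@contact.invalid", "Registrar-1"),
    ("pills-e1.example", ["ns1.net-e.example", "ns2.net-e.example"], "admin2@contact.invalid", "Registrar-2"),
    ("pills-e2.example", ["ns2.net-e.example"], "admin2@contact.invalid", "Registrar-2"),
    ("unrelated.example", ["ns.other.example"], "owner@contact.invalid", "Registrar-3"),
]


def cluster_networks(records: List[Record]) -> List[List[str]]:
    """Union-find over domains and nameservers: domains sharing any nameserver form one network."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for domain, nameservers, _, _ in records:
        for ns in nameservers:
            union(domain, "ns:" + ns)     # prefix keeps NS names apart from domain names
    groups: Dict[str, List[str]] = defaultdict(list)
    for domain, *_ in records:
        groups[find(domain)].append(domain)
    return sorted(sorted(g) for g in groups.values())


def link_by_registrant(records: List[Record], networks: List[List[str]]) -> Dict[str, List[int]]:
    """Which networks each registrant identity spans. One identity across several
    nameserver networks is the 'same plan, separate process' pattern the analysis describes."""
    network_of = {d: i for i, net in enumerate(networks) for d in net}
    spans: Dict[str, set] = defaultdict(set)
    for domain, _, email, _ in records:
        spans[email].add(network_of[domain])
    return {email: sorted(nets) for email, nets in spans.items()}


def domains_per_registrar(records: List[Record]) -> Dict[str, int]:
    """Count domains per registrar, the figure to raise with a registrar's abuse desk."""
    counts: Dict[str, int] = defaultdict(int)
    for _, _, _, registrar in records:
        counts[registrar] += 1
    return dict(counts)


if __name__ == "__main__":
    nets = cluster_networks(RECORDS)
    for i, net in enumerate(nets):
        print(f"network {i}: {net}")
    print("registrant spans:", link_by_registrant(RECORDS, nets))
    print("domains per registrar:", domains_per_registrar(RECORDS))
```

On the constructed data the first contact identity spans two nameserver networks, which is the signal that separate networks belong to one operation; on real data the same pivot would be run over the registrant, admin and technical contact fields together, since the analysis notes those are reused across domains.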
It is interesting to point out that, chronologically, the newest networks have shifted to a new registrar, most likely in case the first registrar decides to get strict and start taking down their previous networks.

The second part of the network setup was to register a large number of domains that utilize these nameservers, so that when a DNS query is done on one of these domains, the resulting IP is that of a Canadian Pharmacy zombie. The domains are registered frequently and automatically, which is key to their resilience. The automation process registers new domains on a daily basis, and seemingly randomly assigns those domains to the network resource pool. That is to say, new domains are registered to both old and new networks. This expands their operation and enhances resistance to take-down.

Selected names are used during registration for admin and contact information, and they overlap throughout the domains and nameservers. All domains have common registration information, while the network nameservers have common information that is not shared with the domains. This suggests that while the network setup and domain registration are part of the same grand plan, they are done in separate processes. On another note, the new networks using the new registrar have also changed the fraudulent information filled in during registration, showcasing the evolution of their automation tool.

The core operation is then set up: various networks are established using controlled nameservers, and many domains are registered to these networks. The next step is to broaden the scale of the operation by creating a global zombie botnet that can be referenced when querying the domain names (i.e. clicking on the links spammed out).

Command and Resist: Botnet Flux

As a means of evading the good guys and keeping operations running smoothly, the bad guys are constantly evolving and refining their process.
A large scale operation that targets a large audience, typically using a massive spam campaign, can quickly be put into the spotlight. In order to divert this attention, more network schemes are switching to fast flux. This technique has been in the spammer's toolkit for a while, and is now being adopted more widely as blended attacks increase. The problem (for the criminals) is that after a campaign succeeds in attracting a high amount of traffic to their website operation, efforts will be made to shut it down. In order to avoid an easy take-down, single and double fast flux are increasingly used.

A single fast flux scheme is one which returns several (if not thousands of) different IP addresses for one given domain. To make it more effective, as Canadian Pharmacy has done, thousands of domains are registered to do this. The fast flux is achieved by using a short TTL (time to live) value, a round robin scheme to cycle IPs, and an algorithm which frequently replaces certain IPs with fresh ones. Basically, this means that if you surf to one domain twice within a period of, say, five minutes, you will actually be surfing to different computers (hosting the website), even though the end product displayed in your browser may look the same. This is really good news for cyber criminals, since it means that the computers hosting their illegal operations may be distributed across the world, and more importantly in geographic areas in which pursuing legal action is difficult.

Canadian Pharmacy has registered thousands of domains, most of which are involved in the fast flux scheme. This means that the thousands of domains (found seeded in blogs and spam) will always point to various zombies hosting their product. Each zombie that is part of the botnet is essentially called to battle when used in the fast flux scheme, and is then flushed out from the front lines once replaced with a new zombie shortly after.
Figures 1a and 1b below show the single fast flux scheme of Canadian Pharmacy in action. A single domain belonging to the operation is queried in Figure 1a, with a list of IPs returned. Note that by issuing a second query, the IPs will be cycled in a round robin fashion. Further, notice the value "300" center-left; this is the TTL value in seconds, which translates to five minutes. After the TTL has expired, another query is performed in Figure 1b, clearly demonstrating that five new zombies have been recruited to replace the old ones, indicated with superimposed red dots in the image.

Figure 1a: Domain of one of the registered fast flux networks; note the 300s TTL

Figure 1b: Domain query shortly after TTL expiration; the single flux is indicated by red dots

By using an algorithm to selectively replace a small portion of the zombies, presumably ones which are responsive and ready for battle, it is difficult to uncover the entire botnet army, explains Fortinet security research engineer Derek Manky. This is intentional, and further makes the botnet resistant to take-down. The first network monitored was created in July 2007, and is still very active in late December 2007.

Interestingly, the Fortinet Global Security Research team monitored the pace at which IPs were replaced, and found consistent patterns. There is a 12-hour period, from 02:00 PST to 14:00 PST, in which high deltas (the number of new zombies placed into the fast flux replacement algorithm) are present. On an hourly basis, 15-30 new zombies are cycled during that time frame. For the remainder of the day (15:00 PST to 01:00 PST), there is a lower range of 1-10 zombies cycled.

To enhance an already robust model, a second phase is introduced, known as double fast flux. The IPs in the single flux are returned by the nameservers used by the registered domain.
That exposes a weakness, as the nameservers themselves may be shut down, putting the network at risk (since the IPs of the botnet could then never be returned). To counter this, the IP addresses of the nameservers are also switched, although at a less frequent (and most likely more selective) rate. Figures 2a and 2b below demonstrate this: the queried nameservers for a domain belonging to Canadian Pharmacy produce different results within a short timeframe, typically every twenty minutes as opposed to five for the single flux domains. The red dot in Figure 2b indicates the double flux, which is the IP address of the nameserver changing. Interestingly, the yellow dots indicate IPs which belong to the zombie botnet, meaning that they were also returned in the first single flux phase (Figures 1a/b above). This indicates that these machines are serving a dual role: hosting web content, and also acting as a nameserver to dish out IPs of other zombies in their army.

Figure 2a: Nameservers of one of the registered fast flux networks; yellow dots indicate overlap with single flux IPs in Figures 1a/b

Figure 2b: Nameserver query 20 minutes later; the double flux is indicated by the red dot

But how do they maintain so many websites and nameservers? They need a way to do that easily, so that the entire botnet reflects up-to-date material, from website content to addresses of fresh zombies added to their network. To do so, they add another ingredient to the already thickening double flux: proxies. The zombies, in their dual roles as webserver and nameserver, proxy requests to a master server. These proxy requests may be chained through other zombies to make tracing even more difficult. The benefit (to the cyber criminals) of this model is that it makes their network more robust and dynamic.
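The single-flux and double-flux behaviour described in Figures 1a/1b and 2a/2b can be measured from repeated DNS lookups of one domain: a short TTL, fresh A-record IPs appearing once the TTL expires, the nameservers' own IPs rotating, and overlap between the two sets (the dual-role zombies marked yellow in Figure 2a). The following is an added example, not Fortinet's monitoring code: it takes a series of constructed DNS snapshots (RFC 5737 documentation addresses, not the real botnet) and computes those indicators, plus the per-hour churn the analysis uses to describe the 02:00-14:00 PST peak. `Snapshot`, `flux_report` and `churn_per_hour` are this example's own names.

```python
"""Fast-flux indicators computed from a series of DNS snapshots.

Added example, not Fortinet's tooling. The snapshots are constructed to mirror
what Figures 1a/1b and 2a/2b show (RFC 5737 documentation addresses, not the
real botnet); Snapshot, flux_report and churn_per_hour are this example's own names.
"""
from dataclasses import dataclass
from typing import Dict, List

SHORT_TTL = 300          # seconds; the analysis observed a 300 s TTL on the single-flux domain


@dataclass
class Snapshot:
    minute: int           # minutes since monitoring started
    a_records: List[str]  # IPs answered for the domain (the "zombies")
    ttl: int              # TTL in seconds on those answers
    ns_ips: List[str]     # IPs that the domain's nameservers resolve to


# Constructed observations: round robin at t=1 (same set, rotated), five fresh
# zombies after the TTL expires at t=6, and a nameserver IP rotation at t=26.
SNAPSHOTS = [
    Snapshot(0, ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"],
             300, ["198.51.100.1", "192.0.2.11"]),
    Snapshot(1, ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14", "192.0.2.10"],
             300, ["198.51.100.1", "192.0.2.11"]),
    Snapshot(6, ["192.0.2.20", "192.0.2.21", "192.0.2.22", "192.0.2.23", "192.0.2.24"],
             300, ["198.51.100.1", "192.0.2.11"]),
    Snapshot(26, ["192.0.2.20", "192.0.2.21", "192.0.2.30", "192.0.2.31", "192.0.2.32"],
             300, ["198.51.100.2", "192.0.2.20"]),
]


def flux_report(snapshots: List[Snapshot]) -> dict:
    """Summarise single-flux churn, double-flux NS rotation and dual-role hosts."""
    seen = set()
    deltas = []                      # new zombies introduced by each query
    for snap in snapshots:
        current = set(snap.a_records)
        deltas.append(len(current - seen))
        seen |= current
    ns_sets = [frozenset(s.ns_ips) for s in snapshots]
    ns_changes = sum(1 for a, b in zip(ns_sets, ns_sets[1:]) if a != b)
    # Nameserver IPs that also appeared as web-serving zombies (the yellow dots).
    dual_role = set().union(*ns_sets) & seen
    return {
        "short_ttl": all(s.ttl <= SHORT_TTL for s in snapshots),
        "distinct_ips": len(seen),
        "new_ips_per_query": deltas,
        "single_flux": sum(deltas[1:]) > 0,   # fresh IPs after the first answer
        "ns_ip_changes": ns_changes,
        "double_flux": ns_changes > 0,
        "dual_role_ips": sorted(dual_role),
    }


def churn_per_hour(snapshots: List[Snapshot]) -> Dict[int, int]:
    """Bucket new-zombie deltas by hour, the view used to spot the daily replacement peak."""
    seen = set()
    hourly: Dict[int, int] = {}
    for snap in snapshots:
        new = set(snap.a_records) - seen
        seen |= new
        hour = snap.minute // 60
        hourly[hour] = hourly.get(hour, 0) + len(new)
    return hourly


if __name__ == "__main__":
    for key, value in flux_report(SNAPSHOTS).items():
        print(f"{key}: {value}")
    print("new zombies per hour:", churn_per_hour(SNAPSHOTS))
```

Round robin alone (the second snapshot) adds no new IPs, so it does not count as flux; only the post-TTL answer does. A plain content delivery network also returns rotating IPs with short TTLs, so in practice the nameserver-IP churn and the overlap between nameserver and web-host addresses are the stronger indicators.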
They can essentially update thousands of zombies to reflect new material on demand, as they have done during the holiday season by throwing in Christmas cheer. Likewise, they can maintain their army by replying to DNS proxy requests and choosing which new zombies they want to utilize and dispense to the unsuspecting user.

When connecting to the website, using a domain name is required, because the criminals rely on this domain name to forge certificates which are used in their social engineering scheme, as we will discuss later. When connecting directly using an IP, a proxy error is displayed on most sites. Interestingly, on some sites a curious message is displayed, most likely as a result of a refining effort for their latest plans. Figures 3a and 3b below show these effects.

Figure 3a: Directly connecting to the IP will never render the proxied content, and sometimes will display a message uncovering their proxy mechanism

Figure 3b: Sometimes directly connecting to the IP will display a message from the crooks themselves, changing code to refine their process

Laying the Bait

What good is a network without victims? Like any marketing ploy to generate attention and revenue, the pharmacy ring needs to herd victims from around the globe. Spam has always been a mainstream infection vector, and just in time for the holidays, the Fortinet Global Security Research Team noticed emails crafted to bring holiday cheer. This is an effective social engineering tactic when combined with the theme of their holiday pill page, as shown in Figures 4 and 7a below. The idea is to obtain high traffic through a high CTR (click through rate). Since spam CTR has drastically fallen thanks to effective spam filtering and increased user education, CTR efficiency has naturally decreased. Thus, the spam strategy employed by the pharmacy ring is to spam in high volumes, using a variety of templates and domains.
Not all templates are as effective or as legitimate-looking at first glance, as you can see in the template figures shown below.

Figure 4: Fraudulent holiday cheer with a geocities link that redirects to the Canadian Pharmacy botnet army

The spam links vary from direct links to a domain belonging to one of the five monitored networks of the pharmacy ring, to links hosted on geocities which in turn redirect to a Canadian Pharmacy domain (as shown above in Figure 4). The redirects help avoid detection by automated tools which intend to flag domains belonging to the pharmacy ring upon spam receipt.

Since spam CTR is decreasing, the pharmacy operation is using other methods to seed their links, one of which involves flooding blogs with messages and links to their crafted page. This is also an SEO technique which, combined with their spam campaign, increases the overall traffic driven to their website. Figure 5 below shows an example of such a blog post. Likewise, the blog links point to a domain from any one of the five monitored networks, again using the networks as a resource pool from which to seemingly randomly pick disposable domains.

Figure 5: Bot-posted comments on blogspot, Canadian Pharmacy link highlighted in red

Various spam templates have been observed containing links to the pharmacy domain, an obvious effort by the group to enhance their CTR. On top of the recent holiday theme template, the Fortinet Global Security Research team has observed a new, sophisticated template which represents an excerpt from Men's Health magazine. In keeping with their web site, the spam template appears legitimate and professional, containing advertisements and current world health issues. Figure 6 below shows this spam template, with every highlighted link, including images, pointing to different domains belonging to any one of the five monitored networks.
These three tactics show the evolving campaign driven by the pharmacy ring, and the innovative methods they forge in order to drive more traffic to their illegitimate business. Of course, any educated user should be wary when noticing a link such as "MensHealth.com" actually pointing to www.{otherdomain}.com.

Figure 6: Fresh and elaborate spam, every link pointing to different domains within the Canadian Pharmacy ring

Meanwhile at Headquarters ...

The first objective is to drive traffic to a zombie residing in their network pool that is hosting their web content. Once this objective is achieved, the pharmacy ring operators may do what they wish on demand. During December, they were driving a Christmas theme campaign, which was also combined with the spam templates mentioned above. At any point in time, they may switch their web content on the fly to reflect current events and make their social engineering tactics more effective. This is exactly what happened at the end of December: they updated their thousands of zombies (really just the master server, since proxies are used) to push celebrations for the new year. Figures 7a and 7b below show this process, and showcase just how much flexibility the pharmacy ring has.

Figure 7a: Merry Phishmas! Seedy holiday cheer from the crooks behind this pharmacy ring

Figure 7b: Look familiar? Canadian Pharmacy moves on to a Happy New Year

Apart from the discussed holiday theme, it is obvious at first glance that these guys have spent a considerable amount of time creating a website which casts a legitimate image. Figure 8 below shows just that, with a support representative posing ready to answer any questions consumers might have. Realistically, the support representative is non-existent, and even if they did exist, they would most likely quit their day job quite soon due to the massive amount of complaints that flood in. Other items found in Figure 8 below include their fake wares and illegitimate awards.
Figure 8: A professional looking scam page, complete with FAQs, illegitimate awards and a non-existent support center

The proxy scheme is also used with the awards and certifications. When clicking on any one of these awards, the resulting page displays a template for the certificate, which includes the domain name that the end user has connected to. Again, that domain name is one of the thousands registered to one of their networks. This is another reason why the direct IP connection is refused in Figures 3a/3b above: they require the domain name in the initial HTTP request in order to inject it into these certificates on the fly while proxying. Figure 9 below shows one of the certificates, with the domain name blacked out. As you can observe, the domain name has been injected on the fly into the header, as well as into the "name" and "common name" fields.

Figure 9: "VeriSign Secured - Not!" ... Proxy to master server has injected the domain name (blacked out) into the fake certificate

The minds behind Canadian Pharmacy left a couple of holes unpatched here. First of all, the source of the certificate is actually just a local php page which is pulled from the zombie / proxy. Second, for this VeriSign example, the certificate they display explicitly says to ensure that the URL source is https://digitalid.verisign.com. Of course, it is not, and this should immediately trigger a red flag.

To date, the Fortinet Global Security Research team has discovered over 7,700 zombie PCs belonging to the Canadian Pharmacy botnet. That number continues to rise as new faces are uncovered when brought to the battle front via fast flux. For the double fast flux scheme, over 800 nameservers were cycled, all of which also belonged to the zombie botnet, proving that some zombies are being used in a dual role. Thousands of domains belonging to the five monitored networks are also used, along with at least one master server hosting their web content.
As boxes are shut down, connectivity is lost, and thus more potential traffic to their pharmacy ring also falls into the void. As a result, zombie status fluctuates between dead and alive. When querying the zombies in the fast flux networks over a period of two weeks, 54.37% of the queries yielded no response, meaning that the zombie was down. On the other hand, 45.63% of the queries yielded an active response. This shows that, while it may not be perfect, many zombies are still out in the wild and active at any given point in time.

All nameservers for the monitored networks used two specific registrars. The first registrar used was Xin Net Technology, up until Network D. Network E and newer are now using the second registrar, Beijing Innovative Linking Technology. Both registrars are ICANN accredited and reside in the People's Republic of China. All of the domains belonging to the five monitored networks use one of four registrars (see Figure 10), again all in the People's Republic of China. This is no doubt because of the success they have had operating under such registrars, in terms of keeping their networks alive and well.

What's even more concerning is that one of the networks is not using fast flux, and resides under the block of Abdallah Internet, which is known to have ties with the Russian Business Network. This non-fast flux network, Network B, has hundreds of domains using one single IP to host Canadian Pharmacy. Even without fast flux, this network has managed to stay alive for five months since its inception.

Figure 10 below shows the flow and modules of the Canadian Pharmacy operation, including the five monitored networks A-E. Keep in mind that there may be more than one master server, and that proxy requests may be bounced through several zombies before hitting the master.
Figure 10: Canadian Pharmacy Operations in Scope

Putting it all together, a picture can be painted of an operation that has successfully deployed a robust network which has proven resistant to take-down. Even worse, they keep building on their stronghold by adding new networks and militia to their zombie botnet. By using a fast flux scheme with a selective algorithm, commanding a large volume of zombies, with flexibility and scalability, this pharmacy ring will become larger and even more profitable if action is not taken. By using a blended protection solution such as Fortinet's, consumers will be protected from spam through to the actual web content. The registrars responsible for these networks should also investigate and begin to take steps to shut down these malicious operations before more consumers get hurt. In the meantime, Fortinet will continue to monitor and protect against the evolving pharmacy ring.

Disclaimer: Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet (www.fortinet.com): Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats.
Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.