Wednesday, June 17, 2009

Swine Flu Pandemic (H1N1 Influenza) Leads to Increased Tamiflu Spam

We received a media query yesterday about how the announcement by the World Health Organization that we are now at "Full Pandemic" with H1N1 Influenza had impacted the type of spam scams we had seen.

I was among the many who believed that as soon as we went Pandemic, the spam would light up with malware lures using the Pandemic as bait, but so far we haven't seen any wide-spread or long-lasting malware campaigns based on the flu.

I ran some queries in the UAB Spam Data Mine this morning looking for information about the spam we've seen about swine flu, H1N1 influenza, or similar things, and the truth is that the biggest trend is that illegal pharmacy sites have begun including "Tamiflu" in their spam subjects.

Ever since the Swine Flu scare started, pill sites have begun to offer Tamiflu for sale. For instance, the Graphic URL Attachment spam that we've been seeing hosted on the Superman Internet Cafe in China sells Tamiflu in addition to their sex-enhancement pills.


(screen shot from "7594.org" website)

The Canadian Pharmacy group, run by the affiliate program GlavMed, pays its spammers a 40% commission on every pill sale. Let's see, that's a minimum of $70 per bottle of Tamiflu. Too bad it's all fake.




We've seen 49 different domain names advertised with the word Tamiflu in the subject line of the email so far this year.

From January through April there were zero emails that used Tamiflu in the subject line.

The first batch came May 8th and May 9th with this group of domains:

baswodek.cn
qelribak.cn
dokkelar.cn
vinlajoy.cn
fajbopim.cn
nuhkolim.cn
femkasug.cn
bajsovez.cn
vaclicak.cn
luctedid.cn
tucroqov.cn
cinmayad.cn
roybapew.cn
pofzirap.cn
cebnufew.cn
wojhoyub.cn
nezjobur.cn
fidzopaf.cn
yaggeraj.cn
lejsigev.cn
naqcuxuy.cn
waxhuyam.cn
niwkacuy.cn
ceynofos.cn
suvrijuw.cn
borbupad.cn
dasvitaw.cn
duqjamex.cn
lenteniq.cn

(He's got HUNDREDS of other spam domains for his pill sites, see more at the end of this article...)

That batch used a mix of subject lines such as:

Buy Tamiflu cheaper!
Tamiflu on low prices
Tamiflu on discounts!
Tamiflu. Discreet shipping
Flu attacks! Buy Tamiflu
Tamiflu on -40% prices
Fast shipping of Tamiflu

There was another tiny run on May 20th with two domains used:

narsusun.cn
roommeaningful.com

A funny email subject from this group:
"Opera Says - Stay Healthy this Season Get Tamiflu"

(dear spammer, please spell Oprah correctly or we won't buy your crap!)


A bit of German language spam used this domain starting June 7th:

keptbox.com


And now we have a VERY big spam blast which began late on June 10th, and has run continuously since, using these domains:

naqresus.cn - first Jun 10
bampiqid.cn - Jun 10
niwjogur.cn - Jun 10
totbagix.cn - Jun 11
mazgiged.cn - Jun 11
mumragix.cn - Jun 11
wekziyow.cn - Jun 12
kegpocaw.cn - Jun 12
luxmukiw.cn - Jun 12
sitkibot.cn - Jun 13
simjuwep.cn - Jun 14
zupdefem.cn - Jun 14
senhivar.cn - Jun 15
vasvokuz.cn - Jun 15
roljahuv.cn - Jun 16
pudludil.cn - Jun 16

This group is sending heavy volume, using spam subjects that primarily look like these:

2009 WORLD BEST #1 Internet Drugstore: Tamiflu (H1N1), FemaleCialix, FemaleViagra, Phentermin,(Viagra10ਦꖋᵴ꾊 10=$119) mfebea n42
2009 World No.1 Internet Drugstore $1.00/pill: Viagrਦꖋᾋ竸, Tamiflu (H1N1), Phentermin, FemaleCialix, FemaleViagra umcpzj e6

Random characters at the end of each subject line make each occurrence unique, which the spammers believe makes it harder to block the emails. That's also the reason we see foreign characters mixed into the spelling of the word "Viagra", since many spam filters automatically block everything with the word "Viagra" in the subject.
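As an added illustration (not code from the original post), here is how a filter on the receiving side can undo both tricks: fold the look-alike characters back to ASCII before keyword matching, and fingerprint subjects so that messages differing only in the random tail collapse to one template. The sample subjects are constructed to resemble the ones quoted above, the confusables table is a hand-picked subset, and the keyword list is an assumption.

```python
import difflib
import re
import unicodedata
from collections import Counter

# Look-alike characters folded to their Latin equivalents. Hand-picked subset
# (an assumption for this example); a production filter would load the full
# Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
}

# Pharmacy words the campaign tries to hide; matched after normalization.
KEYWORDS = ("viagra", "cialis", "tamiflu", "phentermin")

TOKEN = re.compile(r"[a-z0-9]+")

# Constructed batch modelled on the subjects quoted above: two templates, each
# sent several times with a different random tail, plus one ordinary message.
SAMPLE_SUBJECTS = [
    "2009 WORLD BEST #1 Internet Drugstore: Tamiflu (H1N1), FemaleCialix, FemaleViagra, Phentermin,(Viagra10\u0a26\uaf8a 10=$119) mfebea n42",
    "2009 WORLD BEST #1 Internet Drugstore: Tamiflu (H1N1), FemaleCialix, FemaleViagra, Phentermin,(Viagra10\u0a26\uaf8a 10=$119) kqpzlo b17",
    "2009 WORLD BEST #1 Internet Drugstore: Tamiflu (H1N1), FemaleCialix, FemaleViagra, Phentermin,(Viagra10\u0a26\uaf8a 10=$119) xwvtre c09",
    "2009 World No.1 Internet Drugstore $1.00/pill: Vi\u0430gr\u0430, Tamiflu (H1N1), Phentermin, FemaleCialix, FemaleViagra umcpzj e6",
    "2009 World No.1 Internet Drugstore $1.00/pill: Vi\u0430gr\u0430, Tamiflu (H1N1), Phentermin, FemaleCialix, FemaleViagra rqatbl f3",
    "Quarterly report attached",
]


def normalize_subject(subject):
    """Fold compatibility forms, case and look-alike letters, then keep ASCII only.

    'Vi\u0430gr\u0430' (Cyrillic a's) becomes 'viagra'; glyphs from unrelated
    scripts that were wedged into a word are simply dropped.
    """
    text = unicodedata.normalize("NFKC", subject).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return "".join(ch for ch in text if ord(ch) < 128)


def matched_keywords(subject, ratio=0.8):
    """Keywords present in the subject, by substring or by fuzzy token match.

    The fuzzy pass catches truncated spellings such as 'viagr' followed by junk
    glyphs that the ASCII filter removed.
    """
    text = normalize_subject(subject)
    tokens = TOKEN.findall(text)
    hits = []
    for kw in KEYWORDS:
        if kw in text or any(
            difflib.SequenceMatcher(None, kw, tok).ratio() >= ratio for tok in tokens
        ):
            hits.append(kw)
    return hits


def template_fingerprints(subjects, min_count=2):
    """Map each subject to a fingerprint that ignores the per-message random tail.

    Tokens that recur across the batch belong to the template; a hash-busting
    suffix is unique to one message, so it falls below min_count and drops out.
    Two messages from the same template therefore share a fingerprint even
    though their raw subjects differ. A subject whose tokens all occur once
    (a genuinely unique message) gets an empty fingerprint.
    """
    tokenized = [TOKEN.findall(normalize_subject(s)) for s in subjects]
    freq = Counter(tok for toks in tokenized for tok in set(toks))
    return {
        subj: " ".join(tok for tok in toks if freq[tok] >= min_count)
        for subj, toks in zip(subjects, tokenized)
    }


if __name__ == "__main__":
    for subj in SAMPLE_SUBJECTS:
        print(matched_keywords(subj), "<-", subj)
    for subj, fp in template_fingerprints(SAMPLE_SUBJECTS).items():
        print(repr(fp))
```

The fingerprint step is the part that defeats the random suffix: it needs a batch of messages, not a single one, because "random" is only visible as "never repeats across the batch".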

Each of those websites has redirected to websites from this group:

Bestdrugs.net.cn
Cheap-meds.cn
Cheap-pill.cn
Cheapdrugs.com.cn
Coolagree.cn
Discountpills.cn
Drugsdirectmoral.com
Lovecanadianpower.com
Lowpricepills.cn
Medsbestone.com.cn
Medstoresome.com.cn
Newmedslofty.com
Newpharmthe.com.cn
Pharmacyonlinefound.com
Pharmssitefarm.com.cn
Pillsiteadd.com.cn
Placepharmacygentle.com
Ridestone.com
Siterxmoral.com
Smartdrugtell.com.cn
Storemedburn.com.cn
Thosefuns.com
Topdrugalive.com
Topmedsraise.com
Toppharmlike.com.cn
Toppilldrink.com.cn
Wholesaledrugsand.com.cn
Wholesalepharmsfirst.com

These sites have a Tamiflu page that looks like this:


Probably worth noting that the price is exactly the same from Canadian Healthcare as it is from Canadian Pharmacy. Most of the descriptive text is the same as well, including the self-dosing recommendations:

"To treat flu symptoms: Take Tamiflu every 12 hours for 5 days.
To prevent flu symptoms: Take Tamiflu every 24 hours for 10 days or as prescribed. Follow your doctor's instructions."

The reason for the forwarding pages is plausible deniability within the affiliate group. These spam messages are coming from a spammer who is being paid to generate drug sales leads. The affiliate program has rules which say it will deny payment to any website that used spam email to generate its sales. Now the affiliate can say "I've never advertised any of the sites selling my drugs with spam", which would be a true statement. The spam advertises the sites in the top group, which then FORWARD to the sites in the bottom group, where the drug sales actually occur.

All of the sites in the bottom group are in Beijing, China, currently on the IP address 119.39.238.2.
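To make the two-tier layout concrete, here is an added example (not the post's own tooling) that follows each advertised domain's redirect chain and groups the first-tier domains by the site they land on. The redirect map is constructed stand-in data built from the domain names above; the hops it encodes are invented, not observed, and the fetch function is injected so a real HTTP client can replace it.

```python
from collections import defaultdict
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for live HTTP responses: url -> (status, Location header).
# The domain names come from the lists above, but the hop structure between
# them is invented for this example and is not observed data.
FAKE_RESPONSES = {
    "http://naqresus.cn/": (302, "http://cheap-meds.cn/"),
    "http://bampiqid.cn/": (302, "/go"),                        # relative Location
    "http://bampiqid.cn/go": (301, "http://cheap-meds.cn/tamiflu.html"),
    "http://niwjogur.cn/": (302, "http://cheapdrugs.com.cn/"),
    "http://totbagix.cn/": (302, "http://totbagix.cn/"),        # redirect loop
}


def fake_fetch(url):
    """Return (status, location) as a real HEAD/GET client would; 200 ends a chain."""
    return FAKE_RESPONSES.get(url, (200, None))


def follow_redirects(url, fetch, max_hops=10):
    """Return the URLs visited, stopping on a non-redirect, a loop or max_hops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)   # resolve relative Location headers
        chain.append(url)
        if url in seen:
            break                      # loop: record the repeat and stop
        seen.add(url)
    return chain


def landing_host(url, fetch):
    """Hostname at the end of the redirect chain, i.e. where the sale happens."""
    return urlsplit(follow_redirects(url, fetch)[-1]).hostname


def cluster_by_landing(advertised_hosts, fetch):
    """Group spam-advertised hosts by the host where their redirect chain ends."""
    clusters = defaultdict(list)
    for host in advertised_hosts:
        clusters[landing_host(f"http://{host}/", fetch)].append(host)
    return {landing: sorted(hosts) for landing, hosts in clusters.items()}


if __name__ == "__main__":
    first_tier = ["naqresus.cn", "bampiqid.cn", "niwjogur.cn", "totbagix.cn"]
    for landing, hosts in cluster_by_landing(first_tier, fake_fetch).items():
        print(landing, "<-", ", ".join(hosts))
```

Grouping by landing host is what turns a pile of throwaway .cn names into a short list of sales sites worth blocking or reporting; the loop and hop-count guards matter because redirectors that never settle are common in this kind of infrastructure.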


=================================
Here are the IP addresses of computers which are sending the current Tamiflu campaign:

IP Address, Country Code, ASN, Organization
201.235.219.91 , AR ,10318, CABLEVISION S.A.
190.193.10.190 , AR ,10481, Prima S.A.
200.81.207.105 , AR ,17401, ERTACH S.A.
186.13.216.5 , AR ,19037, CTI Compania de Telefonas del Interior S.A.
190.173.196.121 , AR ,22927, Telefonica de Argentina
190.173.21.54 , AR ,22927, Telefonica de Argentina
190.173.8.216 , AR ,22927, Telefonica de Argentina
190.174.159.53 , AR ,22927, Telefonica de Argentina
190.176.14.126 , AR ,22927, Telefonica de Argentina
190.176.227.108 , AR ,22927, Telefonica de Argentina
190.179.166.201 , AR ,22927, Telefonica de Argentina
190.50.96.179 , AR ,22927, Telefonica de Argentina
190.51.174.251 , AR ,22927, Telefonica de Argentina
190.51.254.122 , AR ,22927, Telefonica de Argentina
201.255.125.35 , AR ,22927, Telefonica de Argentina
201.255.51.164 , AR ,22927, Telefonica de Argentina
190.55.237.125 , AR ,27747, Telecentro S.A.
124.191.20.111 , AU ,1221, ASN-TELSTRA Telstra Pty Ltd
83.97.69.112 , BG ,25206, UNACS-AS-BG UNACS Ltd
187.13.54.42 , BR ,7738, Telecomunicacoes da Bahia S.A.
187.40.244.118 , BR ,7738, Telecomunicacoes da Bahia S.A.
189.13.134.190 , BR ,7738, Telecomunicacoes da Bahia S.A.
189.70.109.220 , BR ,7738, Telecomunicacoes da Bahia S.A.
189.71.143.137 , BR ,7738, Telecomunicacoes da Bahia S.A.
200.149.106.220 , BR ,7738, Telecomunicacoes da Bahia S.A.
201.4.23.138 , BR ,7738, Telecomunicacoes da Bahia S.A.
201.58.144.150 , BR ,7738, Telecomunicacoes da Bahia S.A.
201.35.226.155 , BR ,8167, TELESC - Telecomunicacoes de Santa Catarina SA
189.41.160.159 , BR ,16735, Companhia de Telecomunicacoes do Brasil Central
201.74.149.48 , BR ,19090, Canbras Net Ltda.
201.74.39.225 , BR ,19090, Canbras Net Ltda.
201.75.200.86 , BR ,19090, Canbras Net Ltda.
187.24.154.39 , BR ,22085, Telet S.A.
189.92.202.175 , BR ,22085, Telet S.A.
201.54.82.33 , BR ,22689, Internet By Sercomtel Ltda
189.66.66.197 , BR ,26615, Tim Brasil S.A.
187.35.248.54 , BR ,27699, TELECOMUNICACOES DE SAO PAULO S/A - TELESP
187.35.251.247 , BR ,27699, TELECOMUNICACOES DE SAO PAULO S/A - TELESP
189.110.208.157 , BR ,27699, TELECOMUNICACOES DE SAO PAULO S/A - TELESP
189.68.190.7 , BR ,27699, TELECOMUNICACOES DE SAO PAULO S/A - TELESP
189.78.215.98 , BR ,27699, TELECOMUNICACOES DE SAO PAULO S/A - TELESP
200.153.152.161 , BR ,27699, TELECOMUNICACOES DE SAO PAULO S/A - TELESP
200.171.241.129 , BR ,27699, TELECOMUNICACOES DE SAO PAULO S/A - TELESP
200.204.50.105 , BR ,27699, TELECOMUNICACOES DE SAO PAULO S/A - TELESP
201.27.76.104 , BR ,27699, TELECOMUNICACOES DE SAO PAULO S/A - TELESP
201.92.160.128 , BR ,27699, TELECOMUNICACOES DE SAO PAULO S/A - TELESP
187.22.100.26 , BR ,28573, NET Servicos de Comunicao S.A.
189.121.148.49 , BR ,28573, NET Servicos de Comunicao S.A.
189.123.228.3 , BR ,28573, NET Servicos de Comunicao S.A.
189.6.70.129 , BR ,28573, NET Servicos de Comunicao S.A.
201.80.177.83 , BR ,28573, NET Servicos de Comunicao S.A.
201.83.113.238 , BR ,28573, NET Servicos de Comunicao S.A.
189.39.150.199 , BR ,28611, 614 TVC INTERIOR S/A
190.208.89.187 , CL ,6535, Telmex Servicios Empresariales S.A.
190.22.151.126 , CL ,7418, Terra Networks Chile S.A.
190.22.18.170 , CL ,7418, Terra Networks Chile S.A.
190.82.45.114 , CL ,7418, Terra Networks Chile S.A.
201.223.129.114 , CL ,7418, Terra Networks Chile S.A.
190.95.76.233 , CL ,14117, Telefonica del Sur S.A.
190.100.255.123 , CL ,22047, VTR BANDA ANCHA S.A.
190.161.117.160 , CL ,22047, VTR BANDA ANCHA S.A.
190.164.133.118 , CL ,22047, VTR BANDA ANCHA S.A.
190.46.210.84 , CL ,22047, VTR BANDA ANCHA S.A.
190.47.35.247 , CL ,22047, VTR BANDA ANCHA S.A.
201.241.174.27 , CL ,22047, VTR BANDA ANCHA S.A.
190.29.129.228 , CO ,8065, EPM Telecomunicaciones S.A. E.S.P.
186.80.139.211 , CO ,10620, TV Cable S.A.
186.81.7.191 , CO ,10620, TV Cable S.A.
190.156.211.10 , CO ,10620, TV Cable S.A.
190.9.91.114 , CO ,11581, TRANSTEL S.A.
190.249.0.103 , CO ,13489, EPM Telecomunicaciones S.A. E.S.P.
190.71.114.161 , CO ,13489, EPM Telecomunicaciones S.A. E.S.P.
190.71.2.92 , CO ,13489, EPM Telecomunicaciones S.A. E.S.P.
190.71.4.95 , CO ,13489, EPM Telecomunicaciones S.A. E.S.P.
200.116.134.14 , CO ,13489, EPM Telecomunicaciones S.A. E.S.P.
190.93.128.20 , CO ,19429, ETB - Colombia
186.15.49.166 , CR ,3790, RADIGRAFICA COSTARRICENSE
190.80.220.41 , DO ,6400, Compañía Dominicana de Teléfonos, C. por A. - CODETEL
201.229.183.162 , DO ,6400, Compañía Dominicana de Teléfonos, C. por A. - CODETEL
190.131.8.2 , EC ,27738, Ecuadortelecom S.A.
62.43.185.72 , ES ,6739, ONO-AS Cableuropa - ONO
84.121.179.227 , ES ,6739, ONO-AS Cableuropa - ONO
85.57.205.231 , ES ,12479, UNI2-AS Uni2 Autonomous System
80.174.181.153 , ES ,16338, AUNA_TELECOM-AS Cableuropa - ONO
85.155.9.240 , ES ,16338, AUNA_TELECOM-AS Cableuropa - ONO
217.217.129.206 , ES ,16338, AUNA_TELECOM-AS Cableuropa - ONO
210.7.6.236 , FJ ,9241, FINTEL-FJ Fiji International Telecomunications Ltd
212.198.181.98 , FR ,6678, ASN-NOOS NUMERICABLE is a cable operator,
86.20.85.64 , GB ,5089, NTL NTL Group Limited
92.13.85.34 , GB ,13285, OPALTELECOM-AS Opal Telecom
221.124.212.200 , HK ,9304, HUTCHISON-AS-AP Hutchison Global Communications
221.126.9.43 , HK ,9304, HUTCHISON-AS-AP Hutchison Global Communications
202.138.225.150 , ID ,9657, MELSANET-ID-AP Melsa-i-net AS
117.198.163.112 , IN ,9829, BSNL-NIB National Internet Backbone
58.68.100.157 , IN ,10201, DWL-AS-IN Dishnet Wireless Limited. Broadband Wireless
60.243.7.52 , IN ,17488, HATHWAY-NET-AP Hathway IP Over Cable Internet
121.247.170.127 , IN ,17908, TCISL Tata Communications
121.148.152.77 , KR ,4766, KIXS-AS-KR Korea Telecom
125.248.61.6 , KR ,9316, DACOM-PUBNETPLUS-AS-KR DACOM PUBNETPLUS
123.212.105.100 , KR ,9318, HANARO-AS Hanaro Telecom Inc.
211.117.88.251 , KR ,9318, HANARO-AS Hanaro Telecom Inc.
218.55.52.231 , KR ,9318, HANARO-AS Hanaro Telecom Inc.
219.240.61.169 , KR ,9318, HANARO-AS Hanaro Telecom Inc.
125.178.105.177 , KR ,17858, KRNIC-ASBLOCK-AP KRNIC
89.218.9.59 , KZ ,9198, KAZTELECOM-AS Kazakhtelecom Corporate Sales Administration
196.217.194.169 , MA ,6713, IAM-AS
95.86.34.156 , MK ,49056, INEL-AS-MK INEL-MKD Autonomous System
88.203.61.226 , MT ,12709, MELITACABLE Melita Cable plc
189.162.125.193 , MX ,8151, Uninet S.A. de C.V.
189.162.208.237 , MX ,8151, Uninet S.A. de C.V.
189.179.142.252 , MX ,8151, Uninet S.A. de C.V.
201.173.159.200 , MX ,11888, Television Internacional S.A. de C.V.
190.141.55.9 , PA ,18809, Cable Onda
201.230.170.238 , PE ,6147, Telefonica del Peru S.A.A.
79.184.238.236 , PL ,5617, TPNET Polish Telecom_s commercial IP network
79.186.140.217 , PL ,5617, TPNET Polish Telecom_s commercial IP network
83.20.189.138 , PL ,5617, TPNET Polish Telecom_s commercial IP network
83.25.18.106 , PL ,5617, TPNET Polish Telecom_s commercial IP network
83.27.119.39 , PL ,5617, TPNET Polish Telecom_s commercial IP network
83.5.73.244 , PL ,5617, TPNET Polish Telecom_s commercial IP network
89.77.43.92 , PL ,9141, AS9141 UPC Poland
89.79.102.220 , PL ,9141, AS9141 UPC Poland
77.254.51.3 , PL ,12741, INTERNETIA-AS Netia SA
87.116.230.230 , PL ,21021, MULTIMEDIA-AS Multimedia Polska Sp.z o.o.
79.163.194.181 , PL ,43447, PTK-CENTERTEL-DSL-AS PTK Centertel Sp. z o.o.
85.240.190.23 , PT ,3243, TELEPAC PT.Com - Comunicacoes Interactivas, S.A.
93.102.74.245 , PT ,24698, OPTIMUS-AS Optimus Portugal
85.186.104.105 , RO ,6746, ASTRAL UPC Romania Srl, Romania
195.190.121.194 , RU ,3216, SOVAM-AS Golden Telecom, Moscow, Russia
80.234.42.161 , RU ,15500, Samara Telegraph
93.124.17.218 , RU ,24612, PENZA-SVIAZINFORM-AS JSC Volgatelecom, Penza branch
81.23.116.222 , RU ,24739, SEVEREN-TELECOM Severen-Telecom Autonomous System
95.165.92.251 , RU ,25513, ASN-MGTS-USPD OJS Moscow city telephone network Moscow Russia
95.73.1.188 , RU ,25515, CTCNET-AS Joint-Stock Central Telecommunication Company Autonomous System
94.19.139.90 , RU ,35807, SKYNET-SPB-AS SkyNet LLC AS
92.127.7.33 , RU ,41440, SIBIRTELECOM-AS Sibirtelecom backbone AS
95.78.90.102 , RU ,42116, ERTH-NCHLN-AS ZAO _Telemax_ Company_ Naberejnye Chelny ISP AS
213.160.184.188 , SK ,6855, SK SLOVAK TELECOM, AS6855
58.137.9.158 , TH ,4750, CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company Limited.
78.159.43.105 , UA ,34143, IHOME-AS iHome, Kiev, Ukraine
99.206.61.157 , US ,1239, SPRINTLINK - Sprint
12.99.46.251 , US ,7018, ATT-INTERNET4 - AT&T WorldNet Services
66.57.174.14 , US ,11426, SCRR-11426 - Road Runner HoldCo LLC
66.9.62.186 , US ,16440, ISPACE - Wave2Wave Communications, Inc
24.136.76.34 , US ,20001, ROADRUNNER-WEST - Road Runner HoldCo LLC
65.30.208.77 , US ,20231, ROADRUNNER-CENTRAL - Road Runner HoldCo LLC
209.124.126.41 , US ,20299, Newcom Limited
67.59.46.64 , US ,26554, US-SIGNAL - US Signal Corporation
190.200.41.2 , VE ,8048, CANTV Servicios, Venezuela
201.211.221.122 , VE ,8048, CANTV Servicios, Venezuela

So, of the 149 spam senders in the current group we've seen:

86 - lacnic (Latin American)
38 - ripencc (European)
17 - apnic (Asia Pacific)
8 - arin (North American)
1 - afrinic (Africa)
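An added example, not part of the original post, of how a breakdown like this can be produced from the sender table above: the parser handles the table's loose comma layout, and the country-to-RIR table is an approximation (registry membership really follows the address block, so a proper job would use the RIRs' delegated statistics or whois). The sample rows are copied from the table.

```python
from collections import Counter

# Country code -> regional registry. An approximation used for this example:
# RIR responsibility follows the address block, not the country, so a proper
# breakdown would query the RIR delegated-stats files or whois instead.
COUNTRY_TO_RIR = {
    **dict.fromkeys(["AR", "BR", "CL", "CO", "CR", "DO", "EC", "MX", "PA", "PE", "VE"], "lacnic"),
    **dict.fromkeys(["BG", "ES", "FR", "GB", "KZ", "MK", "MT", "PL", "PT", "RO", "RU", "SK", "UA"], "ripencc"),
    **dict.fromkeys(["AU", "FJ", "HK", "ID", "IN", "KR", "TH"], "apnic"),
    **dict.fromkeys(["US", "CA"], "arin"),
    **dict.fromkeys(["MA"], "afrinic"),
}

# A handful of rows copied from the sender table above, in its own
# "IP Address, Country Code, ASN, Organization" layout.
SAMPLE_TABLE = """\
IP Address, Country Code, ASN, Organization
201.235.219.91 , AR ,10318, CABLEVISION S.A.
190.173.196.121 , AR ,22927, Telefonica de Argentina
190.173.21.54 , AR ,22927, Telefonica de Argentina
187.13.54.42 , BR ,7738, Telecomunicacoes da Bahia S.A.
187.40.244.118 , BR ,7738, Telecomunicacoes da Bahia S.A.
62.43.185.72 , ES ,6739, ONO-AS Cableuropa - ONO
79.184.238.236 , PL ,5617, TPNET Polish Telecom_s commercial IP network
121.148.152.77 , KR ,4766, KIXS-AS-KR Korea Telecom
99.206.61.157 , US ,1239, SPRINTLINK - Sprint
196.217.194.169 , MA ,6713, IAM-AS
"""


def parse_senders(text):
    """Parse the loose comma-separated sender table into dicts.

    Only the first three commas are separators; anything after the third is
    the organization name, which may itself contain commas.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("ip address"):
            continue  # blank or header line
        parts = [p.strip() for p in line.split(",", 3)]
        if len(parts) != 4:
            continue  # malformed line; skip rather than guess
        ip, cc, asn, org = parts
        rows.append({"ip": ip, "cc": cc.upper(), "asn": int(asn), "org": org})
    return rows


def count_by_rir(rows):
    """Counts per registry, like the lacnic/ripencc/apnic/arin/afrinic summary."""
    return dict(Counter(COUNTRY_TO_RIR.get(r["cc"], "unknown") for r in rows))


def top_asns(rows, n=3):
    """Most frequent (ASN, organization) pairs: which networks host the bots."""
    return Counter((r["asn"], r["org"]) for r in rows).most_common(n)


def rir_share(rows, rir):
    """Fraction of senders attributed to one registry, e.g. rir_share(rows, 'lacnic')."""
    if not rows:
        return 0.0
    return count_by_rir(rows).get(rir, 0) / len(rows)


if __name__ == "__main__":
    senders = parse_senders(SAMPLE_TABLE)
    for rir, n in sorted(count_by_rir(senders).items(), key=lambda kv: -kv[1]):
        print(f"{n} - {rir}")
    print("LACNIC share:", round(rir_share(senders, "lacnic"), 2))
    print("Top ASNs:", top_asns(senders))
```

The per-ASN view is the one to hand to an abuse desk: a handful of consumer ISPs account for most of the infected hosts, and those are the contacts that can actually clean them up.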

It's VERY unusual for such a high percentage of a spam campaign to come from South America! The botnet herder whose botnet is being used in this case may have used Spanish-language bait to help spread his malware.

=================================
More spam pill domains from the May 8th Tamiflu spammer, which can all be found at the Superman Internet Cafe . . .

bejgiruv.cn
bewwozep.cn
bidwigeq.cn
bipcarol.cn
bothefic.cn
buvgujus.cn
buxvogeb.cn
cabziqis.cn
cawmonef.cn
ceghuxoq.cn
cejgebav.cn
cezhiqid.cn
ciggecop.cn
cilrowsq.cn
cipsigoy.cn
ciskoyal.cn
ciypohaw.cn
cokyipuf.cn
connibim.cn
cotqoxaq.cn
dantowur.cn
dirjawan.cn
dirzinoq.cn
dosfiyav.cn
dudyosih.cn
dugquqit.cn
fawqaneq.cn
fefbebav.cn
fipmojuf.cn
fipsojes.cn
fivqudex.cn
fodwukuz.cn
fofbadeg.cn
fohqelam.cn
fomxiyay.cn
fubzapox.cn
fujleyil.cn
gacyufoc.cn
gagyinop.cn
gajkiyuy.cn
gatsifoh.cn
gawbesiz.cn
gazkiwog.cn
germopew.cn
gewvamiy.cn
gilqufuc.cn
goyfemiv.cn
gumbawow.cn
guptugap.cn
habdulac.cn
hajcikon.cn
hesdanum.cn
hewmawem.cn
hexpadix.cn
higbijid.cn
hihnuwak.cn
hipnobus.cn
hiqwonis.cn
howtigac.cn
hujneyed.cn
hupmizit.cn
jafnaluf.cn
jirwuxat.cn
jofginis.cn
jokgacoh.cn
jovmuhil.cn
kamnufik.cn
kejxiwut.cn
kimbipok.cn
kirkewut.cn
kisfibes.cn
kizreyat.cn
koptudaf.cn
koygosuf.cn
kucdawep.cn
kukxibak.cn
lebgivub.cn
letjucun.cn
libxamen.cn
lijwituc.cn
lintuten.cn
loctekiq.cn
lohqonir.cn
loqbaxuc.cn
losvukey.cn
lugqubix.cn
lulfapaf.cn
mafcixiz.cn
mapzugeq.cn
marfeber.cn
mecqulez.cn
mejhewav.cn
mihparol.cn
mivxadey.cn
moblasiw.cn
modqopoh.cn
mohkumaf.cn
mowfovet.cn
mozcudan.cn
muksedis.cn
mutcuqid.cn
muzworop.cn
nabpulef.cn
namxugug.cn
neklajok.cn
nimwasur.cn
niydabiv.cn
novmegey.cn
nuhxituz.cn
nulkedas.cn
nuttidal.cn
nuvsigoy.cn
pajtacip.cn
pefvecox.cn
pekzariy.cn
pesjapuf.cn
pezzigef.cn
pixbozeq.cn
porvegim.cn
poxgivid.cn
puzxugus.cn
qihqohil.cn
qilfadek.cn
qoczipik.cn
qogzizoj.cn
qolxofor.cn
qonnebor.cn
rarmatem.cn
rebnahik.cn
recragas.cn
ridrufex.cn
rintayuq.cn
ritvukef.cn
rizfinim.cn
sdgjifoc.cn
sevbujoz.cn
sewtatad.cn
sihpiwoh.cn
sijfopik.cn
soldikom.cn
soxzados.cn
subnakoz.cn
sugqowik.cn
suhhenuv.cn
supyeneq.cn
suxrifuc.cn
talluket.cn
tapfehoz.cn
taypesag.cn
tevfaquh.cn
tikgepij.cn
tiqmifix.cn
tonsagon.cn
tovzulum.cn
toztipax.cn
tujmeqom.cn
tumxagul.cn
vefgefev.cn
vivwiwef.cn
vuhmudey.cn
vujxekuj.cn
vupsogib.cn
waffawew.cn
wawmoxul.cn
wiffofep.cn
witlulap.cn
wivwiqap.cn
wokmeyad.cn
wollehoc.cn
worxezej.cn
wovnuput.cn
xasmomub.cn
xecgohuq.cn
ximvopuk.cn
xiyjucoc.cn
xiysuqiv.cn
xumlodob.cn
yakquyeq.cn
yamniqoz.cn
yanyifej.cn
yatsanak.cn
yawceqel.cn
yebmakuz.cn
yelsecuk.cn
yesonlynoun.com
yikdoyov.cn
yikxuzom.cn
yimpegog.cn
yiwwesap.cn
yodrocak.cn
zabzogaj.cn
zaqzerup.cn
zekxuney.cn
zespudup.cn
zexbenav.cn
zifkevic.cn
zikmigob.cn
zikvupul.cn
zojvapus.cn

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.