On Monday morning, I woke up and started my weekly routine by looking through the spam captured by our traps over the weekend. It feels as though I am still dreaming, because the most notorious pharmacy affiliate program, Spamit, seems to have made good on its threat of closing its doors. Brian Krebs blogged about this last week, citing that “Spamit administrators blamed the impending closure on increased public attention to its program.” So far, we have seen no sign of spam advertising “Canadian Pharmacy” and our SenderBase and SpamCop services are both showing a significant decrease in global spam volumes.
Sun Tzu famously said, “Keep your friends close, and your enemies closer.” Spamit, along with the rest of the fake online pharmacy community, has been very near and dear to us at Cisco Security Intelligence Operations (SIO) for several years. We visited the Subway restaurant in Toronto, Canada, supposedly occupied by “My Canadian Pharmacy,” an affiliate program run by bulker.biz, Spamit’s main competitor.
These affiliate programs solve an interesting problem faced by criminal spammers. It is difficult to accept payments and deliver a physical product while also competing with computer security professionals who are blocking spam email and shutting down websites. The affiliate programs serve the spammers by designing website templates, operating hidden back-end order fulfillment servers, processing credit card payments, shipping and tracking the physical goods and ultimately paying a substantial commission to the spammer.
In order to better understand the structure of these affiliate programs, we broke out our credit cards and went to the source. We placed an order for $84.95 worth of Viagra from My Canadian Pharmacy and tracked it every step of the way.
The affiliate program provided us with a link to a common support website hosted in San Francisco, California. Shortly thereafter, we received a delivery notice from the US Postal Service for a banged-up, padded envelope that had been shipped to us from Mumbai, India.
Inside this package, we found a plastic baggie full of eight anonymous blue pills and a poorly written instruction card. Having established that you do get a physical product, we questioned whether or not the pills were actually what we had ordered and sent them to Toxicology Associates Inc. for analysis. The pills were fake. “Substances found are typical tablet Matrix (i.e. Palmitic acid, Stearic acid, Etc.). No other drugs, pharmaceutical or Controlled substances found.” We were obviously not the only ones who noticed. When we repeated the experiment a few months later, we were delivered tablets containing the active ingredient, this time shipped from Shanghai, China. The affiliate program had discovered the fraud and replaced their supplier.
Knowing where the drugs came from wasn’t enough. We had to prove that the affiliates of these programs were actually spamming. Cisco SIO studied the Storm botnet throughout 2007 and 2008 and discovered a smoking gun relating the botnet to the Spamit affiliate program and proving that the affiliate program itself was complicit in spam. Pharma spam sent by Storm was supposed to look like this:
A random subject line and body were appended with a randomized link to a pharmacy website whose domain name would be rotated rapidly over time in an attempt to outpace the reputation systems that protect mailboxes from spam. Internally, a Storm bot would download a text file of domain names from its controller and include one at random in the email. Unfortunately for Spamit, there was a problem with their software.
Storm was so active that it overloaded the back-end system serving up the list of fresh domain names. Instead of returning a few domain names, the back-end would spit out an error message that said “The system is temporary busy, try to access it later. No data can be lost” and “Copyright Spamit.com, 2007.” The Storm bot would then include the error message verbatim in the spam it sent out instead of the URL, proving that the two were linked and that Spamit was providing more than just fulfillment services for its affiliates.
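The two artifacts described above, a leaked back-end error string embedded verbatim in the message body and a fixed template carrying a rapidly rotating link domain, are both things a mail filter can look for. The following is an added example written for this post, not Cisco SIO code or anything from the Storm or Spamit software: it parses a handful of constructed sample messages (the hostnames and addresses are placeholders), flags bodies that contain the quoted error text, and groups messages by their normalized template so that one template pointing at many distinct domains stands out as a rotation campaign.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed sample messages for the example; the "rx-*.example" hosts are
# placeholders, not real domains seen in the wild. The fourth message carries
# the back-end error text quoted in the post instead of a link.
SAMPLE_SPAM = [
    "From: a@sender.example\nSubject: Hello\n\n"
    "Cheap meds here: http://rx-one.example/?id=17\n",
    "From: b@sender.example\nSubject: Hello\n\n"
    "Cheap meds here: http://rx-two.example/?id=42\n",
    "From: c@sender.example\nSubject: Hello\n\n"
    "Cheap meds here: http://rx-three.example/?id=9\n",
    "From: d@sender.example\nSubject: Hello\n\n"
    "Cheap meds here: The system is temporary busy, try to access it later. "
    "No data can be lost Copyright Spamit.com, 2007\n",
]

# Exact strings the post reports the overloaded back-end returning.
LEAK_SIGNATURES = (
    "The system is temporary busy, try to access it later. No data can be lost",
    "Copyright Spamit.com, 2007",
)

# Group 1 is the host part; \S* swallows the rest of the URL for template hashing.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)\S*")


def body_text(raw):
    """Return the text/plain body of a raw RFC 822 message as a string."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                payload = part.get_payload(decode=True) or b""
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        return "\n".join(parts)
    return msg.get_payload()


def has_backend_leak(raw):
    """True if the body contains one of the leaked back-end error strings."""
    text = body_text(raw)
    return any(sig in text for sig in LEAK_SIGNATURES)


def linked_domains(raw):
    """Set of lowercased hostnames linked from the body."""
    return {m.group(1).lower() for m in URL_RE.finditer(body_text(raw))}


def template_key(raw):
    """Normalize the body so messages differing only in URL and digits collide."""
    text = URL_RE.sub("<url>", body_text(raw))
    text = re.sub(r"\d+", "<n>", text)
    return " ".join(text.split())


def rotation_report(messages, min_domains=3):
    """Map template -> sorted domains for templates that link to many domains."""
    by_template = defaultdict(set)
    for raw in messages:
        by_template[template_key(raw)].update(linked_domains(raw))
    return {key: sorted(doms) for key, doms in by_template.items()
            if len(doms) >= min_domains}


def score_message(raw, rotating_domains):
    """List the reasons a message is flagged; empty list means nothing matched."""
    reasons = []
    if has_backend_leak(raw):
        reasons.append("backend-error-leak")
    if linked_domains(raw) & rotating_domains:
        reasons.append("rotating-domain")
    return reasons


if __name__ == "__main__":
    report = rotation_report(SAMPLE_SPAM)
    rotating = {d for doms in report.values() for d in doms}
    for key, doms in report.items():
        print("rotation campaign:", repr(key), "->", doms)
    for raw in SAMPLE_SPAM:
        print(score_message(raw, rotating), raw.splitlines()[-1])
```

The template key deliberately strips the URL and any digits before comparing, because that is exactly the part the bot randomizes; the leaked error signature, by contrast, is matched verbatim since it is a constant the bot never varied. In a production filter the domain set would feed a reputation lookup rather than a static threshold.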
I am hesitant as I write this blog post. It almost seems too good to be true that Spamit would voluntarily cease its operation and one can’t help but wonder if the tales of its demise are greatly exaggerated. The staff at Cisco Security Intelligence Operations will be glad to see such a destructive operation go away, but find it unfortunate that the criminals behind this operation have not been brought to justice in the process.