Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

Researchers Link Storm Botnet to Illegal Pharmaceutical Sales

Prescription drug spammers are bankrolling botnet's growth, IronPort study says

Botnets are hopped up on Viagra.

That's the conclusion of a new report being issued by researchers at IronPort, Cisco Systems's email security unit, who have identified a link between originators of malware, such as the Storm botnet, and illegal pharmaceutical supply chain businesses that recruit the botnets to send spam promoting Viagra and many other prescription drugs on their Websites.

By converting spam into high-value pharmaceutical purchases, IronPort says, these supply chain enterprises allow the "monetization" of spamming botnets, providing an enormous profit motivation for botnet attacks.

"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy Websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow.

"Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of $150 million per year."

In fact, the "Canadian Pharmacy" Website, which many Storm emails promote, is estimated to have sales of $150 million per year by itself, the report says. The site offers a customer service phone number that goes into voice mail and buyers usually do receive the drugs -- but the shipments include counterfeit pharmaceuticals from China and India, rather than brand-name drugs from Canada, IronPort says.

IronPort's research revealed that more than 80 percent of Storm botnet spam advertises online pharmacy brands. This spam is sent by millions of consumers' PCs, which have been infected by the Storm worm via a multitude of sophisticated social engineering tricks and Web-based exploits. Further investigation revealed that spam templates, "spamvertized" URLs, Website designs, credit card processing, product fulfillment, and customer support were being provided by a Russian criminal organization that operates in conjunction with Storm, IronPort says.

This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy Websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing, and customer support services.

However, IronPort-sponsored pharmacological testing revealed that two thirds of the shipments contained the active ingredient but were not the correct dosage, while the others were placebos. As a result, consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors, the researchers say.

The report offers a broad look at Storm and its evolution, including some of the latest tricks used to recruit bots. Storm increasingly is using a captcha-breaking method that enables it to create free Webmail accounts that can be used to promulgate spam, IronPort says. The botnet is also using Google exploits and iFrame injection attacks, as has been previously reported. (See Sophos: Iframe Worm No. 1 in December.)

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • IronPort Systems

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Florida Town Pays $600K to Ransomware Operators
    Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
    Pledges to Not Pay Ransomware Hit Reality
    Robert Lemos, Contributing Writer,  6/21/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Building and Managing an IT Security Operations Program
    As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
    Flash Poll
    The State of IT Operations and Cybersecurity Operations
    The State of IT Operations and Cybersecurity Operations
    Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-12280
    PUBLISHED: 2019-06-25
    PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element.
    CVE-2019-3961
    PUBLISHED: 2019-06-25
    Nessus versions 8.4.0 and earlier were found to contain a reflected XSS vulnerability due to improper validation of user-supplied input. An unauthenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a users browse...
    CVE-2019-9836
    PUBLISHED: 2019-06-25
    Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) Platform Security Processor (PSP; aka AMD Secure Processor or AMD-SP) 0.17 build 11 and earlier has an insecure cryptographic implementation.
    CVE-2019-6328
    PUBLISHED: 2019-06-25
    HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6329.
    CVE-2019-6329
    PUBLISHED: 2019-06-25
    HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6328.