A Dispatch


December 08, 2009

More "Canadian Pharmacy" B.S.

The so-called Canadian Pharmacy spammers have a new campaign running. Here are some samples:

Subject: Please answer me

Hello, it`s your link or no? :-)
[URL removed]

Best regards,
Victoria

Subject: Please

Hello.
this is your url or no? ;-)
[URL removed]

Best regards,
Nicole

Subject: Wrong

Hi, My name is Mary,
It`s about you or no? [URL removed]
See you later ;-)

All of the links in the messages point to pages on hijacked servers around the world that use JavaScript to redirect to a Chinese site bearing the Canadian Pharmacy name. That Chinese site uses additional JavaScript to capture the referring URL and add it as an argument to an image URL. This would allow the Chinese site owner to register where the user arrived from (although there are other ways to do this directly and discreetly on the server), and possibly pay the spam sender for each redirection to the medz web site.

(Because I examined the source code of the link destinations to find the Chinese site, I was able to view that site's page source code without conveying a referrer.)
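The two behaviours described above can be checked for in saved page source without loading the pages in a browser. The following is an added example, not code from the original post or from the pages it examined: a static triage that reports script-driven redirects leaving the page's host and scripts that feed `document.referrer` into an image request. The sample markup, the `.example` host names and the function names are constructed for illustration, and the co-occurrence check is a heuristic.

```javascript
// Constructed page sources (hosts under .example are placeholders, not from the post).
const HIJACKED_PAGE = `<html><head><script>
window.location = "http://pharmacy-shop.example/";
</script></head><body></body></html>`;

const LANDING_PAGE = `<html><body><script>
document.write('<img src="http://pharmacy-shop.example/t.gif?ref=' +
  escape(document.referrer) + '" width="1" height="1">');
</script></body></html>`;

const BENIGN_PAGE = `<html><body><script>
if (location.protocol !== "https:") { location.href = "/secure/"; }
</script></body></html>`;

// Pull the bodies of inline <script> elements out of saved page source.
function inlineScripts(html) {
  return [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi)].map(m => m[1]);
}

// location = "...", location.href = "...", location.replace("...") / assign("...")
const NAV_RE = /\blocation(?:\.href\s*=|\s*=|\.(?:replace|assign)\s*\()\s*["']([^"']+)["']/g;
// An image request built in script: <img ...>, new Image(), or a .src assignment.
const IMG_SINK_RE = /<img\b|new\s+Image\b|\.src\s*=/i;

// Report script-driven redirects (flagging those that leave the page's host)
// and whether any script uses document.referrer alongside an image request.
function triage(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const report = { redirects: [], referrerBeacon: false };
  for (const js of inlineScripts(html)) {
    for (const m of js.matchAll(NAV_RE)) {
      const target = new URL(m[1], pageUrl); // resolves relative targets too
      report.redirects.push({ target: target.href, offSite: target.hostname !== pageHost });
    }
    if (/\bdocument\.referrer\b/.test(js) && IMG_SINK_RE.test(js)) {
      report.referrerBeacon = true;
    }
  }
  return report;
}

console.log(triage(HIJACKED_PAGE, "http://hijacked-host.example/a.html"));
console.log(triage(LANDING_PAGE, "http://pharmacy-shop.example/"));
console.log(triage(BENIGN_PAGE, "https://site.example/index.html"));
```

The benign sample shows why the off-site flag matters: a same-host redirect to `/secure/` is reported but not flagged.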

One measure of an effective spammer is how successful he is at getting recipients to open a message and (more importantly) act on the message content by clicking a link. These three sample messages have provocative Subject: lines (I'm sure there are others in this campaign) and message bodies that will certainly draw in lots of recipients who will be curious if the link destination has something mentioning the recipient. Instead, they'll be offered their choice of fake medz. The misled victims will be pissed, but the spammer may benefit from that click, and be encouraged to do more of the same.

Posted on December 08, 2009 at 11:15 PM