I’ve been hunting fake “Canadian Pharmacy” sites since last week and have found thousands of unique domains associated with this scam. Here are a few observations that double as tips for hunting these:
- Recently, most fake Canadian Pharmacy sites use the keywords “medic”, “health” and “doctor” in their domain names
- Among the favorite TLDs are “.RU”, “.INFO” and “.COM”
- Most of these domains are hosted on the same server with the same IP, so a reverse DNS lookup on that IP can speed up the hunting process.
- Besides pointing to the same IPs, most of them are also using the same name server for their domains
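To show how the two infrastructure observations above (shared IP, shared name server) combine with the naming pattern into a hunting pivot, here is an added example that is not code from the original post. It runs over constructed passive-DNS style records; every domain, IP and name server in it is an invented placeholder, not real infrastructure.

```python
"""Pivot from a few known-bad domains to the rest of the cluster.

Added example, not from the original post. RECORDS is a constructed set of
(domain, A record, authoritative name server) tuples; all values are made up.
"""
from collections import defaultdict

# Constructed sample records (placeholders only).
RECORDS = [
    ("healthmedic-example.ru",     "198.51.100.7",  "ns1.example-ns.invalid"),
    ("doctor-online-example.info", "198.51.100.7",  "ns1.example-ns.invalid"),
    ("best-medic-example.com",     "198.51.100.9",  "ns1.example-ns.invalid"),
    ("weather-example.org",        "203.0.113.20",  "ns1.other-ns.invalid"),
    ("bookshop-example.com",       "203.0.113.21",  "ns1.other-ns.invalid"),
]

# Naming heuristics taken from the post's observations.
KEYWORDS = ("medic", "health", "doctor")
TLDS = (".ru", ".info", ".com")


def keyword_hits(domain):
    """Return which of the post's keyword/TLD heuristics a domain matches."""
    name = domain.lower()
    hits = [k for k in KEYWORDS if k in name]
    if name.endswith(TLDS):
        hits.append("tld")
    return hits


def group_by(records, column):
    """Group domain names by one column of the record (1 = IP, 2 = NS)."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[column]].append(rec[0])
    return groups


def pivot(records, seeds):
    """Expand a seed set by one hop: every domain that shares an IP or a
    name server with a seed is pulled into the candidate set."""
    by_ip = group_by(records, 1)
    by_ns = group_by(records, 2)
    found = set(seeds)
    for domain, ip, ns in records:
        if domain in seeds:
            found.update(by_ip[ip])
            found.update(by_ns[ns])
    return found


def rank(records, seeds):
    """Score each pivoted candidate: shared infrastructure plus naming hits.
    Returns {domain: [reasons]} so an analyst can see why it was pulled in."""
    candidates = pivot(records, seeds)
    seed_ips = {ip for d, ip, _ in records if d in seeds}
    seed_ns = {ns for d, _, ns in records if d in seeds}
    report = {}
    for domain, ip, ns in records:
        if domain not in candidates:
            continue
        reasons = []
        if ip in seed_ips:
            reasons.append("shared-ip")
        if ns in seed_ns:
            reasons.append("shared-ns")
        reasons += keyword_hits(domain)
        report[domain] = reasons
    return report


if __name__ == "__main__":
    for dom, why in sorted(rank(RECORDS, {"healthmedic-example.ru"}).items()):
        print(dom, why)
```

Only the seed's own cluster is returned; the unrelated `.org` and bookshop domains never share an IP or name server with it, so they stay out even though one of them ends in `.com`. In practice the second column would come from a reverse IP lookup service and the third from NS records, and a second pivot round can be run on whatever the first round pulled in.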
Okay, enough with the hunting tips. Let’s talk about the JavaScript obfuscation I’ve found in one of the fake Canadian Pharmacy’s redirector yesterday.
It started when I received a spam email telling me that my Youtube video has been approved:
The link appears to be legitimate and pointing to Youtube, but of course with basic HTML “A HREF” kung-fu, we see that the link is pointing somewhere else; in this case, it is pointing to the following site, whose page is hosting some obfuscated JavaScript:
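The “A HREF kung-fu” above is a check that can be automated: compare the URL shown as the link text with the host the `href` actually points to. The following is an added example, not code from the original post; the email snippet it parses is constructed, and the redirector and video URLs in it are placeholders.

```python
"""Flag anchors whose visible text is a URL on a different host than the href.

Added example, not from the original post. SAMPLE_HTML is a constructed
imitation of the "your video has been approved" lure; URLs are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """
<p>Your video has been approved.</p>
<a href="http://redirector.example.invalid/go?id=1">http://www.youtube.com/watch?v=abc</a>
<p>Thanks, <a href="https://www.youtube.com/">YouTube</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); enough to ignore www/subdomain noise."""
    parts = host.lower().split(":")[0].split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def deceptive_links(html):
    """Return (href, text) pairs where the text looks like a URL whose host
    differs from the href host. Plain-word labels such as 'YouTube' are
    skipped, since they make no claim about the destination."""
    parser = AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        shown = urlparse(text if "://" in text else "http://" + text)
        if not shown.netloc or "." not in shown.netloc:
            continue
        if registrable(shown.netloc) != registrable(urlparse(href).netloc):
            flagged.append((href, text))
    return flagged


if __name__ == "__main__":
    for href, text in deceptive_links(SAMPLE_HTML):
        print(f"text claims {text!r} but href goes to {href!r}")
```

Only the first anchor is reported: its text claims a YouTube URL while the `href` goes to the redirector host. The second anchor's label is a plain word, so it is not judged, and a link whose text and `href` share a registrable domain passes as well.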
At first, I was thinking it is an exploit kit redirector script. But after performing JavaScript deobfuscation on the code, it was just a fake Canadian Pharmacy’s redirector page:
Let the JavaScript execute, and the page redirects. Here we go, a fake Canadian Pharmacy website:
While I was writing this blog post, my father-in-law came by and asked me how he, as a non-IT-savvy person, could determine whether a pharmacy website is legitimate or fake. Good question! As a quick answer, I would suggest that he (and you) use ScamAdviser.com, a free service that checks whether a website is a potential scam. At Blue Coat, we are aware of these spam/scam techniques; the categorizations most often applied to fake Canadian Pharmacy websites are “Spam”, “Suspicious” and/or “Scam/Illegal/Questionable”, and we recommend that our customers block all of these categories.
That’s all from me for now. Till then, stay safe!
–Adnan Shukor
@xanda