[Another good post from Adnan on our internal blog. We've blogged a little bit this year about our anti-spam research -- basically, we find a lot of spam networks in the course of our malware work, and we block them for our customers as a side benefit -- and this is a good example. --C.L.]
I've been hunting fake "Canadian Pharmacy" sites since last week and managed to find thousands of unique domains associated with this scam. I have some fun points to share as part of my tips for hunting these:
- Recently, most of the fake Canadian Pharmacy sites are using “medic”, “health” and “doctor” keywords in their domain names
- Among the favorite TLDs are “.RU”, “.INFO” and “.COM”
- Most of these domains are hosted on the same server, with the same IP, so performing a reverse DNS lookup can help you speed up the hunting process.
- Besides pointing to the same IPs, most of them are also using the same name server for their domains
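The tips above can be combined into one triage pass; the following is an added example, not code from the original post. The keyword and TLD lists come from the post, while the sample records, function names and the `min_seeds` threshold are assumptions made for illustration.

```python
from collections import defaultdict

KEYWORDS = ("medic", "health", "doctor")  # keywords named in the post
TLDS = ("ru", "info", "com")              # TLDs named in the post

# Constructed sample records (domain, A record, name server); not real observations.
RECORDS = [
    ("sample-medic-one.ru", "192.0.2.10", "ns1.sample-dns.example"),
    ("sample-health-two.info", "192.0.2.10", "ns1.sample-dns.example"),
    ("sample-doctor-three.com", "192.0.2.10", "ns1.sample-dns.example"),
    # No keyword in the name, but same IP and name server as the three above.
    ("sample-rx-four.ru", "192.0.2.10", "ns1.sample-dns.example"),
    # Keyword and TLD match, but hosted alone on unrelated infrastructure.
    ("sample-healthclub.com", "198.51.100.7", "ns1.other-dns.example"),
    ("sample-blog.org", "203.0.113.5", "ns2.other-dns.example"),
]

def name_matches(domain):
    """True when the domain has a listed TLD and a listed keyword in its labels."""
    labels, _, tld = domain.lower().rpartition(".")
    return tld in TLDS and any(k in labels for k in KEYWORDS)

def cluster(records, min_seeds=2):
    """Group domains by (IP, name server); keep groups with >= min_seeds name matches.

    'seeds' are domains flagged by name alone; 'pivoted' are co-hosted domains
    that the name heuristic missed and the shared infrastructure reveals.
    """
    groups = defaultdict(list)
    for domain, ip, ns in records:
        groups[(ip, ns)].append(domain)
    result = {}
    for infra, domains in groups.items():
        seeds = [d for d in domains if name_matches(d)]
        if len(seeds) >= min_seeds:
            result[infra] = {
                "seeds": sorted(seeds),
                "pivoted": sorted(set(domains) - set(seeds)),
            }
    return result

if __name__ == "__main__":
    for (ip, ns), hit in cluster(RECORDS).items():
        print(ip, ns, hit)
```

A lone name match on its own infrastructure is left out of the result, while a domain with no keyword is pulled in through the shared IP and name server.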
It started when I received a spam email telling me that my YouTube video had been approved:
While I was writing this blog post, my father-in-law came and asked me how he could determine (as a non-IT-savvy guy) whether this is a legitimate pharmacy’s website or a fake one. Good question! For a quick answer, I would suggest that he (and you guys) use ScamAdviser.com, a free service to check for potentially “scam” websites. At Blue Coat, we are aware of these spam/scam techniques, and the categorizations mostly used for the fake Canadian Pharmacy websites are “Spam”, “Suspicious” and/or “Scam/Illegal/Questionable” -- and we recommend that our customers block all of these categories.
That’s all from me for now. Till then, stay safe!