Posts Tagged: RX-Partners


24
Apr 20

Unproven Coronavirus Therapy Proves Cash Cow for Shadow Pharmacies

Many of the same shadowy organizations that pay people to promote male erectile dysfunction drugs via spam and hacked websites recently have enjoyed a surge in demand for medicines used to fight malaria, lupus and arthritis, thanks largely to unfounded suggestions that these therapies can help combat the COVID-19 pandemic.

A review of the sales figures from some of the top pharmacy affiliate programs suggests sales of drugs containing hydroxychloroquine rivaled that of their primary product — generic Viagra and Cialis — and that this as-yet-unproven Coronavirus treatment accounted for as much as 25 to 30 percent of all sales over the past month.

A Google Trends graph depicting the incidence of Web searches for “chloroquine” over the past 90 days.

KrebsOnSecurity reviewed a number of the most popular online pharmacy enterprises, in part by turning to some of the same accounts at these invite-only affiliate programs I relied upon for researching my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.

Many of these affiliate programs — going by names such as EvaPharmacy, Rx-Partners and Mailien/Alientarget — have been around for more than a decade, and were major, early catalysts for the creation of large-scale botnets and malicious software designed to enslave computers for the sending of junk email.

Their products do not require a prescription, are largely sourced directly from pharmaceutical production facilities in India and China, and are shipped via international parcel post to customers around the world.

In mid-March, two influential figures — President Trump and Tesla CEO Elon Muskbegan suggesting that hydroxychloroquine should be more strongly considered as a treatment for COVID-19.

The pharmacy affiliate programs immediately took notice of a major moneymaking opportunity, noting that keyword searches for terms related to chloroquine suddenly were many times more popular than for the other mainstays of their business.

“Everyone is hysterical,” wrote one member of the Russian language affiliate forum gofuckbiz[.]com on Mar. 17. “Time to make extra money. Do any [pharmacy affiliate] programs sell drugs for Coronavirus or flu?”

The larger affiliate programs quickly pounced on the opportunity, which turned out to be a major — albeit short-lived — moneymaker. Below is a screenshot of the overall product sales statistics for the previous 30 days from all affiliates of PharmCash. As we can see, Aralen — a chloroquine drug used to treat and prevent malaria — was the third biggest seller behind Viagra and Cialis.

Recent 30-day sales figures from the pharmacy affiliate program PharmCash.

In mid-March, the affiliate program Rx-Partners saw a huge spike in demand for Aralen and other drugs containing chloroquine phosphate, and began encouraging affiliates to promote a new set of product teasers targeting people anxiously seeking remedies for COVID-19.

Their main promotion page — still online at about-coronavirus2019[.]com — touts the potential of Aralen, generic hydroxychloroquine, and generic Kaletra/Lopinavir, a drug used to treat HIV/AIDS.

An ad promoting various unproven remedies for COVID-19, from the pharmacy affiliate program Rx-Partners.

On Mar. 18, a manager for Rx-Partners said that like PharmCash, drugs which included chloroquine phosphate had already risen to the top of sales for non-erectile dysfunction drugs across the program. Continue reading →


20
Aug 12

Inside the Grum Botnet

KrebsOnSecurity has obtained an exclusive look inside the back-end operations of the recently-destroyed Grum spam botnet. It appears that this crime machine was larger and more complex than many experts had imagined. It also looks like my previous research into the identity of the Grum botmaster was right on target.

The “Stats” page from a Grum botnet control panel show more than 193,000 systems were infected with the malware.

A source in the ISP community who asked to remain anonymous shared a copy of a Web server installation that was used as a controller for the Grum botnet. That controller contained several years’ worth of data on the botnet’s operations, as well as detailed stats on the spam machine’s size just prior to its takedown.

At the time of Grum’s demise in mid-July 2012, it was responsible for sending roughly one in every six spams delivered worldwide, and capable of blasting 18 billion spam emails per day. Anti-spam activists at Spamhaus.org estimated that there were about 136,000 Internet addresses seen sending spam for Grum.

But according to the database maintained on this Grum control server prior to its disconnection in mid-July, more than 193,000 systems were infected with one of three versions of the Grum code, malware that turned host systems into spam-spewing zombies. The system seems to have kept track of infected machines not by Internet address but with a unique identifier for each PC, although it’s not immediately clear how the Grum botnet system derived or verified those identifying fingerprints.

Some of Grum’s email lists. Most lists contained upwards of 20 million addresses.

The Web interface used to control the botnet was called “Zagruska Systems,” (“zagruska” is a transliteration of the Russian word “загрузка,” which means “download”). The HTML code on the server includes the message “Spam Service Coded by -= ( Spiderman).”

The password used to administer the botnet’s Web-based interface was “a28fe103a93d6705d1ce6720dbeb5779”; that’s an MD5 hash of the password “megerasss”. Interestingly, this master password contains the name Gera, which I determined in an earlier investigative story was the nickname used by the Grum botmaster. The name Gera also is used as a title for one of several classes of forged email headers that the botnet had available to send junk mail; other titles for falsified header types included the names “Chase,” “eBay” and “Wachovia,” suggesting a possible phishing angle.

Continue reading →


3
Jul 12

Who Says Email Is Eating at Postal Revenues?

Shadowy online businesses that sell knockoff prescription drugs through spam and other dodgy advertising practices have begun relying more heavily on the U.S. Postal Service to deliver prescription drugs to buyers in the United States direct from warehouses or mules within the U.S. The shift comes as rogue online pill shops are seeking ways to lower shipping costs, a major loss leader for most of these operations.

An ad for Rx-Parners pill shop that ships from the US.

Traditionally, a majority of the counterfeit pills advertised and sold to Americans online have shipped from India. But the process of getting the pills from India to customers in the United States is so expensive and fraught with complications that it has proved to be a big cost center for the largest rogue pharmaceutical operations, according to a study I wrote about last month.

“One of the surprising things we found was that shipping dominates program costs,” said Stefan Savage, one of the lead authors on the study, and a professor in the systems and networking group at the University of California San Diego.

The researchers discovered that most rogue pharmacy operations spend between 11 to 12 percent of their annual revenue on shipping costs. Part of the reason for the high cost is that pill shipments from India and elsewhere outside of the United States frequently get delayed or confiscated by U.S. Customs officials. This forces the rogue pharmacies to either refund the customer’s money, or to eat the costs of re-shipping the pills.

Increasingly, however, some of the largest spam affiliate programs are delivering some of their most popular drugs — including erectile dysfunction pills and everything from Accutane to Cipro and Diflucan and Plavix — direct to U.S. buyers from shipping locations within the United States.

“This is why you see pharmacy outfits like RX-Partners, Mailien and Stimulcash picking the most popular drugs and warehousing them in the United States so they can do USPS shipping through mules,” Savage said.

Continue reading →