Just blame Canada: lessons to be learned from a Viagra botnet

When it comes to the scourge of Canadian pharmacy spam emails, it’s tempting to blame Canada. After all, Canada is already to blame for Nickelback, Howie Mandel and Mike Myers’ works ranging from The Love Guru to Donkey’s Christmas Shrektacular.

As with all botnet-related endeavors, however, what these emails appear to be is far from what they actually are. A dive by the online security company Incapsula into the depths of the botnet behind Viagra spam emails revealed a major problem, one that seemingly has no ties to the polite maple syrup lovers of the north.

Botnet business

A botnet is a group of internet-connected devices that have been hijacked and infected with malware in order to allow them to be controlled remotely. This all typically occurs without the owner of a device ever knowing their device has been compromised.

By amassing a botnet, a botnet assembler gives himself or herself access to the impressive collective computing resources of all the devices in the botnet. Botnets can be used to spread malware, perpetrate click fraud, mine Bitcoin and steal data, among other malicious and illicitly profitable activities. Two of the most well-known botnet activities are perpetrating DDoS attacks and conducting spam campaigns like the one run by the so-called Viagra botnet.

Two-pronged attack

When Incapsula intercepted encoded communications from a botnet, they found themselves with the opportunity to take a behind-the-scenes look at the botnet’s operations. What they found was a botnet consisting of 85,000+ infected devices, most of which seemed to be computers or other devices with internet browsing capabilities.

When it comes to its dirty deeds, this botnet has a two-pronged attack, targeting websites for two different but related reasons. Firstly, it infects websites with malware in order to use the domains to send spam emails advertising discount medications, primarily Viagra and Cialis, available from an online “Canadian pharmacy.”

Secondly, it infects other websites in order to plant redirect pages at nonexistent URLs on the victim site, so that anyone who clicks the link in a spam email is rerouted to the “Canadian pharmacy,” an online store that sells counterfeit drugs.
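One way a site owner can look for the second prong in their own access logs: unpublished paths that answer with a 3xx redirect to many distinct clients arriving with no referer (as they would from links in email) are the signature of a planted redirect gateway. This is an added example written for this article, not Incapsula’s code; the log lines, the site’s published path list and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the common "combined" access-log format. Only
# /promo/rx-7781 shows the gateway pattern: not a real page, yet it answers
# 302 to several different client IPs that arrive with no referer.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2015:13:55:38 +0000] "GET /no-such-page HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2015:13:55:39 +0000] "GET /old-page HTTP/1.1" 301 0 "http://example.com/about" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2015:13:56:01 +0000] "GET /promo/rx-7781 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2015:13:56:02 +0000] "GET /promo/rx-7781 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2015:13:56:04 +0000] "GET /promo/rx-7781 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2015:13:56:05 +0000] "GET /promo/rx-7781?u=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2015:13:57:10 +0000] "GET /deals/meds HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed: the paths the site actually publishes (e.g. from its sitemap).
KNOWN_PATHS = {"/", "/about", "/contact", "/blog"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_redirect_gateways(log_text, known_paths=KNOWN_PATHS, min_ips=3):
    """Unpublished paths answering 3xx with no referer, hit by >= min_ips clients."""
    per_path = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # fold query-string variants together
        status = int(rec["status"])
        if path in known_paths or not 300 <= status < 400 or rec["referer"] != "-":
            continue
        per_path[path]["hits"] += 1
        per_path[path]["ips"].add(rec["ip"])
    return {p: {"hits": s["hits"], "distinct_ips": len(s["ips"])}
            for p, s in per_path.items() if len(s["ips"]) >= min_ips}

if __name__ == "__main__":
    for path, s in find_redirect_gateways(SAMPLE_LOG).items():
        print(f"suspect redirect gateway {path}: {s['hits']} hits from {s['distinct_ips']} IPs")
```

A hit on the filter is a prompt to fetch the path yourself and inspect where it sends you, then look for the rewrite rule or injected file that created it.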

Not so Canadian

This Canadian pharmacy, it turns out, is actually 51 different websites being used to sell counterfeit drugs, mainly hosted in China, Vietnam, Malaysia, Russia, Ukraine, France, Romania, Taiwan and Indonesia. The botnet also lays claim to roughly 1,000 domains that are used to send the spam emails.

While it may be tempting to shrug off spam emails, they have been and continue to be a major issue, especially the kind coming from this Viagra botnet, which is designed to bypass spam detection that relies on reputation filtering by spreading its sending across a wide variety of sender domains.

Spam campaigns like this one make money off email users who click the links and then purchase “medication” from the fake Canadian pharmacies. The World Health Organization has estimated that 50% of these fake online pharmacies are selling counterfeit drugs that can contain ingredients such as rat poison, brick dust, inkjet and paint materials. All told, this is a $431 billion per year industry with known ties to organized crime in Ukraine and Russia that is putting human lives at risk.

Lessons to be learned

$431 billion aside, this is obviously not an industry you want to have any part in, neither directly by clicking links and making purchases nor tangentially by having your device or website involved in a botnet. Avoiding spam links may seem easy enough, but it bears repeating: if you can’t be certain where an email originated and you have any reason to distrust the apparent sender, don’t open it, and if you do open it, don’t click any links.

Securing your computer against involvement in a botnet requires using an anti-malware, anti-virus and anti-spyware program; keeping that program, as well as all other software, up to date and patched; not accepting any downloads you didn’t request; being careful about links you click in emails or on social media, even if they seem to come from people you trust; and having your firewall set to a high level of security.

Securing your website against the bots working on behalf of botnets is difficult. Bad bots are designed to be sneaky, circumventing all kinds of security measures. The number of ways malicious bots can access the restricted areas of a website could never be counted. To protect against malicious bots and botnets, a website needs bot access control security that analyzes and classifies all incoming traffic, first distinguishing between human and bot traffic, and then further distinguishing between good bots and bad bots using granular traffic inspection.

Canadian absolution

So it turns out Canada can’t be blamed for the many ills of the Viagra botnet. When you consider that Howie Mandel gives a lot of money to charity and Mike Myers is the reason the world has Wayne’s World, it almost becomes difficult to blame Canada for anything. Luckily Nickelback is still indefensible.

Regardless of who is to blame for these dangerous botnets, the most important takeaway has to be the security measures that will protect devices and websites alike from this contagious and devastating problem that isn’t going anywhere anytime soon.