Shoot the Messenger

Spammer-controlled boxes are performing double duty. This is not surprising given the volume of spam out there these days. These compromised machines, sometimes called botnets, are doing both jobs: sending you the message containing the website address, and acting as the proxy that loads that website, should you be curious enough to click on the link. Taking a closer look at a typical ‘meds’ or ‘pharmacy’ campaign, we noticed that the sites were loading quite slowly. This turned out to be because the domain itself pointed to dozens of compromised machines, none of which hosted the content; each simply relayed the text and images of the web page from elsewhere. Spammers and hackers use compromised machines to avoid detection and to avoid leaving a trail that can be traced back to them. These can be any old machine on the Internet: yours, mine… ok, maybe not mine, I’m running Sophos AntiVirus. Now, if you’re going to run a spam campaign with one website and a great many relays/proxies, it’s impractical to load that content onto each of these machines. That’s why they serve as proxies: spammers can change content centrally without having to update any of the compromised computers.

In one particular case a domain with the .hk suffix (for Hong Kong) was pointing to 20 distinct machines. All of these compromised systems appeared to be running Windows and seemed to be on residential ADSL or cable connections. To give an idea of the real-world distribution of these, here are a few examples: a machine in Los Angeles, California, USA; a machine in Esslingen, Baden-Württemberg, Germany; a machine in Sweden; and a machine in Russia.
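The pattern described above (one campaign domain answering with many unrelated residential machines, each relaying content from a central server) leaves a signature in DNS that a defender can score without ever fetching the page. The following is an added example, not code from the original post or from SophosLabs: it groups constructed DNS answers by name and flags a name when it resolves to many distinct addresses spread across many different /16 networks, using /16 diversity as a cheap stand-in for "many different ISPs". The domain names, the private 10.0.0.0/8 addresses and the thresholds (10 addresses, 8 prefixes) are all assumptions made for illustration, not indicators from the campaign.

```python
"""Score DNS answers for fast-flux style relay networks (added example)."""
from collections import defaultdict
import ipaddress

# Constructed sample DNS answers: (queried name, A record). The .hk name mirrors
# the post's campaign: 20 distinct answers, one per /16, as if each were a
# compromised home connection on a different ISP. The addresses are private
# 10.0.0.0/8 placeholders, not real hosts or indicators.
SAMPLE_A_RECORDS = [
    ("meds-example.hk", f"10.{i}.{(i * 37) % 251 + 1}.{(i * 53) % 251 + 1}")
    for i in range(1, 21)
]
# A legitimate site fronted by a CDN: several answers, but clustered in the
# one or two networks the operator controls (also constructed).
SAMPLE_A_RECORDS += [("cdn-example.com", f"10.100.1.{i}") for i in range(1, 7)]
SAMPLE_A_RECORDS += [("cdn-example.com", "10.101.1.1")]
# A small site hosted on a single machine (constructed).
SAMPLE_A_RECORDS += [("shop-example.net", "10.200.5.5")]


def group_by_name(records):
    """Collect the set of distinct IPs answered for each queried name."""
    by_name = defaultdict(set)
    for name, ip in records:
        by_name[name].add(ipaddress.ip_address(ip))
    return by_name


def distinct_prefixes(ips, prefixlen=16):
    """Return the set of /prefixlen networks the given IPs fall into."""
    return {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}


def score_name(ips, min_ips=10, min_prefixes=8):
    """Heuristic: many distinct answers spread across many networks looks like
    a relay network of compromised hosts rather than one operator's hosting.
    The thresholds are assumptions chosen for this example."""
    ip_count = len(ips)
    prefix_count = len(distinct_prefixes(ips))
    return {
        "ip_count": ip_count,
        "prefix_count": prefix_count,
        "suspicious": ip_count >= min_ips and prefix_count >= min_prefixes,
    }


def flag_relay_networks(records, **thresholds):
    """Score every name seen in the records; returns name -> score dict."""
    return {
        name: score_name(ips, **thresholds)
        for name, ips in group_by_name(records).items()
    }


if __name__ == "__main__":
    for name, score in flag_relay_networks(SAMPLE_A_RECORDS).items():
        verdict = "RELAY-LIKE" if score["suspicious"] else "ok"
        print(f"{name:20} ips={score['ip_count']:2} "
              f"/16s={score['prefix_count']:2} {verdict}")
```

Fed real resolver logs, the same two counters separate a CDN (many addresses, few networks) from a botnet front (many addresses, many networks); in practice you would replace the /16 grouping with ASN or country lookups, which the post's own observation of machines in the USA, Germany, Sweden and Russia suggests is the stronger signal.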

On a more personal note (at least for those of us here in SophosLabs Vancouver, British Columbia), the footer of the website in question includes a very professional-looking line saying “Licensed by The College of Pharmacists of British Columbia”. If you’re wondering, this is indeed a real institution and the address given for it is correct (not far from our offices either); however, the number you are asked to call should you have any questions is prefixed with a Texas area code.

[Image: spam site with Canadian address]