The Spam Omelette #27

Welcome to this week

Week in review:  May 20 – 27


 in Spamland

The word PRIVACY has been identified in messages coming from the notorious virtual medicine shop Canadian Pharmacy. Most of the messages in the campaign are built on an HTML template from WebMD, a legitimate health news company. Please note that the WebMD logo and other visual identity elements have been abused over time by Canadian Pharmacy, but they are not related in any way to the online shop. As WebMD officials state, they have a strong opt-in newsletter policy and do not condone Canadian Pharmacy’s products or spam campaigns.


As usual in Canadian Pharmacy’s spam messages, the privacy and unsubscribe links have been tampered with in order to lead users to the Canadian Pharmacy index page.


2. Spammers say PLEASE

Ranking second in our weekly spam top, the word PLEASE has been identified particularly in spam messages of an interesting flavor: the spammer uses Nigerian scam approaches not for advance-fee purposes, but rather to collect sensitive information such as full name, address, occupation and copies of ID cards – all of which would subsequently be used for identity theft and/or credit card fraud.


These messages are particularly dangerous, so please make sure that you do not disclose sensitive information about yourself to untrusted / unknown persons, especially when such requests come by mail or phone.


here for medicine, phishing and virtual tours

The word CLICK is undoubtedly extremely popular among spammers. It can be identified in just about any unsolicited email message out there. This week, BitDefender’s spam researchers identified the word in multiple mail messages advertising sexual medication, software used for panoramic tours and e-banking phishing letters.


While Canadian Pharmacy spam and other medicine-related content is unlikely to cause security problems to the unwary recipient, phishing attempts can dramatically impact their bank balance.


Please note that banks would never contact the user by mail – when in doubt, contact your bank by phone or directly at the nearest brick-and-mortar unit.


4. E-MAIL strikes back in Canadian Pharmacy uniform

Ranking fourth in this week’s issue of the Spam Omelette, the word EMAIL (also spelled as E-MAIL) has been detected in messages mostly coming from Canadian Pharmacy. Disguised as newsletters from various online stores, the messages feature a centered image linking to one of the Canadian Pharmacy websites.


This week, most of the Canadian Pharmacy spam redirects the user via a Russian portal (the domain name uses the Cyrillic alphabet rather than the Latin one) which not only performs the redirect, but also keeps track of which e-mail address has clicked on the link – a form of email validation that allows the spammer to identify which mail addresses are being operated by a human user.
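
The two link tricks described in this issue (privacy and unsubscribe links rewired to the shop's landing page, and a redirector on a Cyrillic domain) can be checked mechanically on the receiving side. The sketch below is an added example, not BitDefender's filter code; the function name, the finding labels and both `.example` domains are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FOOTER_WORDS = ("privacy", "unsubscribe")

class AnchorCollector(HTMLParser):
    """Collect (href, lower-cased link text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip().lower()))
            self._href = None

def audit_links(html, claimed_domain):
    """Return sorted findings for one HTML mail body (hypothetical helper)."""
    collector = AnchorCollector()
    collector.feed(html)
    is_footer = lambda text: any(w in text for w in FOOTER_WORDS)
    ad_targets = {h for h, t in collector.links if not is_footer(t)}
    findings = set()
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        if is_footer(text):
            # A genuine newsletter keeps these links on the sender's domain.
            if host != claimed_domain and not host.endswith("." + claimed_domain):
                findings.add("footer link leaves claimed domain")
            # Tampered footers reuse the advertised landing URL.
            if href in ad_targets:
                findings.add("footer link equals ad link")
        # Non-ASCII or punycode label: internationalised (e.g. Cyrillic) name.
        if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
            findings.add("internationalised host name")
    return sorted(findings)

# Constructed samples; both domains are placeholders under .example.
SPAM = ('<a href="http://аптека.example/"><img src="cid:banner"></a>'
        '<a href="http://аптека.example/">Privacy Policy</a>'
        '<a href="http://аптека.example/">Unsubscribe</a>')
GENUINE = ('<a href="https://health-news.example/story">Read more</a>'
           '<a href="https://health-news.example/privacy">Privacy Policy</a>'
           '<a href="https://health-news.example/unsub">Unsubscribe</a>')
```

An internationalised host name is not malicious in itself; the finding is a signal to weigh alongside the two footer checks.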


coming soon in an inbox near you

concludes this week’s spam top and has been spotted especially in messages coming from Canadian Pharmacy and its affiliates. This specific spam wave uses a standard, plain-text template and advertises significant discounts on all Pfizer products. Obviously, the Pfizer brand is being abused, as most of the Canadian Pharmacy products have not passed FDA approval and are not related to the genuine drugs produced by Pfizer (the owner of the Viagra brand).


About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.