Canadian Pharmacy Spam with Google Hangouts and WhatsApp

April 04, 2014 | by Jonathan French | canadian, Digital Degenerate, drugs, Google+, hangout, pharmacy, Spam, whatsapp

Candian Pharmacy spam has always been sort of the de facto reference for when people ask me what types of things I see throughout a normal day. We see unique campaigns all the time but there is always some sort of pharmacy spam going on somewhere. They have been so common that hopefully everyone knows about these scam sites by now and to avoid falling for them if you end up on one.They're just out to get any personal information and banking info for victims.

Normally I wouldn't write about Canadian Pharmacy emails since they usually aren't that interesting for the most part. It's almost always an email coming in saying you can buy some sort of cheap drug and a link to the site. Very straightforward. However some recent ones have been changing the tactic a little bit. They are coming in as WhatsApp emails saying you have a voicemail and to click the play button. Some are also claiming to come from Google as missed Hangout notices (hangout being Google's messaging service now). I've seen a small amount of these a few months ago but they seem to be slowly coming back in to focus.


whatsappcpharm resized 600


googhangcanada resized 600

Upon first seeing a sample, I just assumed it was going to be malware since that's been the theme with all of the recent WhatsApp blasts. There was no attachment though and just a link leading to a website. The link format was along the line of "<rand_word>.pl". All of the websites involved appear to be compromised but legitimate websites. Some of the links no longer work but many still do. The pharmacy links they end up redirecting to were two domains registered in Canada and Russia. And of course they were both that classic Canadian pharmacy site look.


candapharmsite resized 600


On a side note, usually the redirect for a compromised site is pretty straightforward with an html meta refresh line. A new thing I noticed was these used a script with hex encoded data, which seemed a little overkill at first for what they did. My best guess is this was to obfuscate the data to an admin that may look at the file on a compromised server. If they see a .pl file and it has a lot of hex in it, they may just overlook it.

canadianpharmhex resized 600


In total there were 25 of these WhatsApp/Hangout spam domains being tracked this morning, with messages totaling to be a little over 1.4 million and all of them failing spam tests. This was also just one particular Candian Pharmacy campaign. There are countless others out there always trying to get someone roped in to falling for the scam.