At the end of this Russia Today article the author suggests "Glavmed partners are preparing to join a new pharmaceutical partnership program if the current one is shut down. Then it will be business as usual."
Where might they be going? Based on what we are seeing in the spam there are a few obvious choices. Most of the spam we have been receiving at the end of last week and through the weekend - more than 20% of our total spam volume - points us to domains that look like this:
Although "US Drugs" has had many look and feels, the thing that ties together this affiliate program is the phone number (800) 998-7978
This phone number is on many different pharma websites, some of which have harder narcotics, such as Vicodin, Percocet, and Hydrocodone such as "buy--viagra.net". These websites are often hosted on a Russian ASN belonging to Galant Ltd, but one of the spam campaigns is currently on Moldovan site AS49544, Complife, which we have seen hosting 1,783 distinct spammed pharmaceutical domains since October 19th on the IP 194.0.221.4 (click for list).
Another of the pharm sites that also uses the telephone (800) 998-7978 looks like this:
This group is currently hosted in Romania, on the IP address 86.55.211.152 (click for list) which has hosted 641 pharma domains since October 26th! prior to that, 2,271 times these domain names were hosted on 86.55.243.102 (click for list).
That leading group is followed by a close second, also almost 20% of our spam volume - for Pharmacy Express:
One of the main locations of this spam campaign's websites has been 188.95.159.61 (click for list) which has hosted 1,060 pharma domains since September 21st! Going back further, there were OEM Software sites and Casino spam sites hosted on the same IP.
Those two prominent spam affiliate programs are followed by a host of also-rans, including:
MediTrust
Acai News
0 comments:
Post a Comment