
Long lost pharmacy brands return, and a new one appears  

Jun 29, 2010 10:58 AM

Posted on behalf of Yuriko Kako-Batt, Junior Data Analyst, Symantec Hosted Services

MessageLabs Intelligence has been monitoring the activities of two pharmaceutical spam gangs: Gang1 and Gang2. These are the two biggest pharmaceutical gangs sending spam all over the world, as mentioned in the March post, 'Pharmacy Spam; Pharmaceutical WEBSITES Fall into Two Distinct Operations', and also in the April post, ‘New Pharmacy Spam Brand Spotted’.

Gang 1:


  • Canadian Pharmacy
  • United Pharmacy
  • European Pharmacy
  • Canadian HealthCare
  • Online Pharmacy


Gang 2:


  • Toronto Drug Store
  • Indian Pharmacy
  • Canadian HealthCare Mall
  • Canadian Pharmacy Network
  • My Canadian Pharmacy
  • Mexican Pharmacy
  • CVSPharmacy


In our measurements, almost all pharmaceutical spam, apart from localized pharmaceutical spam, belongs to the two gangs above, and most of the websites have remained the same. But in May, MessageLabs Intelligence found another pharmaceutical website, “Canadian RX Drugs”, which hadn’t been in use for quite some time and didn’t appear to relate to Gang1 or Gang2. In June, we saw the return of another long-lost brand, “Pharmacy Express”, and one completely new brand, “RX-Savers”.

1) “Canadian RX Drugs”



<Screenshot of “Canadian RX Drugs” website>

Above is the new site we spotted in May. Usually, when a new pharmacy brand website is discovered, it is connected to Gang2, and the new brand appears in volumes similar to the existing brands. But “Canadian RX Drugs”, which has been used in spam before but not recently, exploded onto the spam scene, surprising us with the sudden large volumes of spam related to this brand.

Here are some examples of spam leading to “Canadian RX Drugs”:





<email samples of “Canadian RX Drugs”>

According to spamwiki (http://spamtrackers.eu/wiki/index.php/Canadian_RX_Drugs), “Canadian RX Drugs” has eight related brands, and the group has been in existence since 2007. So these are not new website brands.

However, they have lain dormant for a while.  Several days after discovering the return of “Canadian RX Drugs,” MessageLabs Intelligence came across a URL that led to a different brand website, “The US Drugs,” one of the other eight related websites.



<Screenshot of “The US Drugs” website>

And in June, two other brands of websites appeared.

2) “Pharmacy Express”



<Screenshot of “Pharmacy Express” website>

Here is the second pharmaceutical website, which was seen for the first time in June, with a spam email sample below.



<Spam Email sample of “Pharmacy Express”>

The text of the email says, ‘New outstanding store!’ but according to spamwiki (http://spamtrackers.eu/wiki/index.php/Pharmacy_Express), this site existed in 2004. Like Example One above, this is not a new brand. Also, there was no similarity with other pharmaceutical websites, including Gang1, Gang2 and “Canadian RX Drugs/The US Drugs”. Compared with the number of spam emails for “Canadian RX Drugs”, we could find only small volumes of spam for “Pharmacy Express”.

3) “RX-Savers”



<Screenshot of “RX-Savers” website>



<Spam email sample of “RX-Savers”>

Our test domains started to receive large volumes of this spam, as with “Canadian RX Drugs”. These “RX-Savers” spam emails were sent from one of the most famous botnets: Storm. This brand also seems different from the other gangs discussed above. A check of spamwiki revealed that this new website appeared in May 2010 (http://spamtrackers.eu/wiki/index.php/RX-Savers), although the website claims it has been around for longer, stating “RightRx Ltd 2004-2010” on the front page, shown below.



<Another screenshot of “RX-Savers” website>

The three fake pharmaceutical spam brands, Examples One and Two (returning) and Three (new), appeared at almost the same time in our test domains. According to spamwiki, “Canadian RX Drugs” and “Pharmacy Express” are not brand new, but they have appeared relatively inactive during the last year. It is possible the gangs behind these sites have been concentrating on other projects, and recently, perhaps because times are tough, decided to resurrect these old brands and drum up some fresh trade.

Interestingly, although there are no obvious connections between the two resurrected pharmaceutical brands (Examples One and Two), and the look of the websites and prices for products differ, spam for these brands started to be sent again almost at the same time.  Is this coincidence or is there some connection between the two?   It’s difficult to be certain, but we have seen a number of returning brands in May/June, not only pharmaceutical, but also fake software.  Whatever the reason for this, it’s possible that this is down to the activity of a single gang.  Assuming it is one gang, this leaves us with the following possible new gangs:

Gang3 (thanks to http://spamtrackers.eu/wiki/index.php/Canadian_RX_Drugs)


  • Canadian RX Drugs
  • Canadian Online Pharmacy
  • HealthRefill
  • Medsleader
  • MedrugsPlus
  • The US Drugs (different from the Bulker.biz brand US Drugs)
  • Internet Drugs Pedia
  • Trusted Meds Online
  • Men Drugs Shop
  • + Pharmacy Express??   (We are uncertain as to whether this brand is part of Gang3 based on the website but its spam was sent at an identical time to that of the above brands)

Gang4


  • RX-Savers (can find no relation to Gang1, Gang2, or Gang3)

Comparative product prices between Gang1 and Gang2: 


< Price of “Blue Pill/per” in various pharmaceutical brand websites >

Comparing prices across the various pharmaceutical brand websites, related brand websites show the same prices within each group, Gang1 and Gang2. “Canadian RX Drugs” sells the same product at the cheapest price, as its website claims. “Pharmacy Express” and “RX-Savers” show completely different prices as well.



<“Lowest online prices” advertisement on “Canadian RX Drugs” website>

And the design of the websites and emails for the brands shown in Examples One, Two and Three above looks very different from Gang1 and Gang2 as well.



<Spam sample of Gang2. The link connected to “My Canadian Pharmacy”>

Having no relation to Gang1 or Gang2 means there are other gangs that are also operating pharmaceutical brands. And if they constantly send plenty of pharmaceutical spam in the future, they could become one of the major pharmaceutical gangs like Gang1 and Gang2. Will they continue to send spam emails and operate their brand websites, or disappear again? MessageLabs will continue to monitor these pharmaceutical brands and will provide more information in this blog in the near future.


 
