Security Street Knowledge
  • SCAM ALERT: Canadian Health & Care Mall – Email Fraud
  • Update: April 6, 2011

    I wanted to update you on others who have experienced this same Email Fraudster sending SPAM messages from a compromised account. It appears that the fraudster responsible may have been identified. Their intention may be to steal credit card numbers. You will never receive the product you ordered. It is still unclear how they gain access to the compromised email accounts, such as Yahoo Mail and Hotmail. I have not personally seen messages from Gmail, yet!

    THIS POST IS OPEN FOR COMMENTS.

    Spam Trackers

    http://spamtrackers.eu/wiki/index.php/Canadian_Health%26Care_Mall

    Canadian Health & Care Mall Complaints – Email Fraud

    http://www.complaintsboard.com/complaints/canadian-health-amp-care-mall-c300872.html

    ScamFraud Alert Blog

    http://scamfraudalert.wordpress.com/2009/07/03/canadian-health-care-mall/comment-page-2/#comments

    Gmail Spam Leads Users to Scam Sites Posing as a Canadian Pharmacy

    http://www.cyveillanceblog.com/general-cyberintel/gmail-online-pharmacy-spam

    —————————————————

    Original Post: 3/19/2010

    MOLDOVA HACKER: Case of the Hacked Hotmail

    1. The attacker probably gained access to a Hotmail account via an admittedly “weak password”.

    2. The e-mail below was sent by the attacker while the owner was on Spring Break vacation 3/19/2010:


    Phishing Attack from HotMail


    3. The link http://srprojects.co.in/Hannah.html points to a compromised web server in INDIA whose page source includes the following:

    ————————————————————————–

    SRC="http://94.102.63.151/~barcas/eva/"

    ————————————————————————–

    4. When the above SRC (source) link is decoded by the browser, it translates to:

    http:// 94.102.63.151/~barcas/eva/  (To decode URLs use: http://urldecoderonline.com/ )

    5. Google Safe Browsing claims that suspicious content was last found on the site on 2010-03-20. http://www.google.com/safebrowsing/diagnostic?site=94.102.63.151/&hl=en

    6. …and the final destination a Canadian Health&Care Mall in Chisinau, Moldova selling Viagra?
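    As an added example (not from the original post), here is a small Python triage script that does the work of steps 3 and 4 offline: it pulls every src/href out of a captured page, percent-decodes it, and flags links that leave the page's own host, especially those pointing at a bare IP address. The HTML, host names and address below are constructed samples, not the real page's content.

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote, urlparse

# Constructed sample (not the compromised page's real source): a landing page
# whose SRC attribute has been percent-encoded so the bare IP is not obvious
# to anyone skimming the HTML.
SAMPLE_HTML = '''
<html><body>
<p>Loading...</p>
<iframe SRC="http%3A%2F%2F203.0.113.10%2F%7Ebarcas%2Feva%2F" width="0" height="0"></iframe>
<img src="http://example.invalid/logo.png">
<script src="/static/app.js"></script>
</body></html>
'''

# Matches src="..." / href='...' attributes regardless of case.
ATTR_RE = re.compile(r'\b(src|href)\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(html: str) -> list:
    """Return every src/href value in the page, percent-decoded."""
    return [unquote(m.group(2)) for m in ATTR_RE.finditer(html)]


def is_ip_literal(host: str) -> bool:
    """True if the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(html: str, page_host: str) -> list:
    """Flag decoded links that leave page_host; bare-IP hosts get their own label."""
    findings = []
    for url in extract_links(html):
        parsed = urlparse(url)
        if not parsed.netloc:            # relative reference, served by page_host
            continue
        host = parsed.hostname or ''
        if host == page_host:
            continue
        reason = 'bare-IP host' if is_ip_literal(host) else 'off-site host'
        findings.append((url, reason))
    return findings


if __name__ == '__main__':
    for url, why in triage(SAMPLE_HTML, 'landing.example'):
        print(f'{why:13s} {url}')
```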


    Using GeoIP, a Wireshark plug-in, lets me see the countries I visit when browsing to a suspicious site (GeoIP Link). Interestingly, when visiting the malicious link, there were HTTP REQUESTS going to a system in the Republic of Moldova. Moldova is located between Romania to the west and Ukraine to the north, east and south. Moldova was recently in the news for the arrest of an indicted resident, Oleg Covelin, aka “DoZ”, of Chisinau, Moldova. Oleg Covelin, along with other unidentified individuals, has been indicted by a federal grand jury on charges of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, and aggravated identity theft in an elaborate scheme to steal over $9.4 Million from the credit card processor “RBS WorldPay”. [SOURCE: FBI ATLANTA]

    SUMMARY:
    1. A Hotmail account most likely hacked via a “weak password” or via usage of a public computer while on vacation
    2. An e-mail phishing attack was sent
    3. A link to a compromised system located in INDIA
    4. An embedded and encoded URL
    5. A confirmation by Google that this site has served malicious content
    6. And finally an HTTP REDIRECT ending at a site selling Canadian VIAGRA from Moldova


    Maybe, juuuust maybe, this attack was set up to steal credit card information? 😉 Tell me, what do you think?

