Spam 2.0 leads Facebook users to Canadian Pharmacy ring

By Guillaume Lovet | May 04, 2009

Our sensors (i.e. our digital media person, a rabid fan of Facebook) today caught some interesting Facebook private messages. One of them, sent by a "Friend" to about 100 of her contacts, consisted merely of a domain name, as can be seen below:

[Screenshot: Mass Private Message]

Fortunately for Daniel, he did not know what to do with it (or he knew, but did not want to); yet other recipients may have recognized a domain name, and entered it in their browser's address bar, out of curiosity. After all, that's from Martha, and she usually sends rather funny links.

Of course, the link was not actually from Martha, but rather from a cyber criminal who had compromised her account. Fortunately, contrary to what Martha feared (but one is never too careful, and Martha is wise), the link did not lead to a virus-loaded page, but to a "pharmacy shop" belonging to the infamous "Canadian Pharmacy Ring", and registered at "Directi Internet Solutions" (the new name of the infamous EST Domains registrar). In a nutshell, a typical case of spam 2.0. But while spamvertizement has happened before on Facebook Walls, and worms such as Koobface did leverage Facebook Private Messages to propagate, to our knowledge it's the first instance of spam being distributed via Facebook Messages.

Another point worth mentioning is that while to Daniel's eyes (if we assume his reply was ironic) the message was obviously a domain name, that was not at all the case for Facebook's filters. We have shown in a previous post how Facebook wraps all URLs featured in messages, so as to retain control over the "clicks" performed by recipients, even if those recipients read the message from their regular email account. This one obviously went under the radar, most likely because it did not feature 'http://' or 'www', and used a domain extension (.in) that is also a (very) common word.
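The gap described above can be reproduced with two matchers. This is an added example, not Facebook's filter logic and not code from the original post; the domain `constructed-shop.in`, the function names and the short TLD set are assumptions made for illustration.

```python
import re

# Constructed sample: a message body that is nothing but a bare domain.
SAMPLE = "constructed-shop.in"

# Illustrative TLD subset (assumption); a real filter would load the full
# IANA TLD list or the Public Suffix List.
TLDS = {"com", "net", "org", "info", "biz", "in", "ru", "cn"}

# Matcher that only reacts to an explicit scheme or a "www." prefix.
NAIVE_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

# One DNS label: alphanumeric at both ends, hyphens allowed inside.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# One or more labels, then an alphabetic final label. The lookbehind keeps
# e-mail addresses and mid-word positions from matching.
BARE_RE = re.compile(
    rf"(?<![\w@.-])((?:{LABEL}\.)+([a-z]{{2,24}}))(?![\w-])", re.IGNORECASE
)

def naive_links(text):
    """Links found when 'http://' or 'www.' is required."""
    return NAIVE_RE.findall(text)

def bare_domains(text):
    """Host names whose last label is a known TLD, with or without a scheme."""
    hits = []
    for m in BARE_RE.finditer(text):
        host, tld = m.group(1).lower(), m.group(2).lower()
        if tld in TLDS:
            hits.append(host)
    return hits

if __name__ == "__main__":
    print("naive:", naive_links(SAMPLE))   # misses the bare domain
    print("bare :", bare_domains(SAMPLE))  # flags it for wrapping or review
    # ".in" as an ordinary word is not flagged unless a dot joins it to a label
    print("prose:", bare_domains("Please log in. Then check in with me"))
    # a missing space after a full stop is the false positive to expect
    print("typo :", bare_domains("thanks.in any case"))
```

Because `.in` doubles as a common word, a missing space after a full stop produces a false positive, so hits from the bare-domain matcher are better used to trigger link wrapping or review than to block a message outright.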

The consequence is that although Facebook did react fast, deleting the messages in the Facebook boxes, those that had already reached the regular mailboxes of recipients (most people do have the "forward messages to my email" option enabled) are still there, unwrapped, so Facebook cannot deny access to the link. The downside for criminals, of course, is that it is not clickable.