Spammers Claim Wikipedia for Pharma Fakes

Last year, phishers targeted Wikipedia with a large number of spam emails that directed unsuspecting users to a fraudulent Wikipedia website. Currently, we are observing a new spam tactic being used, which targets the Wikipedia name for the promotion of fake pharmaceutical products.

In the last couple of days, we have observed various spam email messages that use a wiki template to promote bogus online pharmacies. The “Subject” line in these attacks has a lot of randomization. The “From” header is either fake or a hijacked ISP account that gives a personalized look to the email.

Below are some subject lines that were observed in the spam samples:

Subject: wWIKIp
Subject: kWIKIx
Subject: yWIKIg
Subject: hWikiPharmacyl
Subject: oWikiPharmacyp
Subject: uWikiPharmacym

 

In the image shown above, spammers are promoting pharmacy products at a discounted price using a wiki-style layout. The Web page pretends to be that of “WikiPharmacy”. The volume of spam in this latest attack is quite high. Needless to say is that Wikipedia’s popularity is being exploited here, considering its vast knowledge base and popularity. In this case, users have to be very careful not to enter and personal details on these fake sites.

Here are some of the URL patterns seen in these samples:

http://sucullu.[removed].net/wiki14.html
http://cinar. [removed].org.tr/wiki14.html
http://jmleml. [removed].com/wiki14.html
http:// [removed].com.br/wiki15.html
http:// [removed].com/wiki15.html    
http://web164892.web23. [removed].net/wiki15.html

A careful look at the “Subject” line is sufficient to identify this type of spam. However, don’t throw caution to the wind when performing online transactions. Beware of prowling predators who are waiting to pounce on casual netizens. Update your antivirus signatures regularly—Symantec’s antispam technologies identify all such tricks and protect users from such annoying spam emails.

Note: My thanks to Anand Muralidharan and Amit Kulkarni for their contributions to this blog.