The Return of Pharmacy-Themed Spam

Hackers tend to be on the cutting edge of technology, but sometimes they stick with things that have a proven track record. Pharmaceutical-themed spam campaigns are one of those things.

Bad actors continue to use pharmaceutical drugs—both as lures and as part of their spam content—in phishing campaigns targeting individuals and organizations, particularly in the healthcare and pharmaceutical sectors.

In recent weeks, we observed one such email in our email cloud telemetry. Fig. 1 shows the spam email:

Fig. 1 - Spam email
 

Attackers send emails to dozens of recipients, exposing a range of public and corporate addresses in the “TO” field, likely as part of a bulk spam campaign.

Spoofed Identity:

Based on Fig. 1 above, the sender appears as "Men's America" using the email address Men’[email protected]. The domain bears no clear relationship to the display name, which suggests the sender is not who it claims to be. Attackers often rotate or spoof domains to evade detection, and devoxytechnocrats[.]com is one such likely candidate. Many of these emails carry a valid DKIM (DomainKeys Identified Mail) signature. DKIM does not look at the envelope sender at all: the receiving server fetches the public key published in DNS for the domain named in the signature's d= tag and verifies that the signed headers and body have not been altered. Authenticating the envelope sender is SPF's job, and it is DMARC that ties the DKIM d= domain (or the SPF-authenticated domain) back to the From: header the user actually sees.

Figure 2 shows that the DKIM signature in the email header is for devoxytechnocrats[.]com, while the envelope sender is at cloud[.]sparrowhost[.]net. This mismatch is a warning sign in itself: the message was injected by a host that has nothing to do with the domain it is signed for, which is typical of spam sent through compromised or rented hosting. The more important limitation is that a passing DKIM signature only proves the message was signed with the key of the domain's owner, and here the owner is the spammer, or the domain has been compromised. A valid signature therefore says nothing about trustworthiness.


Fig. 2 - Email signed by domain owner

Compromised Infrastructure:

The Received header shows that the email was handed to the mail server locally on cloud[.]sparrowhost[.]net by the hosting account “pracharw”, as shown in Figure 3:

Fig. 3 - Received: from pracharw by cloud[.]sparrowhost[.]net
 

This is most likely a VPS (Virtual Private Server) or shared-hosting box, the kind of infrastructure commonly used for sending spam. The host resolves to the IP address 142[.]132[.]133[.]246, which has already been reported as malicious.

Further analysis shows that the email was sent by a server-side script rather than a standard webmail client, as illustrated in Fig. 4. The evidence is the X-PHP-Script header, which appears as follows:

Fig. 4 - Suspicious PHP script
 

This header records which script on the server called PHP's mail() function, so it points to a likely compromise of devoxytechnocrats[.]com: a malicious PHP script has been planted in a location where no site-specific code belongs (wp-includes is a WordPress core directory) and is being used to send email to many recipients. The script path varies across emails. At the time of analysis, the content of the script in question was not accessible for deeper inspection.
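To make the header checks in the last two sections concrete, here is an added Python example (not code from the post or from Forcepoint). It parses a raw header block, extracts the From, Return-Path (envelope sender) and DKIM d= domains, tests them for DMARC-style alignment, looks for the local-submission trace in the Received header, and reads the X-PHP-Script header. The sample headers are constructed to mirror the post: the hosting account, envelope host, signing domain and script path come from the text above, while the From mailbox, the Exim message id, the date and the client IP (203.0.113.5) are assumptions.

```python
"""Triage a raw e-mail header block for the indicators discussed above:
DKIM/envelope/From alignment, a local hand-off by a hosting account, and
the X-PHP-Script header left behind when a PHP script calls mail()."""
import email
import re
from email.utils import parseaddr

# Constructed sample. Account, envelope host, signing domain and script path
# follow the post; the From mailbox, Exim id, date and client IP are made up.
SAMPLE_HEADERS = """\
Return-Path: <pracharw@cloud.sparrowhost.net>
Received: from pracharw by cloud.sparrowhost.net with local (Exim 4.96)
\t(envelope-from <pracharw@cloud.sparrowhost.net>)
\tid 1uAbCd-0000Ef-Gh; Mon, 02 Jun 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
\td=devoxytechnocrats.com; s=default; h=From:To:Subject:Date;
\tbh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=ZmFrZSBzaWduYXR1cmU=
From: "Men's America" <offers@devoxytechnocrats.com>
To: undisclosed-recipients:;
Subject: Today's Bestsellers
X-PHP-Script: devoxytechnocrats.com/wp-includes/expect.php for 203.0.113.5
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of a mailbox, '' when there is none."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Organisational domain for relaxed DMARC alignment. Two-label
    approximation; production code should use the Public Suffix List."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def aligned(a: str, b: str) -> bool:
    return bool(a) and bool(b) and org_domain(a) == org_domain(b)


def dkim_domain(msg) -> str:
    """Domain from the d= tag of the first DKIM-Signature header."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else ""


LOCAL_SUBMISSION = re.compile(r"from\s+(\S+)\s+by\s+(\S+)\s+with\s+local\b", re.I)


def local_submission(msg):
    """(account, host) when a Received header shows a local hand-off to the
    MTA, the trace cPanel/Exim leaves when a script on the box calls mail()."""
    for rcvd in msg.get_all("Received", []):
        m = LOCAL_SUBMISSION.search(rcvd)
        if m:
            return m.group(1), m.group(2)
    return None


# WordPress directories in which no site-specific PHP should ever send mail.
CORE_DIRS = ("/wp-includes/", "/wp-admin/", "/wp-content/uploads/")


def php_script(msg):
    """(script, in_core_dir) from X-PHP-Script, whose cPanel format is
    '<host>/<path> for <client ip>'. PHP's own mail.add_x_header setting
    writes a comparable X-PHP-Originating-Script header instead."""
    value = msg.get("X-PHP-Script")
    if not value:
        return None, False
    script = value.split(" for ", 1)[0].strip()
    return script, any(d in "/" + script for d in CORE_DIRS)


def triage(raw_headers: str) -> dict:
    """Run the checks and return the extracted fields plus a verdict."""
    msg = email.message_from_string(raw_headers)
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("Return-Path", ""))
    dkim_dom = dkim_domain(msg)
    local = local_submission(msg)
    script, core_dir = php_script(msg)
    reasons = []
    if not aligned(dkim_dom, from_dom):
        reasons.append("DKIM d= domain does not align with From domain")
    if not aligned(env_dom, from_dom):
        reasons.append(f"envelope sender {env_dom} does not align with From {from_dom}")
    if local:
        reasons.append(f"local submission by hosting account {local[0]} on {local[1]}")
    if core_dir:
        reasons.append(f"mail() called from WordPress core path {script}")
    return {
        "from_domain": from_dom, "envelope_domain": env_dom, "dkim_domain": dkim_dom,
        "dkim_aligned": aligned(dkim_dom, from_dom),
        "envelope_aligned": aligned(env_dom, from_dom),
        "local_submission": local, "php_script": script,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "no header anomalies",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

In the sample the DKIM domain aligns with the From domain and the signature would pass, which is exactly the point made above: the spammer owns (or has compromised) the signing domain, so a passing signature carries no trust. What gives the message away is everything else: an envelope sender on a different hosting provider, a local hand-off by a hosting account, and mail() being called from a WordPress core directory.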

However, by examining similar emails, we identified different PHP scripts in use, along with their corresponding responses, as outlined below:

  • akamwenhuuganda[.]org/wp-content/plugins/wp-coordinate-dewey/index[.]php

 

Fig. 4.5 - Observed response


From the observed responses, we infer that the script serves a ZIP file dynamically. The rest of the response is gibberish, most likely an encoded filename or path with fake extensions intended to confuse file scanners; it could also be an obfuscated script or loader. The tags may carry a unique identifier or tracking information.

Malicious Link:

The email includes a deceptive link whose label varies across emails, for example “Click here to apply your 10% discount.” The actual URL behind the text is hxxps://www[.]inpick[.]net/application/view[.]html, though this too varies across emails. The link ultimately redirects users to a fraudulent website posing as a Canadian pharmacy, hxxps://lastonlinesale[.]com/?cp=mc1wsr7s (Fig. 7), which impersonates the legitimate site hxxps://www[.]canadapharmacy[.]com/ (Fig. 8).

Before reaching the fake pharmacy page, users are shown a "security verification" screen (Fig. 5) designed to build trust and make the site appear authentic. A press-and-hold step of this kind also cannot be completed by URL scanners that do not execute JavaScript, so automated analysis tends to stop at the gate rather than at the shop behind it.
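To show how the chain in this section unrolls, here is an added example (not code from the post or from Forcepoint): a small Python redirect-chain follower run against a constructed local stand-in for the lure, gate and shop pages. It follows HTTP Location headers, meta-refresh tags and literal JavaScript assignments to location, and marks a JavaScript hop as gated when it sits behind a mouse or click handler, which is what a Press & Hold page looks like to a scanner that does not execute scripts. The paths and the cp= token mirror the post; the hosts (replaced by a loopback server), the page markup and the timings are assumptions.

```python
"""Unroll a lure -> security-check gate -> fake-shop redirect chain without
executing JavaScript, logging every hop. Runs against a local stand-in."""
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed pages: lure path and cp= token follow the post, markup is made up.
PAGES = {
    "/application/view.html": (302, "/gate/?cp=mc1wsr7s", ""),
    "/gate/": (200, None,
        '<html><body><h1>Security check</h1><button id="hold">Press &amp; Hold</button>'
        '<script>let t;document.getElementById("hold").onmousedown=()=>{'
        't=setTimeout(()=>{window.location.href="/shop/?cp=mc1wsr7s"},1500)};'
        'document.getElementById("hold").onmouseup=()=>clearTimeout(t);</script></body></html>'),
    "/shop/": (200, None, "<html><body>Canadian Pharmacy - 10% discount applied</body></html>"),
}


class FakeSite(BaseHTTPRequestHandler):
    """Serves PAGES; the query string is ignored when looking up the path."""
    def do_GET(self):
        status, location, body = PAGES.get(self.path.split("?", 1)[0], (404, None, "not found"))
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


# Hop extractors. JS_NAV is deliberately crude: it pulls any literal assigned
# to location, whether or not the page would actually run it on load.
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'\s>]+)', re.I)
JS_NAV = re.compile(r'location(?:\.href\s*=|\.replace\(|\.assign\(|\s*=)\s*["\']([^"\']+)["\']')
GATED = re.compile(r'onmousedown|onmouseup|onclick|addEventListener\(', re.I)


class NoRedirect(HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface every 3xx as HTTPError so each hop is logged


OPENER = build_opener(NoRedirect)


def fetch(url):
    """(status, headers, body) for one hop, without following redirects."""
    try:
        with OPENER.open(Request(url, headers={"User-Agent": "Mozilla/5.0"}), timeout=5) as r:
            return r.status, r.headers, r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.headers, ""


def unroll(start, max_hops=8):
    """Follow HTTP, meta-refresh and literal-JS redirects from start, recording
    each hop and flagging JS hops that sit behind a user-interaction handler."""
    chain, url = [], start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        hop = {"url": url, "status": status, "via": None, "gated": False}
        chain.append(hop)
        nxt = None
        if 300 <= status < 400 and headers.get("Location"):
            nxt, hop["via"] = headers["Location"], "http"
        elif (m := META_REFRESH.search(body)):
            nxt, hop["via"] = m.group(1), "meta-refresh"
        elif (m := JS_NAV.search(body)):
            nxt, hop["via"] = m.group(1), "javascript"
            hop["gated"] = bool(GATED.search(body))
        if not nxt:
            break
        url = urljoin(url, nxt)
    return chain


def demo():
    """Start the stand-in site, unroll the chain from the lure URL, stop it."""
    srv, base = start_server()
    try:
        return unroll(base + "/application/view.html")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for hop in demo():
        print(hop)
```

The gate hop comes back with via="javascript" and gated=True: the target is visible in the page source, but a crawler that only executes scripts on load would never trigger the onmousedown handler and would stop there. That is why the gate page itself, not only the shop behind it, is the URL worth blocking.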

Fig. 5 - Simulated verification step (Press & Hold button)

 

Below is a snippet of the deceptive “security check” page content hosted on lastonlinesale[.]com:

 

Fig. 6 - Security check - Deceptive page content

 

Fig. 7 - Fake site

 

Fig. 8 - Real site

 

Conclusion:

Pharmacy-themed spam emails continue to be a common trick used by scammers. These emails often look like real offers from trusted pharmacies, but they hide harmful links. Clicking on them can lead to fake websites or even malware. The goal is to trick as many people as possible. To stay safe, always check the sender’s address, avoid clicking unknown links, and stay informed about common scams. Being alert is your best defence.

Protection Statement:

Forcepoint customers are protected against this threat at the following stages of attack:

  • Stage 1 (Reconnaissance) – Emails are blocked by the email security analytics, and the attackers' sending addresses are blocked as well.
  • Stage 3 (Redirect) – The weaponized URLs redirect to the deceptive security-check page, which is blocked by the real-time security scanner.

 

Top 10 Subject Lines in past week:

 

 

Top 10 Attacker Addresses

 

 

Top Hosting Servers and their Geolocation: 

 

IOCs:

Subjects
  • 💊 For Her and for Him 💊
  • 💊 Today's Bestsellers 💊
  • 💊 Product of the day 💊
  • 💊 Canadian Exclusive 💊

Hosting Servers
  • l1cp[.]vnetindia[.]com
  • vps-9124979[.]andcon[.]com[.]br
  • alpha-cp[.]ncloud[.]africa
  • cloud[.]sparrowhost[.]net
  • server1[.]pahappadns[.]com
  • host[.]leanbody[.]com

Attacker Addresses
  • 24/7Men'[email protected]
  • 24/[email protected]
  • 365Men'[email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • MEN'[email protected]
  • Men'[email protected]
  • Men'[email protected]
  • Men'[email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • 24/[email protected]
  • 365Men'[email protected]
  • [email protected]
  • [email protected]
  • Men'[email protected]
  • Men'[email protected]
  • [email protected]
  • [email protected]
  • 24/7Men'[email protected]
  • 24/[email protected]
  • 24/[email protected]
  • 365Men'[email protected]
  • MEN'[email protected]
  • [email protected]
  • Men'[email protected]
  • [email protected]
  • [email protected]
  • [email protected]
  • 24/7Men'[email protected]
  • [email protected]
  • MEN'[email protected]

Associated URLs of Compromised Domains
  • hxxp[://]andcon[.]com[.]br/Manual/form[.]php
  • hxxp[://]devoxytechnocrats[.]com/wp-includes/expect[.]php
  • hxxp[://]akamwenhuuganda[.]org/wp-content/plugins/wp-coordinate-dewey/index[.]php
  • hxxp[://]alphatrack[.]co[.]za/inc[.]php
  • hxxp[://]leanbodycoaching[.]com/freediscoverycall/app[.]php

Sender IP Addresses
  • 142[.]132[.]133[.]246

Lure URLs
  • hxxp[://]ottplaybox[.]atbroadband[.]co[.]in/images/default[.]html
  • hxxp[://]signals[.]thetradebriefing[.]com/archieves/2024/class[.]html
  • hxxp[://]testinglivesoverknives[.]bueh[.]org/revolution/js/extensions/field[.]html
  • hxxp[://]tienda2[.]webticocr[.]com/app/views/content/service[.]html
  • hxxp[://]vmz[.]a76[.]mywebsitetransfer[.]com/grupofredd[.]com/html[.]html
  • hxxps[://]aliaktan3[.]gunlukbiris[.]com/icons/payments/viewer[.]html

Security Check Deceptive Pages
  • hxxps[://]hillpark365[.]com/
  • hxxps[://]lastonlinesale[.]com/
  • hxxps[://]hotsupport[.]zone/
  • hxxps[://]saledelivery[.]zone/
  • hxxps[://]www[.]saledelivery[.]zone/
  • hxxps[://]globaltopprice[.]com/
  • hxxps[://]hotpriceorder[.]com/
  • hxxps[://]luckdepots[.]com/
  • hxxps[://]trydepots[.]com/
  • hxxps[://]luxlove[.]sbs/
  • hxxps[://]loveyoulabs[.]com/
  • hxxps[://]xsales24[.]com/
 
    Hassan Faizan

    Syed Hassan Faizan is a Security Researcher on the Forcepoint X-Labs Research Team. He devotes his time to researching cyber-attacks that target the web and email, focusing in particular on URL analysis, email security and malware campaign investigation. He is passionate about analysing cyber threats aimed at Windows systems.
