arrow-left-endarrow-right-end

News & Updates

The Latest on Internet Pharmacies, Supplements, Designer Drugs, and Other High-Risk Merchants

Russian rogue Internet pharmacy hacks US government website

As rogue Internet pharmacy networks become more sophisticated, even US government websites are at risk. Today, we’re taking a look at how a rogue Internet pharmacy linked to a criminal network operating out of Russia and Eastern Europe has hacked into a US government website.

The Millennium Challenge Corporation, a US foreign aid agency, utilizes a “.gov” top-level domain, which is assigned to the control of the US government. Domain names ending in .gov are typically administered by the General Services Administration.

A quick visit to mcc.gov indicates that all seems well from the home page. However, a search for drugs like Viagra or Cialis, pharmaceuticals that are frequent targets of counterfeit drug Internet pharmacies, shows results for a no-prescription-required “Canadian” Internet pharmacy (actually run out of Russia) within mcc.gov itself.

Two of the illicit results are located within a folder called “/blog/” that either already existed, or was illicitly uploaded to the mcc.gov server. (The genuine MMC blog is within a folder called /pages/ on the server, not /blog/.) Within this folder are links such as these:

The Video clip code illicitly uploaded to mcc.gov automatically redirects Internet users to therxdrugs.net, a rogue Internet pharmacy that is an affiliate of Russian affiliate network GlavMed, a notorious spam and fraud organization headquartered in Russia. GlavMed is well-known to top Internet security researchers. Here, it is important to differentiate between a blog comment with a hyperlink to an illicit pharmaceutical website (which would not typically constitute hacking), and the automatic redirection of the mcc.gov website itself, which indicates that code has been surreptitiously uploaded to the government server.

As for the rogue Internet pharmacy therxdrugs.net, it is registered to one Alexey M. Arkhipov, with an address in Shilovo, a few hundred miles southeast of Moscow. The domain name registration is via a Chinese Registrar (TodayNIC), and the content is hosted in Germany.

Why would a rogue Internet pharmacy do this? The reasons are found partly in the search algorithms utilized by Google and other search engines, which are thought to give particularly high rankings to .gov websites, or websites linked to by .gov websites. (This is believe to be because .gov domains, like .edu domains, denote credibility.)

The reason for concern here should be clear.

  • First, the security of .gov websites is important. If rogue Internet pharmacies can infiltrate one .gov website, it’s reasonable to ask whether others can be infiltrated as well.
  • Second, GlavMed is not a run-of-the-mill website operated by a small-time prescription drug dealer. GlavMed is arguably the leading rogue Internet pharmacy network in the world, behind copious amounts of unregulated pharmaceuticals, spam, and no-prescription-required sales via the Internet.
  • Third, if a Russian organized crime network (an accurate description for GlavMed) can upload content from a .gov website, then they can download it as well, potentially acquiring sensitive information.

Yet more cause for concern: therxdrugs.net is co-located with a Chinese website, googbot.cn. Googbot was a worm noted by Symantec as “opening a back door on the compromised computer.” To put this in perspective, there are only seven domains utilizing that particular IP address; therxdrugs.net and googbot.cn are two. (Four other are rogue Internet pharmacies; the fifth is yahbot.cn, another Chinese website.) It’s reasonable to view therxdrugs.net and googbot.cn as having a meaningful connection.

Drilling down further, even though there is no obvious content on the home page for googbot.cn, the malicious code remains at googbot.cn/php/example/pharm.txt, which may be the code inserted into the .gov website, as well as others. Indeed, that precise code is uploaded to the website of Baptist Bible College (bbc.edu), within the faculty page of KCCheng, specifically at the URL faculty.bbc.edu/kccheng/?pp=340 as well as faculty.bbc.edu/kccheng/?pp=2201.

With respect to the infiltration of .gov sites by rogue Internet pharmacies run out of China and Russia, the problem is this: if .gov websites are not secure from rogue Internet pharmacies, it’s legitimate to be concerned as to their security from other organized criminal elements that do not have the United States’ best interests at heart.