Microsoft IP Addresses Hijacked by Illegal Online Pharmacies

A group of Russian criminals has been using internet addresses belonging to Microsoft to re-route consumers to more than 1,000 sites, including a number of illegal online pharmacies that may be selling counterfeit drugs, according to The Register.

The news source reports search results from Microsoft’s own servers show that since at least September 22, 1,025 unique websites with names like "seizemed" and "yourrulers" have been using one of two Microsoft IP addresses to host their official domain name system (DNS) servers.

Researcher Ronald F. Guilmette made the discovery and the news source said that it had independently verified his findings.

The Register, along with a number of researchers who specialize in DNS and the take-down of criminal websites and botnets, was able to determine that the two Microsoft IP addresses, 131.107.202.197 and 131.107.202.198, are housing dozens of DNS servers that "convert the pharmacy domain names into the numerical IP addresses that host the sites."

The researchers said that, most likely, a machine on Microsoft's campus has been programmed to perform these conversions after it became infected with malware.

Randal Vaughn, a professor of information systems at Baylor University, said that there are a number of possible explanations for how the Microsoft addresses became hijacked.

"The important part seems to be some sort of compromise appears to be in play," he told the news source. "It could be an NS compromise, an OS compromise, a rogue customer machine, or something else entirely. In order to get the DNS zones entered in there, they must have pwned [electronically compromised] the box."

Vaughn also suggested that servers connected to the Microsoft IPs might be part of a lure that's deliberately hosting the name servers so that researchers can secretly monitor the gang's operations. Another possibility is that the pharmacy operators have subscribed to some sort of managed service offered by Microsoft, said the source.

Microsoft is investigating the findings.

Guilmette, the California-based researcher who initially uncovered the issue, said that he's convinced that Microsoft's system has been compromised by the incident.

Canadian Health&Care Mall is allegedly run by a group known as bulker.biz, Eva Pharmacy, or Yambo Financials, according to Spamtrackers.eu, a site that monitors online scams. The operation, which researchers say also engages in child pornography, identity theft, and rampant spamming, specializes in maintaining websites and name servers that run on infected hosts without the owners' knowledge, the website says. Members are known to infect Linux and Unix machines with custom-written binaries that act as proxy web hosts, according to The Register.

Running websites and DNS servers on infected machines drastically reduces the cost of the illegal operation and reduces the effectiveness of spam filters by using IP addresses from organizations with good reputations, said a researcher who goes by the pseudonym Jart Armin.
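As an added example (not from the article or from the researchers it cites), this is one way an address-space owner could audit passive-DNS or zone data for the situation described above: nameservers for zones it does not operate answering from its own IP addresses. The owned netblock, the zone names and the data rows are constructed assumptions; only the two IP addresses come from the article.

```python
import ipaddress

# Assumption: the /24 enclosing the two addresses named in the article stands in
# for "address space our organization owns".
OWNED_NETS = [ipaddress.ip_network("131.107.202.0/24")]
# Assumption: zones the organization actually operates (hypothetical name).
OWNED_ZONES = {"corp.example"}

# Constructed passive-DNS rows: (zone, nameserver hostname, nameserver IP).
SAMPLE_ROWS = [
    ("pharma-one.example", "ns1.pharma-one.example", "131.107.202.197"),
    ("pharma-one.example", "ns2.pharma-one.example", "131.107.202.198"),
    ("Pharma-Two.example.", "ns1.pharma-two.example", "131.107.202.197"),
    ("corp.example", "ns1.corp.example", "131.107.202.10"),
    ("unrelated.example", "ns1.unrelated.example", "192.0.2.53"),
    ("broken.example", "ns1.broken.example", "not-an-ip"),
]

def in_owned_space(ip_text):
    """True if ip_text parses as an IP address inside one of OWNED_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed rows are skipped, not treated as hits
    return any(ip in net for net in OWNED_NETS)

def is_owned_zone(zone):
    """True if zone is one of OWNED_ZONES or a subdomain of one."""
    zone = zone.rstrip(".").lower()
    return any(zone == z or zone.endswith("." + z) for z in OWNED_ZONES)

def foreign_zones_by_ip(rows):
    """Map each owned IP to the set of non-owned zones using it as a nameserver."""
    findings = {}
    for zone, _ns_host, ip in rows:
        if in_owned_space(ip) and not is_owned_zone(zone):
            findings.setdefault(ip, set()).add(zone.rstrip(".").lower())
    return findings

if __name__ == "__main__":
    for ip, zones in sorted(foreign_zones_by_ip(SAMPLE_ROWS).items()):
        print(f"{ip}: {len(zones)} foreign zone(s): {', '.join(sorted(zones))}")
```

Any non-empty result is a lead for investigation: the host behind that address is answering authoritatively for zones the organization does not run.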

Consumers can verify the legitimacy of their online pharmacy by checking with the National Association of Boards of Pharmacy, nabp.net.