By Ryan Singel
Computers inside pharmaceutical giant Pfizer's network are spamming the
internet with e-mails touting the company's flagship
erectile-enhancement drug Viagra, along with ads for knockoff Rolexes
and shady junk stocks.
But the e-mails are not part of Pfizer's official marketing efforts.
Pfizer's computers appear to have been infected with malware that has
transformed them into zombie computers sending spam at the behest of a
hacker. Oddly enough, they are spamming the public's inboxes with ads
for the company's own product.
"There is a disaster inside this company, and they don't know it," says
Rick Wesson, CEO of Support Intelligence -- a small San Francisco-based
security company that alerted Wired News to the problem.
Wesson says Pfizer computers have been spamming inboxes for the last six
months and that he's kept 600 spam messages sent from company computers.
He says 138 different Pfizer IP addresses have been blacklisted by
various groups, but adds that he can't estimate the number of infected
machines without more information or installing monitoring equipment on
the edge of Pfizer's networks.
To illustrate what might be going on, Wesson says that when his company
found a similar situation at an international shipping company that
employs about 150,000 people, that company's subsequent audit found
2,500 infected computers. Support Intelligence claims to have found
similar spam bots at Bank of America and Toshiba.
However, Pfizer appears to be unaware of the situation, despite several
warnings from Support Intelligence.
"If they (were aware), they would have taken care of the problem,"
Much of the spam originating from Pfizer's machines pretends to be sent
from Gmail accounts, says Wesson. Products hocked include
penis-enlargement products with the names "Mandik" and "Manster," as
well as pharmaceuticals like Viagra, the sleep drug Ambien and the
sedative Valium. The spam also includes ads for Cialis, a Viagra
competitor made by Eli Lilly.
On Tuesday morning between 7 a.m. and 10 a.m., Pfizer's network sent at
least 20 messages about sex and penises, according to Wesson.
The number of infected machines is impossible to determine, because much
of the traffic comes from behind a firewall that obscures the machines'
internal IP addresses.
Support Intelligence tracks spam by monitoring inboxes at 250,000
website domains that it owns -- opening those to allow any and all
e-mail and tracking what they get. It also monitors communications to
and from command-and-control centers, the computers hackers use to give
instructions to a network of zombie computers known as a botnet.
Paul Ferguson works to fight botnets as a network architect for security
giant Trend Micro. He says Support Intelligence does "great work" and
acts responsibly in disclosing security problems.
"They harvest valuable intelligence and share it with the security
community," Ferguson says. "They also do 'due diligence' showing that
even large corporations are subject to security problems, and only do so
when they exhaust other attempts at communicating to them that they have
Support Intelligence says they've seen connections between botnet
controllers and computers inside Pfizer's network.
"Pfizer sticks out like a glaring downed jet in a haystack," Wesson
says. "They constantly send us the most egregious spam. When there is
this much smoke, there is a hell of a fire going on."
Pfizer did not respond to requests for comments.
The flood of spam adds to Pfizer's recent computer security woes. This
summer, the company revealed that it had suffered three breaches of
sensitive data, cumulatively affecting more than 50,000 individuals.
In one breach, a Pfizer employee exposed personal information on 17,000
employees after installing peer-to-peer software on a laptop. In another
breach, confirmed Tuesday, a former employee downloaded sensitive data,
including social security numbers and credit-card information for about
34,000 Pfizer employees.
Wesson says Support Intelligence has warned Pfizer numerous times that
its computers were infected.
In March, Support Intelligence chief operating officer Adam Waters
penned a report about Pfizer's infection, telling the company "an
alarming amount of bot spam has been observed exiting the Pfizer network
indicating multiple system infections." The report included detailed
information about which machines were sending the rogue e-mails.
Though the report was sent to the company at the end of March, none of
the identified problems has been fixed, according to Waters and Wesson.
Support Intelligence has also informed Pfizer of the problem during
sales calls, where the security company unsuccessfully tried to sell the
company network-cleansing-and-monitoring service.
There's no consensus estimate of the number of zombie botnet machines on
the internet, but computer-security experts agree that millions of PCs
are likely to be infected. Hackers use the computers for numerous
nefarious purposes, from sending spam to extorting money from businesses
through denial-of-service attacks.
The malicious power of botnets was displayed in April when Russian
attackers launched sustained denial-of-service attacks against thousands
of government and commercial websites in the small European republic of
Estonia, to retaliate for Estonia's relocation of a World War II
memorial statue of a Soviet soldier.
Hackers build botnets by infesting computers through booby-trapped web
pages and spam infested with attachments or worms that travel from
computer to computer. Most computer users have no idea they are
infected, because the remotely controlled malware often uses a small
fraction of the infected machine's computing power and has no effect on
day-to-day computer usage. To fight this, savvy users often share tips
and tricks for protecting personal computers.
Visit the InfoSec News Bookstore