Canadian Health&Care Mall

From Spamwiki

[edit] Description

Our online ordering system uses the latest in Secure Encryption Technology.
All personal and credit card information is submitted with the highest level
of security and precautions.

Each domain name resolves to an IP address of a hijacked host. Images loaded into web pages, as is common with Bulker.biz hijacked servers, are pulled down from a variety of other hijacked hosts. Each name server used to resolve the domain name to the IP address is also run on yet another hijacked host.

[edit] Fake License

Note the false information: It claims to be "Canadian", yet its alleged head office is in Monroe, Louisiana. The first sentence in the license is "State of Minnesota". A look-up of the "company" in the Minnesota Board of Pharmacy database yields no results. Note the obvious typos and grammatical errors which would not occur on a real license: "...licensed by Minnesota Board..." (missing "the") no space after the comma after "...chapter 151" "...reported in the Application.immediately notify..." (no space after the period, and a lower-case "i" starting the following sentence.

The actual Minnesota Board of Pharmacy has stated clearly that the license on this site is a fake, and pointed out all of the discrepancies in it.

Comment from the Minnesota Board of Pharmacy:

We are very much aware of this issue. It has been an ongoing issue for
over a year. I have turned over information to our state's attorney
general office and have had conversations with FDA investigators. The
problem, as you are probably aware, is that it appears that whoever is
behind this is operating outside the United States.

The fake "license" shows clear indications that it is not valid. There
are misspellings, sentences run together, Board of Pharmacy is not
capitalized.

Anyone who did some comparison shopping would also find that the
websites charge several times more for drugs than legitimate websites.
For example, tramdol sells for $0.64 on Walgreens.com but $2.17 on
bestusdrugs.com.

I will consider putting a statement on our website. Not sure what good
it will do because I have a hunch that many people who actually try to
purchase drugs from these websites already know they aren't legitimate -
and don't care. As long as there are people willing to respond to spam
that they know is illegimate, the spammers will keep operating.

Cody Wiberg, Pharm.D., R.Ph.
Executive Director
Minnesota Board of Pharmacy

[edit] Fake Doctors

Canadian Health&Care Mall started as a multistore based in 
Toronto and Ottawa in early 90s. Operating not just as a 
family pharmacy but also as a store of so- called "useful 
things" Health&Care chain store system grew from year to 
year and resulted in current online project. We tried to 
make use of our previous experience and to create a really 
competing online resource for absolutely any customer. 
Though the idea is standard you may be absolutely sure
that the filling is unique and has no analogues all over 
the Internet. We would like to admit that our online store 
is operating independently from the offline store system.

The site lists its medical staff as "Dr. Edward B. Armington" and "Dr. William Grant," both with impressive resumés. Apparently they and their team also have time on the side for modeling, as gettyimages.com is selling some of the same stock photos:

www.gettyimages.com image #: 200354730-001 [1]	www.gettyimages.com image #: 200335242-004 [2]

These same fake credentials are found on the "Global Canadian Online" spam brand.

This is a common trait across most of the Yambo Financials sites. My Canadian Pharmacy also uses stock photos as portraits of their so-called "physicians" and "staff."

[edit] Fake Offices

The "contacts" page includes addresses for offices in Ontario, Louisiana, and New Delhi, as well as photos of the buildings they claim to occupy at those locations. They even offer to provide a "face to face audience" with one of their managers to anyone who wishes to visit them on site.

But comparing the buildings in the photos to Google Maps satellite images of those addresses shows residential areas with no sign of large buildings like these:

"2110 Oak Aly, Monroe LA"	"2110 Oak St., Monroe LA" (although, admittedly Oak St. does appear to terminate at 21st St., so perhaps this could be called "Oak Alley." But not "Oak Aly." Please.

"121 Hawkswood, Kitchener Waterloo, Ontario, Canada"	"121 Hawkswood Dr, Kitchener, ON N2K, Canada"

The third location, an address in New Delhi, is too inexact for Google maps to locate it; it is unclear if such an address actually exists.

[edit] Fake Registration

Like other Yambo family sites, CH&CM uses identity theft to register its sites. Victims whose personal information has been used to register one of these sites should follow the steps outlined here.

[edit] Sample Spam

Hi there, this is your chance to Heal your healt!
We have various medicament that will assistance you
For the real men we have our special proposal Just CLICK here!
Come on start a new life with our medicament!!!

As our customer you have a chance to check out first to anybody our new page!
Only primal high-grade pharmaceutics at a price you can afford!!
20% guaranteed reduction is for you only!!!

Take notice what said our pleased clients:
From: Brian Zalewski
Subject: Simply Thank you!
"Thank you very much you rendered me festal rebates &
your special offers that preserve time and greens,
offering only medicinal agents of highest quality.
You're of my minions,
I shall tell about your drugstore without fail all my buddies!"

Note some more testimonials at our site!

[edit] History

History of the Spam - followed on from My Canadian Pharmacy

Uses the same process of running its name servers, web site servers and image servers on hijacked hosts.

For example, examining the html source of a sample web page at any one time will find

src="http://82.240.202.162:8080/e/ch/images/spacer.gif"
src="http://201.28.121.171:8080/e/ch/images/aw_verisign.gif"
src="http://217.6.21.195:8080/e/ch/images/aw_fda.gif"
src="http://148.223.209.19:8080/e/ch/images/aw_cpa.gif"
src="http://142.217.131.166:8080/e/ch/images/aw_aq.gif"

for a web site running on 222.161.21.110

The four name servers are meanwhile running on 200.62.226.85 and 80.191.123.206

In total there are 8 different IP addresses involved, all running a trojan proxy name server or web server without their owners' consent.

[edit] Look-alike sites

MycanadarxStore appeared in late October 2007. Its "about us" section is highly similar to that of Canadian Health&Care Mall, including the photos of "Dr. Edward B. Armington" and "Dr. William Grant." However, it differs from the other Yambo sites in that it does not share the image server IP address(es) they all use. It shares its nameservers with Prestige Replicas, not any Yambo sites. So this appears to be a case of plagiarism rather than affiliation.

[edit] How to Report this Spam

The Complainterator is configured to report this spam to the registrars. It performs a "whois" lookup on the domain names used by the name servers that resolve access to the web site. It discovers the registrars that are sponsoring the access to the web site. It prepares a complaint to the sponsoring registrars.

Removal instructions - the registrar needs to set the status of each of the name server domains to

• clientHold
• clientUpdateProhibited
• clientDeleteProhibited
• clientTransferProhibited

To remove them as name servers, the Address records for ns1 and ns2 need to be changed to a non-routable address, such as 0.0.0.0 or a blackhole address within their own address space.

[edit] Sponsor Organization

Bulker.biz is the sponsor organization behind this type of site. They pay spammers to promote it, and they don't shut down illegal spammers.

[edit] Related spam operations

See: Category:Yambo family