Canadian Pharmacy

From Spamwiki

Read the FDA public safety warning.

Description

Igor Anatolyevich Gusev

Acknowledged by Spamhaus as the Internet's worst case of criminal offending, this spam brand has the dubious distinction of being the most heavily spammed domain our staff receives. Russian authorities are pursuing Igor Anatolyevich Gusev, who is thought to be the owner of the Glavmed organization promoting this fraud.

The "Canadian Pharmacy" titled sites are the most common. They may also be labeled European Pharmacy for visitors from IP addresses located outside North America. When accessed from the UK, it may be called United Pharmacy.

Other sites include "PharmSite" and "best online PHARMACY." They are riddled with identical fraudulent claims. Similarly, they are closely related to Dr.Pills and Canadian Healthcare - sharing the same titles.

For simplicity, this entry refers by default to Canadian Pharmacy, but the false claims apply equally to all of these. The exception is "Official" Canadian Pharmacy which lacks the false certification claims.

The copyright statement in the trailers for "PharmSite" and "best online PHARMACY" actually contains the words Copyright Canadian Pharmacy.

Visitors to these sites are cautioned against placing an order over an unsecured connection for any of the products advertised. With so much obvious fraud in the setup of the web site, any reasonable person would be justified in having doubts about passing identity and credit card details to such blatant criminals.


Screenshot gallery:

  • Canadian Pharmacy, April 2007
  • Canadian Pharmacy, March 2007
  • PharmSite, March 2007
  • best online PHARMACY, June 2008
  • October 2009
  • "Official" Canadian Pharmacy, 2010
  • Canadian Pharmacy, December 2010
  • Canadian Pharmacy, 2011
  • Canadian Pharmacy, 2012
  • PharmSite trailer and copyright
  • Canadian Pharmacy, 2013
  • Canadian Pharmacy Links

False Pretenses

False: Verisign secure link claim

Both sites falsely pretend to take your credit card over a secure connection, but the page is served over plain, unencrypted http, and even in their fakery they foolishly left the padlock image unlocked!
Canadian Pharmacy secure.jpg
Here is an example from one site selected at random.

Click on the Verisign Secure Site logo and you are served a page from the same site (not Verisign), and the faked certificate states:

To ensure that this is a legitimate VeriSign Secure Site, make sure that:
  1. The original URL of the site you are visiting comes from treeprovide.hk.
  2. The URL of this page is https://digitalid.verisign.com.
  3. The status of the Server ID is Valid. 

Look at the properties of this fake certificate screen and you find that, instead of https://digitalid.verisign.com, the URL is actually http://www.reasontalk.com/checker2.php (where reasontalk.com, in this case, is the spammed fake pharmacy site). The Verisign certificate is obviously fraudulent. Abuse of the seal can be reported to Verisign.
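The tell described above (a "trust seal" whose link goes back to the pharmacy site itself, over plain http, instead of to the certifying authority) can be checked mechanically. The following is an added example, not code from Spamwiki or from any of the sites discussed; the sample page, the checker path on the pharmacy site and the PharmacyChecker verify path are constructed, and only the three authority domains come from this article.

```python
# Added example, not from the Spamwiki page or the sites it describes:
# audit "trust seal" images on a page and flag seals whose link leads back
# to the page's own site (or is not https, or is not the authority's host).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Keyword found in the seal's image name/alt text -> domain the seal should
# verify against. The domains are the ones the article names; matching is by
# registrable domain, so digitalid.verisign.com passes for "verisign".
SEAL_AUTHORITIES = {
    "verisign": "verisign.com",
    "checker": "pharmacychecker.com",   # "Pharma Checker" fakes also match
    "cipa": "ciparx.ca",
}


def _norm(text):
    """Lower-case and keep only letters/digits ("Pharma Checker" -> "pharmachecker")."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def _host(url):
    """Hostname without a leading www. so www.site.com and site.com compare equal."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class _SealLinks(HTMLParser):
    """Collect (keyword, authority, href) for every seal image wrapped in a link."""

    def __init__(self):
        super().__init__()
        self.href = None        # href of the <a> we are currently inside, if any
        self.seals = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href = attrs.get("href")
        elif tag == "img" and self.href is not None:
            label = _norm((attrs.get("src") or "") + " " + (attrs.get("alt") or ""))
            for key, authority in SEAL_AUTHORITIES.items():
                if key in label:
                    self.seals.append((key, authority, self.href))

    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None


def audit_seals(page_url, html):
    """Return one finding per seal image; an empty 'problems' list means the
    seal links off-site, over https, to the authority's own domain."""
    parser = _SealLinks()
    parser.feed(html)
    page_host = _host(page_url)
    findings = []
    for key, authority, href in parser.seals:
        target = urljoin(page_url, href)        # resolve relative links like /checker2.php
        host = _host(target)
        problems = []
        if host == page_host:
            problems.append("links back to the same site")
        if urlsplit(target).scheme != "https":
            problems.append("not https")
        if host != authority and not host.endswith("." + authority):
            problems.append("host is not " + authority)
        findings.append({"seal": key, "href": target, "problems": problems})
    return findings


# Constructed sample modelled on the article: the Verisign and "Pharma Checker"
# seals link to checker pages on the pharmacy site itself; the third seal is
# what a genuine PharmacyChecker link would look like (hypothetical path).
SAMPLE_PAGE_URL = "http://www.reasontalk.com/index.php"
SAMPLE_HTML = """
<a href="/checker2.php"><img src="Verisign.jpg" alt="Verisign Secure Site"></a>
<a href="http://www.reasontalk.com/pc.php"><img src="seal.gif" alt="Pharma Checker approved"></a>
<a href="https://www.pharmacychecker.com/verify"><img src="pc.gif" alt="PharmacyChecker verified"></a>
"""

if __name__ == "__main__":
    for f in audit_seals(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f["seal"], f["href"], "->", "; ".join(f["problems"]) or "ok")
```

The same check applies to the ADA, Pharma Checker and CIDA seals later in this article: a real seal links out to the certifying body, a fake one links to another page on the same site.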

Canadian Pharmacy trailer.jpg



False: Claims to have "ADA" approval

The link to the American Drug Administration is also served by this fraud site itself. A Google search for "American Drug Administration" turns up only links to this scammer's sites. There appears to be no such entity, except as defined by this fraudster. In fact, it is an attempt to make it look as if the site has FDA approval. The ADA logo is a reworked version of the FDA Centennial 1906 - 2006 logo.

At the bottom is the name of the representative, Kris Thorkelson, Vancouver. He is likewise referenced in the link to the "PharmaChecker" site, again served locally. Kris is a real person, with the right credentials, but he is not amused to find that his identity has been stolen in this way. He writes:

This is one of many web sites created by a group that has been doing a large amount of spamming. 
They copied my information and have been using it without my consent. I have no idea who they
are but as you can see all of their credentials are fake.
 
Good luck in finding out more about these people.

Kris Thorkelson
CEO of the CanadaDrugs.com Group of Companies
Canadian Pharmacy ADA.jpg

A comparison of the fake ADA logo and the genuine FDA logo shows the fraud for all to see.

Comparison   Banner             Logo
Fakes        ADA banner.jpg
Genuine      FDA banner.jpg     FDA Centennial.jpg




False: Claims to have "Pharma Checker" approval

The fraud continues. Both sites pretend to be authenticated by Pharmacy Checker - which they are not. So they set up a link to a fake Pharma Checker instead of the genuine Pharmacy Checker. Notice the fake logos on the left, compared with the genuine ones on the right.

Fake (left)                        Genuine (right)
Pharma Checker logo.jpg            Pharmacy Checker logo.jpg
The fake logo - Pharma Checker     The genuine logo - Pharmacy Checker
Pharma Checker.jpg                 Pharmacy Checker.jpg
The fake seal - Pharma Checker     The genuine seal - Pharmacy Checker

In 2013, they even implemented a fake version of Pharmacy Checker to award themselves a certification! Domain pharmacy-checker1.com was rapidly suspended by the registrar (April 10). They then created another domain, pharmacychecker1.com (April 15).

Fake Pharmacy Checker site (screenshot)


Pharmacy Checker response


We do not endorse this company and they are not affiliated with PharmacyChecker.com in any manner.
The PharmacyChecker.com seal that they publish (“Pharma Checker”) is an unauthorized and adulterated copy.

Donna Miller, Customer Services

False: Claim of "CIDA Rx" approval

The link to the Canadian International Drug Association is a very interesting innovation. No such association actually exists. The criminal who designed the site hoped nobody would notice the subtle name change from the real Canadian International Pharmacy Association.

If you click the link, you see that you are invited to "Report Unauthorized Seal Use". In small print on the next line is a telling reference to "this CIPA Seal". A click on that link opens an email to info@cidarx.ca, so everyone who sends off a report is probably identifying themselves by email to the criminal. A whois lookup on cidarx.ca is surprisingly brief, but does reveal that it was registered through Canadian Internet Registration Authority (NFP) / Autorité Canadienne pour les enregistrements Internet (OSBL).

Canadian Pharmacy CIDA.jpg

Fake (left)                                                    Genuine (right)
CIDARx.jpg                                                     CIPARx.jpg
The fake logo - Canadian International Drug Association        The genuine logo - Canadian International Pharmacy Association
Fake unauthorized seal use reports go to info@cidarx.ca        Genuine unauthorized seal use reports go to info@ciparx.ca
CIDA seal.gif                                                  CIPA seal.gif
The fake seal - Canadian International Drug Association        The genuine seal - Canadian International Pharmacy Association

False: Claim to be Canadian

Both sites have a Contact Us link that states:

Customer Support (click here to mail us sitesupport@pharmsupport.us)

The choice of ".us" is presumably to give the impression that this is registered in the USA, which is the site's target marketplace. So where is the registrant for this domain?

A WHOIS lookup on pharmsupport.us reveals where the operation is possibly located:

Domain Name:                 PHARMSUPPORT.US
Domain ID:                   D10685285-US
Sponsoring Registrar:        DIRECT INFORMATION PVT LTD DBA PUBLICDOMAINREGISTRY.COM
Domain Status:               ok
Registrant ID:               DI_2607867
Registrant Name:             Alex Markovich
Registrant Organization:     Be SEO
Registrant Address1:         Sadovo-spasskaya st. 15-19
Registrant City:             Moscow
Registrant State/Province:   Moskovskaya oblast
Registrant Postal Code:      125021
Registrant Country:          Russian Federation
Registrant Country Code:     RU
Registrant Phone Number:     +007.4952582102
Registrant Email:            beseo@bk.ru

Another Alex in the Russian Federation.

Fake Pharmacy License

Like Pharmacy Express, the latest version of Canadian Pharmacy displays a "Drug Reselling License" supposedly issued by the New Zealand Board of Pharmacy. Such an entity does not exist. The address of Canadian Pharmacy is given as 3 Akoranga Drive, Northcote, Auckland, New Zealand. This address does exist, and it is an outlet for a legitimate New Zealand online pharmacy, but it is not Canadian Pharmacy.

The license that can be viewed from the false Canadian Pharmacy site has obvious errors.

  1. It is issued by a "New Zealand Board of Pharmacy", whereas no such Board exists (New Zealand has a "Pharmacy Council of New Zealand").
  2. It is supposedly issued to Canadian Pharmacy, but at an address which does not belong to them.
  3. It uses US English spelling for the word "license". No New Zealand certificate would use US spelling; it would be spelled "licence", because New Zealand uses UK English for official documents.
  4. No certification authority would allow grammatical errors in a document, such as "The license is required by law to immediately notify the New Zealand Board of Pharmacy ...".
  5. The forged certificate infringes the copyright of the legitimate owner, New Zealand's Pharmacy Express.
  6. If it was truly a Canadian Pharmacy, it would neither be located nor licensed in New Zealand!

No Pharmacist Oversight

Although most of the spam for Canadian Pharmacy hawks drugs for impotence, and there are lots of controlled substances with street value advertised, their website offers a wide range of medications for serious medical illnesses as well.

These may only exist to give the impression this is a real pharmacy instead of a scam. The prices for these other drugs are significantly higher than what they are in US bricks-and-mortar pharmacies to people with prescriptions. On the other hand, there are people who do not visit their doctors or get required monitoring tests and whose doctors will stop writing prescription refills for them. Those people may be willing to pay the extra money in order to obtain drugs without prescription.

What is the rationale for requiring prescriptions for drugs that aren't narcotics, anyway?

  • They treat conditions that require medical training to diagnose
  • Medical testing/monitoring must be done to see if they are working adequately
  • They may have risks that someone without medical training would not fully understand, or risks that cannot be evaluated without medical testing.

For instance, the cholesterol drug lovastatin requires a prescription. You need a blood test to know if you have high cholesterol, you need a blood test to know if the dose you are taking is lowering your cholesterol adequately, and you need a blood test to make sure you are not one of the people who get liver damage from it. (Of course, in the case of drugs of uncertain origin, like those that may be shipped to you if you order from CPh, if your blood test shows your cholesterol is still high, even your doctor won't know whether the problem is that you need a higher dose of lovastatin or that you were shipped a batch of fake pills with no active ingredients.)

People who have ordered drugs from CPh report sometimes receiving placebo pills that mimic the appearance of real drugs, and sometimes getting drugs with active ingredients, though often the dose contained is higher or lower than it is supposed to be. Many drugs require each patient's dose to be individually adjusted, and a pill whose dose is too high or low could put a patient in the toxic range or leave them at risk of their medical condition going out of control. A classic example of such a "narrow therapeutic index" drug is warfarin (Coumadin), a drug initially invented as rat poison because it is more toxic to rodents than to people. If the dose of warfarin is too high, a person may die of internal bleeding in the brain or stomach. If it is too low, he may die of blood clots in the lungs or suffer strokes due to clots to the brain. Warfarin pills come in an unusually large variety of strengths, but even so, there is so much variability in requirement from one person to another that someone could end up having to take different size pills on different days of the week to get the level to stabilize in the correct range. People must undergo frequent blood tests to check that level, as warfarin interacts with multiple drugs as well as with vitamin K in food.

It's very frightening that a drug like warfarin is being sold by CPh to people without prescriptions who may not be getting the proper monitoring. But it's even more frightening when you realize there appears to be no one involved in the operation with even the most basic knowledge of pharmacy.

Case in point is their 2009 "free Viagra" promotion. All their websites put a few free tabs of "Viagra" in every shopping cart at checkout:

Slntgjul09.jpg => Cph nitro killer.jpg


Viagra's active ingredient, sildenafil, is not dangerous to the heart itself, but there is a severe interaction with drugs in the nitrate family that can cause shock (severely low blood pressure, so low that brain, heart, and kidney damage or death can occur). Viagra is prescription only in part because drugs in that family don't always have the word "nitro" in the name, so people may not realize they are taking nitrates.

But in the example in the above image, it's not subtle. It's an order for nitroglycerin, the most famous member of the nitrate family. It's hard to imagine any pharmacist so incompetent or undeserving of a license that he/she would remain associated with a website that would even have ads promoting Viagra on the same page as an order for nitroglycerin, let alone throwing a few tabs into the shopping cart unbidden. It's more likely there are no pharmacists involved whatsoever.

If this interaction is so dangerous, why aren't we hearing of deaths? There are several possibilities:

  • they don't really sell nitroglycerin and the whole ordering process is a sham to make it appear this is a real pharmacy
  • there's no real sildenafil in their fake Viagra tablets
  • even if someone did have an interaction, the interaction was mistaken for consequences of the heart disease itself. One can imagine that a man who has ordered drugs without a doctor's prescription may be using drugs for impotence without telling his partner. If he has chest pain, takes some nitroglycerin, then collapses and dies, it's likely to be attributed to death from a heart attack. No one may even know he was taking drugs he bought on line. Extensive coroner's autopsies with toxicology testing are only done when foul play is suspected. CPh could be leaving a trail of bodies with no one realizing it.



Spam Examples

French

Vous avez cache vos Pilules. Vous pouvez les obtenir rapidement et facilement. 
Il vous suffit de regarder chez nous, vous obtenez pres de nous autant de Pilules, 
comme vous avez besoin.

Regardez chez nous et achetez les meilleures Pillules, vous les connaissez. 
La meilleure Pharma en ligne, nous nous connaissons avec les Pilules, vous pouvez 
nous faire confiance. Seuls les meilleurs pour nos chers clients.
 
http://landdictionary.com

The structure and use of French (along with the multitude of errors) clearly indicates that the text was translated literally, most likely using computer software.

French spamvertized domains:

  • corncentury.com
  • repeatparent.com
  • correcttruck.com
  • severalwhole.com
  • landdictionary.com

Being that prescription drugs are available for free (or next to free depending on your mutuelle) in France, I fail to see the point of targeting this market, though it does indicate a certain desperation on the part of the spammer.

English

In July 2009, the CPh spammers apparently felt their spam would be more trusted if disguised as an ecard trojan:

Subject: You've received a greeting ecard 

Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

http://wallmotion.com/

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!
 
VIAGRA 

If you have a problem getting or keeping an erection, your sex life can suffer.
You should know that you’re not alone. In fact, more than half of all men over 40
have difficulties getting or maintaining an erection. This issue, also called
erectile dysfunction, occurs with younger men as well!

You should know there is something you can do about it.
Join the millions of men who have already improved their sex lives with VIAGRA!

VISIT STORE ONLINE!

Dear valued member.

MyCanadianPharmacy provides a wide range of pharmaceutical products. You   
will be surprised by the selection of products available. 

Still ordering your Products in American drug stores? Try cheaper Canadian 
products of the same quality.
Don?t miss the possibility to buy the best pharmaceutical products at the 
best possible prices.

Click here and see a wide range of products to choose from
http://makesame.hk

Absolute security and confidentiality guaranteed.
You will be satisfied with the variety of drugs available.

Yours faithfully,
Ethan Crofoot


Image spam:

An example of image spam for Canadian Pharmacy, May 2007
This is nearly identical to several spams received for a variety of fake / illegal "OEM software" sites, notably Downloadable Software

It is also clear that this image is identical to that used on the Canadian Health&Care Mall site.


Another example for Canadian Pharmacy, June 2007
This one co-opted the html template for a recent legitimate email from Kraft Foods.



Canadian Pharmacy Spam from December 2007
In late 2007, Canadian Pharmacy began the unauthorized use of the Men's Health magazine brand, going so far as to claim the address of Rodale, Inc., its publisher. Needless to say, all links from the headlines for the supposed articles actually linked to Canadian Pharmacy web sites. The email appeared rather professional as spam goes, if you overlooked the photo of the topless woman.


Sponsoring Registrars

Redirections

Microsoft spaces.live.com

Each spaces.live.com URL spammed provides a web page on Microsoft's abused service that will redirect to one of a range of spam brands. Each brand represents an illegal web site that indulges in fraud and misrepresentation. It is strongly recommended that visitors do not provide their identity and credit card details on any of these sites. They are run by criminals who use credit cards to order domain names for spamming, or to sell stolen identities within their own "carding" community. Canadian Pharmacy is one of several brands targeted.

Google Groups

Redirections using Google Groups remain very common in July 2009. Google recognizes the problem and inserts a page identifying the link as possible spam, but does not shut down some very obvious frauds. For instance, the link illegally using Pfizer's name

groups.google.com/group/pfizer-online

links to buybegin.com, with the continued assistance of Google.

Google Blogspot/Blogger

Google Blogspot redirections, March 2008, are listed at Blogspot. Blogspot redirections are a move to try to evade filters and complaints against the target sites. Existing reporting tools focus on the spammed URL, so the spammer hopes that the actual site will be obscured from reporting tools.

Yahoo Groups

While Yahoo does shut these down, they are being spammed at high frequency for Canadian Pharmacy and other pharma and replica scams. Example:

groups.yahoo.com/group/bykobusebonaso/message/1

redirects to sweetcould.com.

Yahoo! Geocities

Yahoo! Geocities is also used for redirections. In May 2008, these were seen to be averaging over 600 per day as detected in spam traps and spam honey pots. The reports can be seen in the URIBL.COM Geocities abuse tracking system.

Storm Trojan

As of March 21, 2008, Storm Trojan infected machines were found to be redirecting to four different fake pharmacy sites using the format http://xxx.xxx.xxx.xxx/anything/

For Canadian Pharmacy, the redirection sites detected were:

  • fruitlot.com
  • samevalue.com
  • lednose.com
  • discussin.com
  • wrongsame.com
  • grasschange.com
  • pathsix.com
  • writeprovide.com

Each of these in turn was running on another botnet, 20 IPs at a time in a round robin refreshing every 5 minutes.

On May 19, 2008 the redirections were seen to be:

  • catsharp.com
  • followequate.com
  • lowsmell.com
  • picturewest.com
  • posestory.com
  • printlength.com
  • producemorning.com

Name Servers

October 2009

Network Solutions has taken a service contract with 'Registrant: Dvoshilin, Michail' for the name server domain NSCONTROL.COM. That domain runs these name servers, according to the WHOIS listing:

Domain servers in listed order:
       NS1.NSCONTROL.COM       91.208.162.9
       NS2.NSCONTROL.COM       91.209.183.61
       NS3.NSCONTROL.COM       91.209.183.21
       NS4.NSCONTROL.COM       91.209.183.21
       NS5.NSCONTROL.COM       91.208.162.5

Those IP addresses are owned by Andrey/Andrew Smirnov of GlavMed:

inetnum:        91.208.162.0 - 91.208.162.255
netname:        RUSDESIGN-NET
descr:          RusDesign Ltd
country:        RU
org:            ORG-RL57-RIPE
admin-c:        AS13070-RIPE
tech-c:         AS13070-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         RUSDESIGN-MNT
mnt-routes:     RUSDESIGN-MNT
mnt-routes:     AS2118-MNT
mnt-domains:    RUSDESIGN-MNT
source:         RIPE # Filtered

organisation:   ORG-RL57-RIPE
org-name:       RusDesign Ltd
org-type:       OTHER
address:        Krasina 5-15
address:        Moscow, Russia
e-mail:         asmirnoff73@gmail.com
mnt-ref:        RUSDESIGN-MNT
mnt-by:         RUSDESIGN-MNT
source:         RIPE # Filtered

person:         Andrey Smirnov
address:        Krasina 5-15
address:        Moscow, Russia
phone:          +7 916 9894767
nic-hdl:        AS13070-RIPE
mnt-by:         RUSDESIGN-MNT

Canadian Pharmacy sites are registered with DirectNic, a company that gives its address as:

Regatta Office Park
Windward 1, Suite 141
85A Lime Tree Bay Road
West Bay, Grand Cayman ---
KY
(345) 745-6022
Fax:(345) 745-6023

Examples of sites using the nscontrol.com domain for name servers:

online-meds1.com
online-pharm1.com
online-rx1.com
pharm-bill.com
pharm-charge.com
pharm-help.com
pharm-online1.com
pharmacy777.com
rx-charge.com

These sites in turn are registered by the same person, Andrey Smirnov, this time giving an address in Canada as part of the fraudulent Canadian impersonation of the web sites:

Domain Name: RX-CHARGE.COM

Administrative Contact:
 Smirnov, Andrey whois@pharmashopsupport.com
 200-1765 West 8th Ave.
 Vancouver, British Columbia V6J 5C6 CA
 CA
 866-420-707

Additional fraud sites that use nscontrol.com for name servers are shown in the graphic.


July 2009

The prevalent name server registration method is to select a trio of systems across 2 or 3 registrars:

  • ns1.clearfab.ru ns2.clearfab.ru REGRU-REG-RIPN
  • ns3.b6z.ru ns4.b6z.ru REGRU-REG-RIPN
  • ns5.lucidhere.com ns6.lucidhere.com ONLINENIC

or

  • ns1.secondwee.com ns2.secondwee.com - ALANTRON BLTD.
  • ns3.methodsister.com ns4.methodsister.com - ONLINENIC, INC.
  • ns5.houratom.ru ns6.houratom.ru - REGRU-REG-RIPN

The name servers are used to resolve access to spammed redirection sites, which are detected and listed by spam-traps such as URIBL.COM.

The redirection sites are designed to conceal the ultimate Canadian Pharmacy target sites from blacklisting. Sample redirection targets are:

  • awesomepharmsline.com - ONLINENIC, INC. / Serpino Berbeto
  • storemedicalroyal.com - ONLINENIC, INC. / Serpino Berbeto
  • wheelmade.com - ONLINENIC, INC. / Serpino Berbeto

where ONLINENIC, INC. / Serpino Berbeto represents the registrar and the registrar's (rogue) authorized reseller respectively.

Xin Net [2007-2008]

Canadian Pharmacy typically registered its nameserver domains with Xin Net, and used groups of four at a time to service hundreds of domains. Examples:

ns0.piotiongandesunkdes.com
ns0.gedsactunjerion.com
ns0.chitionkdetunlionpsa.com
ns0.fionkunjerunhedase.com 
ns0.nuspharkosa.com
ns0.kopepharas.com 
ns0.mukopkufude.com 
ns0.pharokufuma.com 
ns0.likenewdesign.com
ns0.globonss.com
ns0.globohosts.com
ns0.yourpleasant.com

Recently, it has begun using Xin Net's own nameservers:

ns.xinnet.cn
ns.xinnetdns.com
ns2.xinnet.cn
ns2.xinnetdns.com

Given Xin Net's sudden commitment to enforcing acceptable use policies, suspending thousands of fraudulent and spammy domains, the Canadian Pharmacy scammers may be concerned that thousands of their domains could go down at one time if their nameservers were blackholed. Using a registrar's own nameservers prevents that, although it also makes it easy for the registrar of the nameservers to effectively shut down the spamvertised domains, regardless of where those individual domains are registered.

Spamvertized Sites

Illegal pharmacy site        Spam brand (with links to information)   Registrar sponsoring the criminal operation
drugsea.com                  Drug Store                               ENOM, INC.
brightfutureabc.com          Canadian Pharmacy                        REGTIME LTD.
your-drug-store.com          Drug Store                               ENOM, INC.
canadians-health.com         Canadian Pharmacy                        INTERNET NAMES WORLDWIDE
nscontrol.com                Support Center                           NETWORK SOLUTIONS, LLC.
mens-medication.com          Canadian Pharmacy                        INTERNET NAMES WORLDWIDE
simple-op.com                Canadian Pharmacy                        ENOM, INC.
all-about-cialis.com         All About Cialis                         DIRECTNIC, LTD
brand-generic-pills.com      Canadian Healthcare, Canadian Pharmacy   TODAYNIC.COM, INC.
alltrustedpills.com          Canadian Healthcare, Canadian Pharmacy   ENOM, INC.
medgetfarmos.com             Canadian Healthcare, Canadian Pharmacy   BIZCN.COM, INC.
onlyhighestquality.com       Canadian Healthcare, Canadian Pharmacy   DYNADOT, LLC
medicationcenter.info        Canadian Healthcare, Canadian Pharmacy   ENOM, INC.
officialmedicines.info       Canadian Healthcare, Canadian Pharmacy   DirectNIC, LTD
check-order-status.info      Support Center                           GKG.NET, INC.
unitedpharmacysupport.info   Support Center                           GKG.NET, INC.

InterCosmos Media Group: canadianmedsworld.com

Public Domain Registry: bestpharmstock.com

Sponsoring ISPs

IP addresses habitually used for hosting Canadian Pharmacy sites and their name servers are:

  • 218.75.144.6 - Chinanet Hunan (abuse.cd@2118.com.cn, abuse.szx@2118.com.cn) - http://www.spamhaus.org/sbl/sbl.lasso?query=SBL75487
  • 203.93.208.86 - China Unicom (michael@chinaunicom.com.hk, abuse@cnc-noc.net) - http://www.spamhaus.org/sbl/sbl.lasso?query=SBL74278
  • 60.191.239.150 - Jinhua Telecom (anti_spam@mail.jhptt.zj.cn) - http://www.spamhaus.org/sbl/sbl.lasso?query=SBL76119
  • 222.186.12.113 - CHINANET Jiangsu (abuse@jsinfo.net, ip@jsinfo.net) - http://www.spamhaus.org/sbl/sbl.lasso?query=SBL71237
  • 220.248.167.126 - China Unicom Hunan (michael@chinaunicom.com.hk, abuse@cnc-noc.net) - http://www.spamhaus.org/sbl/sbl.lasso?query=SBL74724


Hijacked Hosting Infrastructure

As of this writing (August 2007), independent investigation has shown a large number of hijacked home and business computers providing DNS and web hosting infrastructure for this operation's websites.

The typical spam run features a link to a single html page on an otherwise legitimate website which has been compromised. That html page typically performs a JavaScript redirect to another domain which is the true target of the spam run.

Typical sites in June 2007 were using four name servers, for example:

ns0.chitionkdetunlionpsa.com c-71-233-121-19.hsd1.ma.comcast.net 71.233.121.19
ns0.fionkunjerunhedase.com 212.143.150.121 212.143.150.121
ns0.gedsactunjerion.com 28-196-n.ipv4.vnet.ee 85.29.196.28
ns0.piotiongandesunkdes.com 89-178-24-169.broadband.corbina.ru 89.178.24.169

When resolved to web server hosts, there would be up to 20 IP addresses found, demonstrating a round robin (aka fast-flux) approach of distributing the hosting over multiple hijacked host machines. These hosts are usually on systems attached to the Internet through cable or broadband (DSL) ISPs. A live example recorded June 1, 2007:

 216.165.48.73 NY University
 24.152.128.81 Earthlink
 66.171.238.63 Verizon
 24.137.125.124 Eastlink
 75.17.12.41 AT&T SBC
 65.24.187.23 Road Runner
 71.130.204.142 AT&T SBC
 67.70.22.98 Bell Canada
 71.146.151.88 AT&T SBC
 66.177.73.244 Comcast
 217.211.55.49 TeliaNet,SE
 76.181.146.11 Road Runner
 68.124.63.138 AT&T SBC
 84.60.32.53 Arcor AG, DE
 87.228.41.40 Infoline, RU
 89.178.91.169 Corbina Broadband, RU
 58.227.40.221 Hanaro Telecom, KR
 217.209.21.229 TeliaNet, SE
 81.245.237.237 SkyNet, BE
 217.70.103.109 Novosibirsk, RU

These are typically hacked servers, or otherwise normal personal computers which have been compromised. It is unknown at this time how the group behind Canadian Pharmacy gains access to these servers, and the investigation is ongoing. It is assumed to be a form of botnet hosting.
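The fast-flux pattern just described (a pool of around 20 addresses, rotated every few minutes, on cable and DSL customer lines whose reverse names often spell out the address) can be turned into a simple scoring check. This is an added example, not code from Spamwiki; the DNS polls, reverse names and the thresholds in is_fast_flux are constructed for the example, and only the two reverse names in the comments are taken from the name server listing above.

```python
# Added example, not from the Spamwiki page: score a hostname's DNS answers
# for the fast-flux pattern described above (many short-lived A records,
# spread across many networks, on consumer broadband hosts).
import ipaddress
import re
from statistics import mean


def ptr_embeds_ip(ip, ptr):
    """True when the reverse (PTR) name spells out the address's octets in
    order, e.g. c-71-233-121-19.hsd1.ma.comcast.net for 71.233.121.19 (a
    naming scheme ISPs use for dynamically assigned cable/DSL customers)."""
    octets = ip.split(".")
    tokens = [t for t in re.split(r"[^0-9]+", ptr) if t]
    return any(tokens[i:i + 4] == octets for i in range(len(tokens) - 3))


def flux_metrics(polls, ptr_names):
    """polls: list of (ttl_seconds, [ip, ...]) answers for one hostname,
    collected a few minutes apart. ptr_names: ip -> reverse name (may be
    missing). Returns the features a fast-flux classifier looks at."""
    all_ips, churn, prev = set(), [], None
    for _ttl, ips in polls:
        cur = set(ips)
        all_ips |= cur
        if prev is not None and cur:
            churn.append(len(cur - prev) / len(cur))   # share of IPs new since last poll
        prev = cur
    prefixes = {ipaddress.ip_network(ip + "/16", strict=False) for ip in all_ips}
    dynamic = sum(1 for ip in all_ips if ptr_embeds_ip(ip, ptr_names.get(ip, "")))
    return {
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len(prefixes),        # rough stand-in for "different networks"
        "mean_churn": mean(churn) if churn else 0.0,
        "min_ttl": min(ttl for ttl, _ in polls),
        "dynamic_ptr_fraction": dynamic / len(all_ips) if all_ips else 0.0,
    }


def is_fast_flux(m):
    """Thresholds are assumptions chosen for this example, not from the article."""
    return (m["distinct_ips"] >= 10 and m["distinct_prefixes"] >= 5
            and m["mean_churn"] >= 0.3 and m["min_ttl"] <= 300)


# Constructed sample: three polls five minutes apart, half the pool replaced
# each time, TTL 300 seconds (the "20 IPs, refreshed every 5 minutes" pattern).
_A = ["24.10.1.1", "66.20.2.2", "71.30.3.3", "75.40.4.4",
      "84.50.5.5", "87.60.6.6", "89.70.7.7", "58.80.8.8"]
_B = ["65.90.9.9", "67.100.10.10", "68.110.11.11", "76.120.12.12"]
_C = ["81.130.13.13", "217.140.14.14", "98.150.15.15", "99.160.16.16"]
FLUX_POLLS = [(300, _A), (300, _A[4:] + _B), (300, _B + _C)]

# Constructed reverse names in the style of the ones seen above
# (c-71-233-121-19.hsd1.ma.comcast.net, 89-178-24-169.broadband.corbina.ru).
PTR_NAMES = {
    "24.10.1.1": "c-24-10-1-1.hsd1.example-cable.net",
    "71.30.3.3": "host-71-30-3-3.dsl.example.net",
    "89.70.7.7": "89-70-7-7.broadband.example.ru",
    "217.140.14.14": "static.example.se",
}

# A normally hosted site for contrast: one address, long TTL, no churn.
STABLE_POLLS = [(3600, ["203.0.113.10"])] * 3

if __name__ == "__main__":
    for name, polls in (("flux", FLUX_POLLS), ("stable", STABLE_POLLS)):
        m = flux_metrics(polls, PTR_NAMES)
        print(name, m, "fast-flux" if is_fast_flux(m) else "normal")
```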

Typical Fake WHOIS Contact Information

In many cases, domains used in the Canadian Pharmacy spam run will be registered to the following fake identity within the WHOIS data for the domain:

Michael Leslie mail@boxbetter.com
1-713-775-3348 fax:
2218 Ewing St
Houston TX 77004
us

Needless to say: boxbetter.com is yet another Canadian Pharmacy domain. No legitimate contact information is ever used in the registration of these domains.

How to report this spam

The Complainterator is configured to request removal of these fraudulent sites. Add a link to this page as evidence.

Related spam operations

Canadian Pharmacy exploits many different methods of redirections to try to escape detection.

Canadian Pharmacy, PharmSite and Nature Medicines share many common functions, leading to the conclusion that they come from the same perpetrator:

  • same registrars
  • same name servers
  • same online support number - +1 210 80 PHARM
  • same email support address - sitesupport@pharmsupport.us
  • same false claims
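The linking logic behind this list, and behind the reused fake WHOIS identity in "Typical Fake WHOIS Contact Information" above, is that a shared contact email, a shared phone number (including vanity numbers like +1 210 80 PHARM) or a shared name-server domain ties two domains to one operation, while a shared registrar alone does not. The following is an added example, not code from Spamwiki: the WHOIS-style records and their domain names are constructed, and only the contact values they share are the ones this article reports.

```python
# Added example, not from the Spamwiki page: link domains that share the
# same contact identity or name-server infrastructure into one operation.
from collections import defaultdict

# Phone keypad letters, so vanity numbers like "+1 210 80 PHARM" compare
# equal to their all-digit form.
_KEYPAD = {c: d for d, letters in {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
                                   "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}.items()
           for c in letters}


def normalize_phone(raw):
    """Digits only, keypad letters mapped, leading North American '1' dropped."""
    digits = "".join(_KEYPAD.get(ch, ch) for ch in raw.upper() if ch.isalnum())
    digits = "".join(ch for ch in digits if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def infrastructure_keys(rec):
    """Attributes strong enough to link two domains. The registrar is left out
    on purpose: ENOM or DirectNIC also sponsor countless legitimate domains."""
    keys = set()
    if rec.get("email"):
        keys.add(("email", rec["email"].strip().lower()))
    phone = normalize_phone(rec.get("phone", ""))
    if phone:
        keys.add(("phone", phone))
    for ns in rec.get("nameservers", []):
        # ns1.nscontrol.com and ns3.nscontrol.com both key on nscontrol.com
        keys.add(("ns", ".".join(ns.lower().split(".")[-2:])))
    return keys


def cluster_domains(records):
    """Union-find over domains: any shared key merges two domains' clusters.
    Returns clusters sorted largest first, each sorted alphabetically."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}
    for r in records:
        for key in infrastructure_keys(r):
            if key in first_seen:
                ra, rb = find(first_seen[key]), find(r["domain"])
                if ra != rb:
                    parent[rb] = ra
            else:
                first_seen[key] = r["domain"]
    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


# Constructed WHOIS-style records (domain names are placeholders); the shared
# contact values are the ones the article reports across the brands.
RECORDS = [
    {"domain": "pharm-a.example", "email": "sitesupport@pharmsupport.us",
     "phone": "+1 210 80 PHARM", "nameservers": ["ns1.nscontrol.com"], "registrar": "DirectNIC"},
    {"domain": "pharmsite-b.example", "email": "", "phone": "210-807-4276",
     "nameservers": ["ns1.clearfab.ru"], "registrar": "REGRU"},
    {"domain": "nature-c.example", "email": "SiteSupport@PharmSupport.us", "phone": "",
     "nameservers": ["ns5.lucidhere.com"], "registrar": "ONLINENIC"},
    {"domain": "redirect-d.example", "email": "mail@boxbetter.com",
     "phone": "1-713-775-3348", "nameservers": ["ns0.globohosts.com"], "registrar": "Xin Net"},
    {"domain": "boxbetter-e.example", "email": "", "phone": "+1 713 775 3348",
     "nameservers": ["ns0.yourpleasant.com"], "registrar": "Xin Net"},
    {"domain": "unrelated.example", "email": "hostmaster@unrelated.example", "phone": "",
     "nameservers": ["ns1.dns-host.example"], "registrar": "DirectNIC"},
]

if __name__ == "__main__":
    for cluster in cluster_domains(RECORDS):
        print(cluster)
```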


Dionpills.org is advertised in forum comment spam, such as on YouTube. Their phone number, 210-787-1711, has also been used by Canadian Pharmacy. Although that is a Texas area code, the company controlling 210-787-1xxx numbers provides voice-over-internet, so no assumptions can be made about the location of a company with that number. Dionpills.org uses the same scam of having the fake endorsement logos on their webpage link to other pages on the same website, when real logos would link to the sites for the endorsing agencies. But their claim to fame is their "testimonials" page, where supposed customers praise them. It's one of the funniest pages on any spamvertised site:

 Sam, 28
 Acclaim to Viagra! I could not help self but feel inspired both a long long time. 
 Now, I am over the world, I am travel, I am very happy I saved my family me children 
 and my wife. Thanks this site Dionpills.ORG ... 
 RENE, 24
 Recently and had tried Viagra gently into account the difference, it really works, 
 and nothing helped me before. Trust him. Dionpills.org the Best. It acts more 
 quickly and allows them to improve the situation asked: Behold what they need - and 
 speed! 
 Barbara, 45
 I do not believe in drugs, who can reduce their weight and remain small and reduce, 
 but actually there. Since the beginning of the adoption of Phentermine culinary 
 herbs once or twice a day before meals, I think brilliantly: my appetite decreased, 
 began to judge that filled me and not think further into the food! i am very like 
 Dionpills.Org 
 Gulia, 23
 I am not only Hoodia which helped lower my extra kilogramms, but their impact is 
 great and have ingredients. Since trust told me he lost a lot, I never thought that 
 the fact that it can help. In addition Hoodia Gordonii gives me so much energy that 
 I lost weight, not only because I have no more hunger, but my work becomes 
 tremendous. Thanks for Dionpills.org 
 Kent, 26
 Cialis and PS no longer live together! Men must understand what I mean. With Cialis, 
 I stopped thinking about the problem and had relations with his wife, which is so 
 costly me, and what I wanted to divorce his wife but to take Cialis. Now, we are as 
 happy as it 10-15 years. 

(Men: Do you understand what he means?)

And last but not least, a comment from someone whose name is presumably supposed to be "Phil Mahoney:"

 Fill Mahouny, 33
 Buspar inherited my life 2 months ago! He had changed: I do not feel well passionnan 
 but after having worked for 10 hours and my real help before going to bed: Awakened 
 costs and the desire to work, working and travel. I have the best to live 

People who have ordered from that site or from Canadian Pharmacy have listed their complaints on this site that rates businesses based on their phone numbers.
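The same-site seal check described above, as an added example that is not part of the wiki: it scans a page for images whose alt text reads like a trust seal and reports whether the anchor around each one points back at the storefront's own host or leaves the site. The HTML, host names and seal wording below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample storefront page (not a real site): two seals link back to the
# shop itself, the pattern described above; one links out to the issuing organisation.
SAMPLE_HTML = """
<html><body>
<a href="/verified.html"><img src="/img/seal1.gif" alt="Verified Internet Pharmacy Practice Site"></a>
<a href="https://pharmacy.example/bbb.html"><img src="/img/bbb.gif" alt="BBB Accredited Business"></a>
<a href="https://verify.issuer.example/check?id=123"><img src="/img/seal3.gif" alt="Certified Merchant"></a>
<a href="/cart"><img src="/img/cart.gif" alt="Shopping cart"></a>
</body></html>
"""

# Words that typically appear in the alt text of endorsement / trust seals (assumed list).
SEAL_WORDS = ("verified", "certified", "accredited", "approved", "trusted", "secure")


class SealLinkParser(HTMLParser):
    """Collect (alt, href) for every seal-like <img> that sits inside an <a>."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the anchor currently open, if any
        self.seals = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href is not None:
            alt = (a.get("alt") or "").strip()
            if any(w in alt.lower() for w in SEAL_WORDS):
                self.seals.append((alt, self._href))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def classify_seals(html, page_url):
    """Return (alt, href, verdict) per seal: 'internal' if the seal links back to
    the storefront's own host, 'external' if it leads to a different host."""
    parser = SealLinkParser()
    parser.feed(html)
    page_host = urlparse(page_url).netloc.lower()
    results = []
    for alt, href in parser.seals:
        target_host = urlparse(urljoin(page_url, href)).netloc.lower()
        results.append((alt, href, "internal" if target_host == page_host else "external"))
    return results


def internal_seal_count(html, page_url):
    """Number of seals that only point back at the site claiming the endorsement."""
    return sum(v == "internal" for _, _, v in classify_seals(html, page_url))
```

A non-zero internal count does not prove fraud on its own, but a seal whose link never leaves the site it vouches for cannot be checked against the issuer, which is exactly the pattern the Dionpills.org and Canadian Pharmacy pages show.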


Penis Enlarge Patch, Canadian Pharmacy and Soft Eden software piracy sites run on the same botnet of hijacked hosts, for example:

See: Glavmed

Related brands

October/November 2009 showed a new trend. Canadian Pharmacy sites contain a "Best sellers" section, which in turn links through to an Online Pharmacy site.

[Screen captures: a Canadian Pharmacy page with "Best seller" links, and the Online Pharmacy page those links lead to]

The title line at the top of the site's web page is randomly selected from a list of titles. Some examples -

  • We Always Have Special Offers In Our Online-Drugstore
  • We Always Have Special Offers In Our Pharmacy Store
  • We Always Have The Best Offers for Viagra, Cialis and Levitra
  • We Always Have The Best Offers In Our Online Pharmacy Store
  • We Always Have The Best Pharmacy Offers
  • We Always Have The Best Pharmacy Online-Offers
  • We Always Have The Cheapest Offers In Our Online-Drugstore
  • We Always Have The Cheapest Offers In Our Pharmacy Store

These titles are also used for Dr.Pills. Random selection of titles from a list is also a method adopted by Canadian Healthcare.


[Screen capture: Mailien-options.jpg]

Refer to the captured screen image. In 2011, spammer affiliates who registered with the Mailien spamming program were presented with pharmacy operations to select from. These included

Spamit (the underground sponsor affiliate program related to Glavmed) is the sponsor organization behind this type of site. They pay spammers to promote it, and they don't shut down illegal spammers.

Further Reading

Cyber-criminals cashing in with online pharmacies (November 28, 2009): Cyber-criminals from Russia are taking advantage of Canada's reputation for quality health care, bombarding the Internet with unwanted e-mail advertising counterfeit and potentially lethal male-enhancement drugs and painkillers, according to online security experts.

Thanks to great researchers: James McQuaid and Dancho Danchev
They show that other RBN folks, Alexander Boykov and Andrey Smirnov, were both directly involved in using their RBN resources in the DDOS against Georgia.

RUSSIAN BUSINESS NETWORK

The individual with direct responsibility for carrying out the cyber "first strike" on Georgia is an RBN operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrey Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists," as some have maintained of the cyber attacks on Georgia - but senior operatives in positions of responsibility with vast background knowledge.

Intelligence can suggest further information about these individual cyber-terrorists. According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22, clearly showing professional planning and not merely 'hacktivism.' Due to the degree of professionalism and the required massive costs to run such operations, a state-sponsor is suspected. Further information gathered also links the RBN to known disruptive websites.

.. The IP addresses of the range, 79.135.160.0/19 are assigned to Sistemnet Telecom to provide services to companies who are classified as engaging in illicit activities such as credit card fraud, malware and so on.

.. 79.135.160.0/19 Sistemnet Telecom and AS9121 TTNet (Turkey) are associated with AbdAllah_Internet which is linked with cybercrime hosting such as thecanadianmeds.com. These are known Russian Business Network routes.

To peek into the world of rogue online pharmacies, our class decided to become a customer. We purchased drugs without a prescription in the hope of uncovering who might be running this transnational trade. Tracing that purchase took us on a far-flung world tour as we followed how the drugs — and our money — crisscrossed the globe.