Cheap Drugs Online Store
From Spamwiki
Description
This spamvertised pharma brand was first observed in March 2008. Its websites claim that Cheap Drugs is located at the same bogus address as US Drugs. However, it does not share the same nameservers and image servers as US Drugs and other Yambo sites, so it may be a case of plagiarism rather than affiliation. Instead, Cheap Drugs shares nameservers with some porn sites. (Regarding those porn sites, if you know what "coprophagia" means, you should have serious doubts about ordering medication from this operation, even if its being promoted through spam and having a bogus address weren't enough to give you pause.)
Both the spamvertised websites and their nameservers operate on fast flux botnets. The websites themselves run on 10 different servers simultaneously:
Name: PHARMAPILLSFORU.COM
Addresses: 76.20.182.207, 76.107.162.80, 24.125.202.70, 99.137.194.170, 68.120.81.6, 98.197.209.23, 67.163.104.124, 203.232.238.121, 24.155.23.95, 71.132.192.40
Reverse lookup on those ten IP addresses shows an assortment of DSL and cable customers in the US as well as one Korean university:
c-76-20-182-207.hsd1.mi.comcast.net
c-76-107-162-80.hsd1.ms.comcast.net
c-24-125-202-70.hsd1.va.comcast.net
adsl-99-137-194-170.dsl.scrm01.sbcglobal.net
adsl-68-120-81-6.dsl.irvnca.pacbell.net
c-98-197-209-23.hsd1.tx.comcast.net
c-67-163-104-124.hsd1.va.comcast.net
203.232.238.0-203.232.238.255 HANKUK UNIVERSITY OF FOREIGN STUDIES, Korea
24-155-23-95.dyn.grandenetworks.net
adsl-71-132-192-40.dsl.pltn13.pacbell.net
And rechecking just a few minutes later shows the website isn't even on the same ten hijacked computers:
Name: PHARMAPILLSFORU.COM
Addresses: 68.120.81.6, 69.133.14.108, 76.211.90.190, 71.193.56.213, 24.125.202.70, 70.114.19.152, 24.126.156.103, 216.74.217.203, 72.40.35.185, 76.113.49.146
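The comparison between the two lookups can be made mechanical. The following is an added example, not part of the original wiki page: it measures how much of the address set survived between the two lookups shown above and how widely the addresses are scattered. The function names and the thresholds in looks_fast_flux are assumptions chosen for illustration.

```python
import ipaddress

# A records copied from the two lookups of PHARMAPILLSFORU.COM shown above.
FIRST_LOOKUP = ("76.20.182.207, 76.107.162.80, 24.125.202.70, 99.137.194.170, "
                "68.120.81.6, 98.197.209.23, 67.163.104.124, 203.232.238.121, "
                "24.155.23.95, 71.132.192.40")
SECOND_LOOKUP = ("68.120.81.6, 69.133.14.108, 76.211.90.190, 71.193.56.213, "
                 "24.125.202.70, 70.114.19.152, 24.126.156.103, 216.74.217.203, "
                 "72.40.35.185, 76.113.49.146")


def parse_addresses(text):
    """Turn a comma-separated 'Addresses:' value into a set of IP objects."""
    return {ipaddress.ip_address(a.strip()) for a in text.split(",") if a.strip()}


def flux_report(first, second, prefix_len=16):
    """Compare two resolutions of one name taken a few minutes apart."""
    a, b = parse_addresses(first), parse_addresses(second)
    kept, seen = a & b, a | b
    networks = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in seen}
    return {
        "kept": [str(ip) for ip in sorted(kept)],   # addresses present both times
        "distinct_ips": len(seen),
        "distinct_networks": len(networks),          # spread across unrelated networks
        "churn": 1 - len(kept) / len(seen),          # Jaccard distance, 0 = stable
    }


def looks_fast_flux(report, min_ips=10, min_networks=5, min_churn=0.5):
    """Heuristic with assumed thresholds: many A records, scattered, rotating."""
    return (report["distinct_ips"] >= min_ips
            and report["distinct_networks"] >= min_networks
            and report["churn"] >= min_churn)


if __name__ == "__main__":
    report = flux_report(FIRST_LOOKUP, SECOND_LOOKUP)
    print(report, looks_fast_flux(report))
    # Constructed control: an ordinary site answering with the same two
    # addresses (documentation range) on both checks.
    stable = flux_report("192.0.2.10, 192.0.2.11", "192.0.2.10, 192.0.2.11")
    print(stable, looks_fast_flux(stable))
```

Only two of the ten addresses appear in both lookups, and the 18 addresses seen fall in 18 different /16 networks, which is the pattern of a name served from rotating hijacked home connections rather than from a hosting provider.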
Samples of Spam
Subject: Be happy!Be really healthy! Agree to be sick! Noway! http://ihaytj.pharmapillsforu.com
Subject: All weapons for battle against diseases! Be too hot to resist! http://ikjj.pharmapillsforu.com
Fake Addresses
Like US Drugs, Cheap Drugs claims to have its headquarters at "6362 Lakeshore Road NY." That's hard to disprove, since they forgot to include a city or zip code. There is a 6362 Lakeshore Road in Cicero NY (the only suggestion Google Maps could come up with) but it is clearly no larger than a private residence on satellite view.
Most likely, it is pure coincidence that there is even one 6362 Lakeshore Rd. anywhere in the state of New York; it's obviously a completely fabricated business address.
The second company address shown is:
ICS International Certified Stocks Kamdhenu Complex Opp. Bombay, India
For some reason the scammer has taken part of the address of the Stock Exchange, which is located in the Kamdhenu Complex building in the Indian city of Ahmedabad, then taken the abbreviation for "opposite" but omitted the name of any landmark that it is actually opposite. Next, he has relocated the city of Ahmedabad into Mumbai, which he has mistakenly renamed to its former title, Bombay. This demonstration of geographical ignorance and cultural indifference is typical of scamming operations.
Fake Endorsements
As is typical with spamvertised pharma sites, they attempt to reassure the wary by including logos claiming endorsement by legitimate organizations. Since those organizations would never endorse a site like this, the logos either have no link or else have a fake link that does not actually lead to the website of the outside organization. In the case of Cheap Drugs Online Store, there are no links. Some of the images themselves are also identical to those on US Drugs sites. Not only are the business addresses identical, they are both images of the addresses rather than text. At least the Cheap Drugs spammer looked up the spelling of "copyright:"
Cheap Drugs logos:
US Drugs logos:
How to Report this Spam
The spammed domain name can be reported using the Complainterator, which will direct an email both to the registrar of the site, and the registrar of the domain name servers that act as the gateway to the sites.
Hijacked computers which are part of the botnet hosting this site are reported in bulk via the Botnet Reporting and Termination (BRAT) project; it is not recommended that other spam recipients duplicate this reporting.

