Drug Store (actually they use several names) is yet another in the long line of illegal online pharmacy operations believed to be attributed to the Yambo Financials group of spammers and sponsors. There also appear to be similarities to previously seen sites for Canadian Pharmacy and US Pharmacy, notably in terms of their contact forms and their order processing forms. Since the bold header featuring the name of the site is not an image, they can call it whatever they like. Most of the recent spam for these sites just used the name "Drug Store."
 Basic Summary
 Sample Spam
Good Day, we are happy to announce that our store has been updated: - Our physicians are now U.S licensed - More brands & products - New order tracking system - Dedicated Support 24/7 - Faster delivery Best Regards, https://stybnryunmtyum.cn -- In her anxiety over her unexpected pregnancy, Julie would have gone to Melissa for advice and comfort, talking so late into the night that Melissa would have invited her to sleep over. Knots of women, children, old folks. Jeff's road leads to a country very much like the one I believe you once had.
 False Claims
As with virtually all spammed pharmacy websites of this type, literally all of the claims made on the site are a complete fabrication and have no truthful basis whatsoever.
This includes all their typical "endorsement" icons along the bottom of every page:
Note that the url is https, indicating that the site is secure, using an SSL certificate. You'll find that you get several warnings about this certificate. That's because it is (of course) fake, and being used fraudulently. Here are the details on the "certificate" in use at stybnryunmtyum.cn:
Version: Version 3 Serial Number: 00 Certificate Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: E = root @ localhost.localdomain CN = localhost.localdomain OU = SomeOrganizationalUnit O = SomeOrganization L = SomeCity ST = SomeState C = -- Validity: Not before 2/4/2008 9:41:21 AM GMT Not After 2/3/2009 9:41:21 AM GMT Subject (same as issuer information) Subject's Public Key: Size: 140 Bytes / 1120 Bits 30 81 89 02 81 81 00 97 cb fc da 7d 2a 8e d1 c3 92 bc b1 25 36 c9 6c a1 2e 87 cb 0c ff 5e 35 c8 36 60 11 76 08 0b 6b 57 50 9b e7 18 92 3d 9f 08 b5 c5 ba 2d ea 1c 3f c0 f9 1a 96 0b f0 9c e6 8f 0c a2 cd 5c 01 03 89 09 64 4e 1a 03 2b 94 1e 1b b4 77 b2 df b5 43 a1 e6 e4 cf fc 88 65 75 4c 6f 09 3f 6d 43 17 7a 7c 63 1c dc a5 b7 c2 4a 70 25 f6 63 82 56 13 3e db 9e fb 69 98 a8 09 e6 b9 3e d5 93 9e 43 a1 c5 43 02 03 01 00 01 Certificate Subject Key ID: Size: 20 Bytes / 160 Bits a4 09 b3 e7 51 fe d9 a0 fe e4 b3 3f 25 8b 40 a0 54 c6 cf 2c Certificate Signature Value: Size: 128 Bytes / 1024 Bits 18 ed 0c 6e 52 73 3c 64 c4 1a 34 13 63 50 fa 64 58 e8 57 e8 aa da 20 9f bb e3 d9 ac 72 04 6a 81 18 de 57 c2 cf 91 3e de fd 51 94 89 cc 48 d8 fe a3 b3 be 59 a7 ab 1f f8 4c 21 40 03 3f bf 6a ae 00 69 5e 95 ef be 4e b0 3a 7d 27 8a c0 77 dc 49 82 48 72 df b1 7d 7d e8 77 44 f2 d0 9c 7c 60 d8 a6 a2 df 41 04 78 3e 29 f8 80 d7 51 5c 04 16 84 df bd ac 01 16 34 00 d3 39 4d 08 41 65 4f 81 89
Accepting that certificate (you'll notice that in Firefox you get three distinct warnings stating that the certificate is invalid) will still make your browser show the "secure" settings we all expect from a genuine certificate. This is particularly troubling, since the general public will still assume the site is secure when in reality it most certainly is not.
 Credit Cards Accepted
Unlike most other spammed illegal pharmacy websites of this type, "Drug Store" appears to accept the widest variety of credit cards, and isn't merely lying about doing so as was the case with US Pharmacy. Card types accepted include: VISA, MasterCard, American Express, Diners Club, and JCB. They also accept eCheck, and feature a functioning eCheck form when that option is selected. This is in stark contrast to most other illegal pharmacy websites.
 Domain Names
Whoever is behind this operation is using obfuscated methods to disguise the registrant information for the domain. The example domain stybnryunmtyum.cn features the following WHOIS data:
Domain Name: stybnryunmtyum.cn ROID: 20080206s10001s55379980-cn Domain Status: ok Registrant Organization: sawers Registrant Name: BelovDmitriy Administrative Email: email@example.com Sponsoring Registrar: åŽ¦é—¨åŽå•†ç››ä¸–ç½‘ç»œæœ‰é™å…¬å¸ Name Server:ns1.bulkaffilliate.cn Name Server:ns2.bulkaffilliate.cn Registration Date: 2008-02-06 05:59 Expiration Date: 2009-02-06 05:59
That hides the fact that Todaynic is the actual authorizing registrar. As usual that email address will not respond to repeated requests for verification of the registrant's identity. (But unlike most of these sites, at least it is a genuine email address.)
The domains can be reported using Complainterator.
 Name servers
In the above example domain (stybnryunmtyum.cn), both the web server and both of the supporting name server domains (ns1.bulkaffilliate.cn and ns2.bulkaffilliate.cn) are all hosted on the same IP address: 184.108.40.206, which is hosted in Turkey, at turkey-colo.net.
 How to Report this Spam
You will notice that for all of these sites, there is an email listed for questions regarding your order: firstname.lastname@example.org. This same email address has been associated with numerous other pharmacy operations, usually those with the highest public outcry regarding orders which were placed and charged, but never received. Examples can be seen here, here and here. This underscores how important it is to verify the legality and propriety of a website before you give them your personal data, especially credit card data.
The spammed domain name can be reported using the Complainterator which will direct an email both to the registrar of the site, and the registrar of the domain name servers that act as the gateway to the sites.
 Related Spams
 US Pharmacy