Pharma Shop

From Spamwiki



Description

Conscious that intelligent customers do not buy from unlicensed pharmacies, many fake Internet pharmacies display a forged pharmacy licence. Pharma Shop avoids this problem completely: it omits all references to any licence at all.

Again, most experienced Internet customers know better than to provide sensitive credit card details over an insecure link. Experience has taught users to look for the "https" prefix, or the closed padlock symbol, indicating that a web page is secure before entering such sensitive information. In its Privacy and Security section, Pharma Shop states:

To protect your privacy, highly secure order processing is used.
Your order is entered using a secure server with 128bit encryption
and sensitive information is transferred internally using the most
powerful encryption available.

But a typical Pharma Shop checkout page is at a URL such as http://globuskostenlos.info/index.php?mod=pay9 (http, not https) - showing that what they promise is not what they deliver.

A wary user should expect the same result upon placing an order - what you order is not what they deliver.

In August/September 2007, Pharma Shop adopted a two-tiered approach. Spammed URLs took the form xxxxx.domain.com, where the xxxxx prefix was used to select a redirection to another web site.

For example, kjaz.kkroomin.com redirects to the web site r2.rx-shop.biz, where the redirector is hosted on a fast-flux botnet of illegally hijacked servers:

host kkroomin.com
kkroomin.com has address 210.97.186.121
kkroomin.com has address 67.180.178.85
kkroomin.com has address 76.211.143.74
kkroomin.com has address 81.13.44.214
kkroomin.com has address 81.198.6.160
kkroomin.com has address 84.112.124.98
kkroomin.com has address 89.110.18.184
kkroomin.com has address 89.215.106.176
[Image: phshop.jpg]
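The scatter of A records above is the characteristic fast-flux signature. The following added example (not code from Spamwiki) parses `host` output in the format shown, counts how many distinct /16 networks the addresses fall into, and flags names that answer from many unrelated networks; the sample input is the page's own output, and the thresholds are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of the `host` output shown above
# (same name and addresses as on the page).
HOST_OUTPUT = """\
kkroomin.com has address 210.97.186.121
kkroomin.com has address 67.180.178.85
kkroomin.com has address 76.211.143.74
kkroomin.com has address 81.13.44.214
kkroomin.com has address 81.198.6.160
kkroomin.com has address 84.112.124.98
kkroomin.com has address 89.110.18.184
kkroomin.com has address 89.215.106.176
"""

_HOST_LINE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")

def parse_host_output(text):
    """Return {name: [ip_address, ...]} from `host` output; other lines are skipped."""
    records = {}
    for line in text.splitlines():
        m = _HOST_LINE.match(line.strip())
        if m:
            records.setdefault(m.group(1), []).append(ipaddress.ip_address(m.group(2)))
    return records

def distinct_networks(addresses, prefix_len=16):
    """Number of distinct /prefix_len networks the addresses fall into."""
    return len({ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
                for a in addresses})

def flux_report(text, min_addresses=5, min_networks=4):
    """Flag names whose A records are both numerous and spread over many
    unrelated /16s: a legitimate site normally answers from one or two
    networks, a fast-flux name from a scatter of hijacked home and hosting
    machines. The thresholds are assumptions, not figures from the page."""
    report = {}
    for name, addrs in parse_host_output(text).items():
        nets = distinct_networks(addrs)
        report[name] = {
            "addresses": len(addrs),
            "networks_16": nets,
            "suspect_flux": len(addrs) >= min_addresses and nets >= min_networks,
        }
    return report
```

Re-running the report on successive `host` queries over a few hours shows the other half of the picture: a flux name's address set changes between queries, a static site's does not.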

Nameservers

This spam frequently uses sets of 5 nameservers based on the same domain name that are registered with fake whois information. In the case of planetcosmos.info:

ns1.rabbitandtiger.net 68.53.150.240
ns2.rabbitandtiger.net 71.94.129.68
ns3.rabbitandtiger.net 71.234.48.234
ns4.rabbitandtiger.net 68.46.176.193
ns5.rabbitandtiger.net 68.62.214.149

In these cases, the e-mail address of the domain name's contacts is also often fake (test e-mails sent by spamtrackers.eu to the address listed in the whois are bounced back). Therefore, spamtrackers.eu recommends sending a complaint to the registrar of the nameserver.

Also note that Pharma Shop nameservers are hosted on hijacked hosts, sometimes as many as 5 at a time running in parallel. It is thus a good idea to inform the owners of the machines that they have been compromised.

Samples of the spam

Want to get the best
on all M e D s. You
can now go direct and
get what you need.
Best Service/Best Price
http://r2.rx-shop.biz/
disintegrate agueweed
Xylia Brinigh

Get the best for less.
Order all M E D S at
75 percent off.
ED specials for MAY!

http://r2.rx-shop.biz/

History

First noticed in September 2006, Pharma Shop was seen to be using sexually explicit domain names that redirected to its site. Sample URLs included:

  • BreatheDryer.info
  • TeenSexBlow.info
  • BreatheCum.info

These all redirected to a site called greatwallbar.info.

Through September, these were all shut down by the registrars, as was a series of "royal" site names such as:

  • therealprince.info
  • leaderprince.info
  • georgeroyal.info
  • theblueprince.info

These were all shut down by registrars eNom and Tucows. At their peak they used 5 revolving name servers on hijacked hosts, and web sites spread over 5 hijacked hosts.

How to Report this Spam

The Complainterator is configured to report this spam to the registrars.

Sites to report, active in December 2007:

  • paprince.com
  • pbthreatened.com
  • pctosue.com
  • pdandother.com
  • phfor.com
  • raandimage.org
  • rbbutby.org
  • rctargeting.org
  • rdfansites.org
  • sjthenational.com
  • skchampion.com
  • slshiphope.com

Related Scams: Fake "Russian Wives" Fraud

Starting in mid-2006, several users began receiving emails purporting to have found their email address on "the dating site" and featuring reply email addresses whose base domains turned out to be Pharma Shop sites as well. An example from March 2007:

Do not ignore me please,
I found your email somewhere and now decided to write you.
Let me know if you do not mind. If you want I can send you some pictures of me.
I am a nice pretty girl. Don't reply to this email. 
Email me direclty at dcandice777@highfindme.info

Visiting the domain highfindme.info reveals a Pharma Shop website. This ties this particular illegal pharmacy to the more serious crimes of fraud and identity theft.

Related Spams

Since kjaz.kkroomin.com redirects to the Pharma Shop web site r2.rx-shop.biz, the same name servers also resolve domains that land on:

  • Herbal King (removed Oct/Nov 2007)
  • Pharma Shop
  • Reliable Pharmacy (removed Nov 2007)
  • Global Pharmacy
  • SwissWatchesDirect
  • Fashion Clothes
  • NaturaSlim Hoodia
  • Online Replica Collection (handbags, watches, shoes, pens, ...)
  • WonderCum
  • SizeUp
  • ManXL

Redirections

As of February 2008

This brand is the target site of many spammed site redirections. The current formula is a redirection selected by the first character of the subdomain name:

  • a*.domain.tld: pdandotherb.com (shut down)
  • b*.domain.tld: ageshell.com (Canadian Pharmacy)
  • c*.domain.tld: wehelpyounow.com/clothes/ (shut down)
  • d*.domain.tld: wehelpyounow.com/freepenispill/ (shut down)
  • g*.domain.tld: fqa34s2.com (US Pharmacy)
  • h*.domain.tld: diet350.info (100% Pure Hoodia Gordonii Pills)
  • i*.domain.tld: iakospro.com (VPXL) affiliate ID 2515592000
  • k*.domain.tld: ideaexciting.com (US Pharmacy)
  • p*.domain.tld: iakospro.com (VPXL) affiliate ID 2515592000
  • r*.domain.tld: keogbw.net (Swiss Watches Direct)
  • s*.domain.tld: parpower.com (VPXL) affiliate ID 2515592000
  • t*.domain.tld: flutteoi.com (Replica Store) affiliate ID 3508239664
  • v*.domain.tld: wehelpyounow.com/vm/ (shut down)

Before February 2008

Spammed sites:

  • bbdw.oewarming.com
  • bzvun.oewarming.com
  • bhcisf.oewarming.com
  • dqpl.oewarming.com
  • djtwd.oewarming.com
  • kpwi.oewarming.com
  • kmfvnu.oewarming.com
  • kkqg.opreflected.com
  • rhlybg.oewarming.com
  • rxtm.oewarming.com
  • rutdkl.oewarming.com
  • ss2vr.oewarming.com

This one domain redirects to multiple different scams, selected by the prefix letter of the subdomain:

  1. Prefix letter A = Elite Herbals on saverxp.org which was not operational from Sept 2007. In December it redirected to samolsen.com
  2. Prefix letter B = Reliable Pharmacy redirected to onlinequalitypills.com [Beijing dns.com.cn], subsequently to jumewa.com - Global Pharmacy
  3. Prefix letter C = redirected to hoodiastoresale.com - Naturaslim Hoodia - 100% Pure Hoodia Gordonii Diet Pills, subsequently to Dolce & Gabbana Designer Fashion Clothing
  4. Prefix letter D = Herbal King redirected to samsege.com [CSL / Joker], subsequently to wehelpyounow.com/freepenispill/ - ManXL
  5. Prefix letter K = Pharma Shop redirected to r2.rx-shop.biz subsequently to r2.pharm-shop.biz [GMO INTERNET]
  6. Prefix letter R = SwissWatchesDirect redirected to einison.net or pornogh.net or azfuek.net [INTERNET.BS CORP]
  7. Prefix letter S = Wondercum redirected to fozip.com subsequently to parpower.com
  8. Prefix letter T = redirected to getthasteppin.com, which was not operational as of Sept 2007, subsequently in December to wehelpyounow.com/su/ - SizeUp
  9. Prefix letter V = redirected to wehelpyounow.com/vm/ Vigramax

The switching is achieved on a redirector that announces itself upon connection as follows:

HTTP/1.1 302 Found
Date: Tue, 03 Dec 2007 20:17:21 GMT
Server: Apache/2.0.59 (FreeBSD) PHP/4.4.7 with Suhosin-Patch
X-Powered-By: PHP/4.4.7

and issues a redirection of the form:

Location: http://wehelpyounow.com/su/
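The redirector's behaviour can be reproduced offline to map a spammed hostname to the scam it lands on. This added example (not Spamwiki's code) parses a raw HTTP response, follows 3xx Location hops with a loop guard and a hop limit, and looks up the brand the prefix letter selects using the "Before February 2008" list above; the fixture reuses the 302 headers quoted on the page, while the hostname tnpq.oewarming.com, the loop hosts and the 200 response body are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Constructed fixture (URL -> raw response) modelled on the 302 redirector
# above: the 302 headers and Location are those quoted on the page; the
# hostname tnpq.oewarming.com, the loop hosts and the 200 body are made up.
RESPONSES = {
    "http://tnpq.oewarming.com/": (
        "HTTP/1.1 302 Found\r\n"
        "Date: Tue, 03 Dec 2007 20:17:21 GMT\r\n"
        "Server: Apache/2.0.59 (FreeBSD) PHP/4.4.7 with Suhosin-Patch\r\n"
        "X-Powered-By: PHP/4.4.7\r\n"
        "Location: http://wehelpyounow.com/su/\r\n\r\n"),
    "http://wehelpyounow.com/su/":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>SizeUp</html>",
    # two-node loop with a relative Location, to exercise the guard
    "http://loop-a.example/": "HTTP/1.1 302 Found\r\nLocation: /b\r\n\r\n",
    "http://loop-a.example/b": "HTTP/1.1 302 Found\r\nLocation: http://loop-a.example/\r\n\r\n",
}
# Prefix letter -> brand, taken from the "Before February 2008" list above.
BRAND_BY_PREFIX = {"a": "Elite Herbals", "b": "Reliable Pharmacy", "d": "Herbal King",
                   "k": "Pharma Shop", "r": "SwissWatchesDirect", "s": "Wondercum",
                   "t": "SizeUp", "v": "Vigramax"}

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(maxsplit=2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def expected_brand(url):
    """Brand selected by the first letter of the leftmost hostname label."""
    return BRAND_BY_PREFIX.get(urlsplit(url).hostname.split(".")[0][:1].lower())

def follow_redirects(url, fetch=RESPONSES.__getitem__, max_hops=5):
    """Walk 3xx Location hops via fetch(url) -> raw; returns (hops, reason)."""
    hops = [url]
    while len(hops) <= max_hops:
        status, headers = parse_response(fetch(url))
        if not (300 <= status < 400 and "location" in headers):
            return hops, "landed"
        url = urljoin(url, headers["location"])  # Location may be relative
        if url in hops:
            return hops, "loop"
        hops.append(url)
    return hops, "max_hops"
```

Swapping `fetch` for a real client that returns the raw response lets the same walker record the chain from a spammed subdomain to its landing site for a complaint.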
