Reliable Pharmacy
From Spamwiki
Contents |
[edit] Description
| Reliable Pharmacy is another fake pharmacy scam.
|  |
Although it claims to use encryption to protect the customer,
What Are Your Security Policies?
Our on-line ordering system uses the latest in Secure Encryption Technology. All personal and credit card information is submitted with the highest level of security and precautions with Verisign.
the check-out page where you enter your ID and credit card details is obviously not encrypted. As you can see, it uses non-secure http not secure https.
[edit] Registrant
The registrant claims to be Charles Lindbergh
Domain Name.......... onlinequalitypills.com Creation Date........ 2007-07-06 21:18:11 Registration Date.... 2007-07-06 21:18:11 Expiry Date.......... 2008-07-06 21:18:11 Organisation Name.... Charles Lindbergh Organisation Address. 62 Rue Miollis Room 346 Organisation Address. Organisation Address. Paris Organisation Address. 750150 Organisation Address. WG Organisation Address. FR
This address is false in many ways.
To begin with, postal codes in Paris begin with 75(0) and end with the number of the "arrondissement". In the case of rue Miollis, that would be the 15th arrondissement. Therefore, the real postal code is 75015 and not 750150, which is invalid.
This being said, even if the postal code was correct, Mr. Charles Lindbergh would be difficult to find, as rue Miollis only has 40 addresses - there is no 62 rue Miollis.
The street ends at a T intersection with the last two addresses being a corner bistro (see photo) and a catholic medical center watched over by over-worked elderly women.
Looking at any low-detailed map of Paris, like one sees online or in a tourist map, one sees a cross or a hospital icon at the end of rue Miollis. This would therefore give the impression that there really is "Reliable Pharmacy" at this location.
In reality the medical center is a small facility called the "Centre Médico Social Soeurs Saint Vincent de Paul" (phone +33.(0)1.47.34.11.49) that treats people of the lower income bracket, which is at a different address. I spoke with a receptionist and a nun/nurse concerning this case, and they were upset to see that one might mistake their facility for one that sells medication. Both persons confirm (with some amusement) that there is no building at 62 rue Miollis, and that no Charles Lindbergh is associated with their facility at 40 rue Miollis, and that they most certainly do not sell medication.
At the other end of the short street, there is one notable building: the UNESCO headquarters. Given that there are many floors in the building, and the international nature of the name "Room 346" within a French address, it is likely that the false whois information was originally based on a UNESCO address. The fake address for the registrant was therefore created by taking UNESCO's address, changing the street number, adding a 0 to the postal code. The use of a famous person's name as the registrant is an old technique used by spammers to make online searches by name more difficult.
Any registrar that continues to sponsor domains of this registrant data is in clear violation of their contract with the registries and their ICANN accreditation.
*Photos courtesy of GANDI Domain Abuse Investigation Department.
[edit] Sponsoring Registrars
The registration contract is with the registrar Beijing Innovative Linkage Technology
Domain Name: ONLINEQUALITYPILLS.COM Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN Whois Server: whois.dns.com.cn Referral URL: http://www.dns.com.cn Name Server: NS1.989TIM.COM Name Server: NS2.989TIM.COM Status: clientTransferProhibited Updated Date: 15-aug-2007 Creation Date: 06-jul-2007
The name servers that guarantee access to this spamvertized web site is sponsored by Enom
Domain Name: 989TIM.COM Registrar: ENOM, INC. Whois Server: whois.enom.com Referral URL: http://www.enom.com Name Server: NS1.989TIM.COM Name Server: NS2.989TIM.COM Status: ok Updated Date: 24-jul-2007 Creation Date: 30-jun-2007
[edit] Related Spam
This spam site is found by redirection from other spammed sites.
For example, sites reported as being spamvertized include:
- kiperfumed.com Sun, 09 Sep 2007 00:25:14
- kiincense.com Sat, 08 Sep 2007 12:54:26
- khinthe.com Sat, 08 Sep 2007 01:18:12
- kgpatterned.com Fri, 07 Sep 2007 13:28:45
- khtable.com Fri, 07 Sep 2007 08:44:43
- kccsilver.com Wed, 29 Aug 2007 00:06:42
- kbrunners.com Tue, 28 Aug 2007 20:43:24
- kbringsof.com Tue, 28 Aug 2007 11:38:40
- bffidchipsto.com Mon, 27 Aug 2007 16:00:13
All of these are registered via a contract with the same sponsoring registrar
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Each of them use another name server domain. These name servers are
ns1.tenderinghome.com ns2.tenderinghome.com ns3.tenderinghome.com ns4.tenderinghome.com
The sponsoring registrar for the tenderinghome.com name server domain is
Domain Name: TENDERINGHOME.COM Registrar: TODAYNIC.COM, INC.
[edit] Analysis of the spam
The tenderinghome.com name servers show signs of running on a fast-flux basis. They are likely to be hijacked systems. IP addresses observed for ns1.tenderinghome.com include
24.22.203.187 - 24.60.147.209 - 24.200.63.111 - 59.149.71.223 - 59.149.105.211 - 60.49.135.42 - 61.15.57.46 - 62.21.51.155 - 66.165.197.187 - 67.36.26.168 - 67.181.174.56 - 68.21.7.27 - 68.42.110.208 - 68.54.107.166 - 68.84.7.129 - 69.110.108.138 - 69.119.19.133 - 69.182.153.182 - 69.231.116.58 - 70.83.188.53 - 70.126.118.26 - 71.86.220.70 - 71.194.103.101 - 74.57.16.67 - 74.61.81.43 - 75.24.189.204 - 75.39.165.45 - 75.63.53.126 - 75.111.101.251 - 75.131.246.72 - 76.109.172.122 - 76.211.143.74 - 80.192.9.212 - 81.13.112.173 - 81.30.197.229 - 82.64.159.120 - 82.228.187.157 - 82.241.19.181 - 82.242.222.17 - 82.250.133.223 - 84.10.126.100 - 84.27.206.207 - 84.73.37.3 - 85.65.223.212 - 85.93.105.37 - 85.227.238.206 - 86.106.57.143 - 87.105.3.142 - 88.164.10.2 - 88.165.68.136 - 88.169.40.113 - 88.199.184.219 - 89.3.150.81 - 89.32.2.190 - 89.102.48.180 - 89.102.84.93 - 89.156.141.117 - 89.176.90.55 - 91.147.219.139 - 98.203.12.148 - 122.52.73.255 - 122.100.56.101 - 122.252.65.222 - 124.244.161.160 - 125.99.245.29 - 190.3.35.246 - 190.16.108.211 - 190.18.8.219 - 190.164.48.63 - 200.8.82.215 - 200.118.72.132 - 200.147.164.37 - 200.220.208.194 - 203.186.248.136 - 203.223.250.184 - 211.52.171.238 - 211.217.255.22 - 211.227.168.132 - 213.22.232.178 - 213.213.215.13 - 213.250.200.94 - 216.164.204.56 - 219.68.77.43 - 222.96.104.203 - 222.233.167.146
IP addresses for the name servers are shown here in a snapshot
IP addresses for a web site are shown here in another snapshot
[edit] How to Report this Spam
The Complainterator is configured to report this spam to the registrars.
Sites to report, active in December, 2007
paprince.com pbthreatened.com pctosue.com pdandother.com phfor.com raandimage.org rbbutby.org rctargeting.org rdfansites.org sjthenational.com skchampion.com slshiphope.com
[edit] Related Spams
Where
- kjaz.kkroomin.com redirects to Pharma Shop web site r2.rx-shop.biz
so
- bfjv.kkroomin.com redirects to Reliable Pharmacy web site onlinequalitypills.com
and
- rvhtk.kkroomin.com redirects to SwissWatchesDirect web site widnw.net
The same name servers resolve domains that land on
- Herbal King
- Pharma Shop
- Reliable Pharmacy
- SwissWatchesDirect
- NaturaSlim Hoodia
- Online Replica Collection,handbags,Watches,shoes,pens..
[edit] Redirections
As at February 2008
This brand is a target site of many spammed site redirections. The current formula is a redirection based on the first character to the subdomain name:
- a*.domain.tld: pdandotherb.com (shut down)
- b*.domain.tld: ageshell.com (Canadian Pharmacy)
- c*.domain.tld: wehelpyounow.com/clothes/ (shut down)
- d*.domain.tld: wehelpyounow.com/freepenispill/ (shut down)
- g*.domain.tld: fqa34s2.com (US Pharmacy)
- h*.domain.tld: diet350.info (100% Pure Hoodia Gordonii Pills)
- i*.domain.tld: iakospro.com (VPXL) affiliate ID 2515592000
- k*.domain.tld: ideaexciting.com (US Pharmacy)
- p*.domain.tld: iakospro.com (VPXL) affiliate ID 2515592000
- r*.domain.tld: keogbw.net (Swiss Watches Direct)
- s*.domain.tld: parpower.com (VPXL) affiliate ID 2515592000
- t*.domain.tld: flutteoi.com (Replica Store) affiliate ID 3508239664
- v*.domain.tld: wehelpyounow.com/vm/ (shut down)
Before February 2008
Spammed sites:
- bbdw.oxagainst.com
- bzvun.oxagainst.com
- bhcisf.oxagainst.com
- dqpl.oxagainst.com
- djtwd.oxagainst.com
- kpwi.oxagainst.com
- kmfvnu.oxagainst.com
- kkjsp.oxagainst.com
- rhlybg.oxagainst.com
- rxtm.oxagainst.com
- rutdkl.oxagainst.com
This one domain redirects to multiple different scams.
- Prefix letter A = Elite Herbals on saverxp.org which was not operational from Sept 2007. In December it redirected to samolsen.com
- Prefix letter B = Reliable Pharmacy redirected to onlinequalitypills.com [Beijing dns.com.cn], subsequently to jumewa.com - Global Pharmacy
- Prefix letter C = redirected to hoodiastoresale.com - Naturaslim Hoodia - 100% Pure Hoodia Gordonii Diet Pills , subsequently to Dolce & Gabbana .. Designer Fashion Clothing
- Prefix letter D = Herbal King redirected to samsege.com [CSL / Joker], subsequently to wehelpyounow.com/freepenispill/ - ManXL
- Prefix letter K = Pharma Shop redirected to r2.rx-shop.biz subsequently to r2.pharm-shop.biz [GMO INTERNET]
- Prefix letter R = SwissWatchesDirect redirected to einison.net or pornogh.net or azfuek.net [INTERNET.BS CORP]
- Prefix letter S = Wondercum redirected to fozip.com subsequently to parpower.com
- Prefix letter T = redirected to getthasteppin.com which was not operational as at Sept 2007, subsequently in December to wehelpyounow.com/su/ SizeUp.
- Prefix letter V = redirected to wehelpyounow.com/vm/ Vigramax
The switching is achieved on a redirector that announces itself upon connection thus
HTTP/1.1 302 Found Date: Tue, 03 Dec 2007 20:17:21 GMT Server: Apache/2.0.59 (FreeBSD) PHP/4.4.7 with Suhosin-Patch X-Powered-By: PHP/4.4.7
and a redirection in the form
Location: http://wehelpyounow.com/su/
