Canadian Pharmacy
From Spamwiki
Read the FDA public safety warning.
Description
Acknowledged by Spamhaus as the Internet's worst case of criminal offending, this spam brand has the dubious distinction of being the most heavily spammed domain our staff receives. Russian authorities are pursuing Igor Anatolyevich Gusev, who is thought to be the owner of the Glavmed organization promoting this fraud.
The "Canadian Pharmacy" titled sites are the most common. They may also be labeled European Pharmacy for visitors from IP addresses located outside North America. When accessed from the UK, it may be called United Pharmacy.
Other sites include "PharmSite" and "best online PHARMACY." They are riddled with identical fraudulent claims. Similarly, they are closely related to Dr.Pills and Canadian Healthcare - sharing the same titles.
For simplicity, this entry refers by default to Canadian Pharmacy, but the false claims apply equally to all of these. The exception is "Official" Canadian Pharmacy which lacks the false certification claims.
The copyright statement in the trailers for "PharmSite" and "best online PHARMACY" actually contains the words Copyright Canadian Pharmacy.
Visitors to these sites are cautioned against placing an unsecure order for any of the products advertised. With so much obvious fraud in the set up of the web site, any reasonable person would be justified in having doubts about passing identity and credit card details to such blatant criminals.
False Pretenses
False: Verisign secure link claim
Both sites falsely pretend to take your credit card over a secure connection, but the protocol is unsecure http, and even in their fakery, they foolishly left the padlock image unlocked!

Here is an example from one site selected at random.

Click on the Verisign Secure Site logo:

To ensure that this is a legitimate VeriSign Secure Site, make sure that:
1. The original URL of the site you are visiting comes from treeprovide.hk.
2. The URL of this page is https://digitalid.verisign.com.
3. The status of the Server ID is Valid.

Look at the properties of this fake certificate screen, and you find that instead of https://digitalid.verisign.com, the URL is actually http://www.reasontalk.com/checker2.php (where reasontalk.com in this case is the spammed fake pharmacy site). The Verisign certificate is obviously fraudulent. Abuse of the seal can be reported to Verisign.
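The check described above can be automated when triaging a reported site. The following is an added example, not code from Spamwiki: it parses a page, finds images that look like trust seals, and reports whether each one links over https to the issuer's own host or back to the site itself. It also covers the "Pharma Checker" seal discussed later in this article. The function names, the keyword matching on alt text and file names, and the sample HTML are assumptions made for the illustration; the hosts are the ones named in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Seal name as it appears in image alt text or file name (an assumption about
# how seals are labelled) -> host that should serve the verification page.
# Hosts are the ones named in the article; "pharmachecker" is the lookalike
# spelling the fake sites use for PharmacyChecker.
EXPECTED_ISSUER = {
    "verisign": "digitalid.verisign.com",
    "pharmacychecker": "pharmacychecker.com",
    "pharmachecker": "pharmacychecker.com",
}


class SealLinkParser(HTMLParser):
    """Collect (href, label) for every image that sits inside a link."""

    def __init__(self):
        super().__init__()
        self._href = None
        self.linked_images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href") or ""
        elif tag == "img" and self._href is not None:
            label = f"{attrs.get('alt') or ''} {attrs.get('src') or ''}"
            self.linked_images.append((self._href, label))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def seal_name(label):
    """Return the seal keyword found in an image label, or None."""
    squashed = "".join(ch for ch in label.lower() if ch.isalnum())
    for keyword in EXPECTED_ISSUER:
        if keyword in squashed:
            return keyword
    return None


def audit_seals(page_url, html):
    """Report where each trust seal on the page actually links to."""
    parser = SealLinkParser()
    parser.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for href, label in parser.linked_images:
        keyword = seal_name(label)
        if keyword is None:
            continue  # an ordinary linked image, not a seal we know
        target = urlsplit(urljoin(page_url, href))  # resolve relative links
        host = (target.hostname or "").lower()
        issuer = EXPECTED_ISSUER[keyword]
        problems = []
        if target.scheme != "https":
            problems.append("not-https")
        if host != issuer and not host.endswith("." + issuer):
            problems.append("wrong-issuer-host")
        if host == page_host:
            problems.append("self-hosted")
        findings.append(
            {"seal": keyword, "target": target.geturl(), "problems": problems}
        )
    return findings


# Constructed sample markup. The first link reproduces the checker2.php case
# from the article; the other two are invented for contrast.
SAMPLE_URL = "http://www.reasontalk.com/"
SAMPLE_HTML = """
<a href="checker2.php"><img src="/img/verisign_secure.gif" alt="VeriSign Secured"></a>
<a href="/pharma-checker.html"><img src="/img/seal2.gif" alt="Pharma Checker approved"></a>
<a href="https://digitalid.verisign.com/"><img src="/img/vs.gif" alt="Verisign Secure Site"></a>
"""

if __name__ == "__main__":
    for finding in audit_seals(SAMPLE_URL, SAMPLE_HTML):
        print(finding["seal"], finding["target"], finding["problems"] or "ok")
```

An empty problem list only shows that the seal links to the issuer's host; the issuer's page must still name the site being visited, as item 1 of the quoted checklist says.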
False: Claims to have "ADA" approval
The link to the American Drug Administration is also served by this fraud site itself. A Google search for "American Drug Administration" turns up only links to this scammer's sites. There appears to be no such entity, except as defined by this fraudster. In fact, it is an attempt to make it look as if the site has FDA approval. The ADA logo is a reworked version of the FDA Centennial 1906 - 2006 logo.

At the bottom is the name of the representative, Kris Thorkelson, Vancouver. Likewise he is referenced in the link to the "PharmaChecker" site, again served locally. Kris is a real person, with the right credentials, but he is not amused to find that his identity has been stolen in this way. He writes:

This is one of many web sites created by a group that has been doing a large amount of spamming. They copied my information and have been using it without my consent. I have no idea who they are but as you can see all of their credentials are fake. Good luck in finding out more about these people.
Kris Thorkelson
CEO of the CanadaDrugs.com Group of Companies
A comparison of the fake ADA logo and the genuine FDA logo shows the fraud for all to see.
[Images: banner and logo, the fake ADA versions compared with the genuine FDA versions]
False: Claims to have "Pharma Checker" approval
The fraud continues. Both sites pretend to be authenticated by Pharmacy Checker - which they are not. So they set up a link to a fake Pharma Checker instead of the genuine Pharmacy Checker. Notice the fake logos on the left, compared with the genuine ones on the right.
[Images: the fake "Pharma Checker" logo and seal beside the genuine "Pharmacy Checker" logo and seal]
In 2013, they even implemented a fake version of Pharmacy Checker to award themselves a certification! Domain pharmacy-checker1.com was rapidly suspended by the registrar (April 10). They then created another domain, pharmacychecker1.com (April 15).
Pharmacy Checker response
We do not endorse this company and they are not affiliated with PharmacyChecker.com in any manner. The PharmacyChecker.com seal that they publish (“Pharma Checker”) is an unauthorized and adulterated copy. Donna Miller, Customer Services
False: Claim of "CIDA Rx" approval
The link to the Canadian International Drug Association is a very interesting innovation. No such association actually exists. The criminal who designed the site hoped nobody would notice the subtle name change from the real Canadian International Pharmacy Association.

If you click the link, you see that you are invited to "Report Unauthorized Seal Use". In small print on the next line is a telling reference to "this CIPA Seal". A click on that link opens an email to info@cidarx.ca. Everyone who sends off a report is probably identifying themselves via email to the criminal. A whois lookup on cidarx.ca is surprisingly brief, but does reveal that it was registered through Canadian Internet Registration Authority (NFP) / Autorité Canadienne pour les enregistrements Internet (OSBL).
False: Claim to be Canadian
Both sites have a Contact Us link that states:
Customer Support (click here to mail us sitesupport@pharmsupport.us)
The choice of ".us" is presumably to give the impression that this is registered in the USA, which is the site's target marketplace. So where is the registrant for this domain?
A WHOIS lookup on pharmsupport.us reveals where the operation is possibly located:
Domain Name: PHARMSUPPORT.US
Domain ID: D10685285-US
Sponsoring Registrar: DIRECT INFORMATION PVT LTD DBA PUBLICDOMAINREGISTRY.COM
Domain Status: ok
Registrant ID: DI_2607867
Registrant Name: Alex Markovich
Registrant Organization: Be SEO
Registrant Address1: Sadovo-spasskaya st. 15-19
Registrant City: Moscow
Registrant State/Province: Moskovskaya oblast
Registrant Postal Code: 125021
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +007.4952582102
Registrant Email: beseo@bk.ru
Another Alex in the Russian Federation.
Fake Pharmacy License
Like Pharmacy Express, the latest version of Canadian Pharmacy displays a "Drug Reselling License" supposedly issued by the New Zealand Board of Pharmacy. Such an entity does not exist. The address of Canadian Pharmacy is given as 3 Akoranga Drive, Northcote, Auckland, New Zealand. This address does exist, and it is an outlet for a legitimate New Zealand online pharmacy, but it is not Canadian Pharmacy.
The license that can be viewed from the false Canadian Pharmacy site has obvious errors.
- It is issued by a New Zealand Board of Pharmacy - whereas no such Board exists (New Zealand has a "Pharmacy Council of New Zealand")
- It is supposedly issued to Canadian Pharmacy, but at an address which does not belong to them.
- It uses US English spelling for the word "license". No New Zealand certificate would use US spelling - it would be spelled "licence", because New Zealand uses UK English for official documents.
- No certification authority would allow grammatical errors in a document, such as "The license is required by law to immediately notify the New Zealand Board of Pharmacy ..."
- The forged certificate infringes the copyright of the legitimate owner, New Zealand's Pharmacy Express
- If it was truly a Canadian Pharmacy, it would neither be located nor licensed in New Zealand!
No Pharmacist Oversight
Although most of the spam for Canadian Pharmacy hawks drugs for impotence, and there are lots of controlled substances with street value advertised, their website offers a wide range of medications for serious medical illnesses as well.
These may only exist to give the impression this is a real pharmacy instead of a scam. The prices for these other drugs are significantly higher than what they are in US bricks-and-mortar pharmacies to people with prescriptions. On the other hand, there are people who do not visit their doctors or get required monitoring tests and whose doctors will stop writing prescription refills for them. Those people may be willing to pay the extra money in order to obtain drugs without prescription.
What is the rationale for requiring prescriptions for drugs that aren't narcotics, anyway?
- They treat conditions that require medical training to diagnose
- Medical testing/monitoring must be done to see if they are working adequately
- They may have risks that someone without medical training would not fully understand, or risks that cannot be evaluated without medical testing.
For instance, the cholesterol drug lovastatin requires a prescription. You need a blood test to know if you have high cholesterol, you need a blood test to know if the dose you are taking is lowering your cholesterol adequately, and you need a blood test to make sure you are not one of the people who get liver damage from it. (Of course, in the case of drugs of uncertain origin, like those that may be shipped to you if you order from CPh, if your blood test shows your cholesterol is still high, even your doctor won't know whether the problem is that you need a higher dose of lovastatin or that you were shipped a batch of fake pills with no active ingredients.)
People who have ordered drugs from CPh report sometimes receiving placebo pills that mimic the appearance of real drugs, and sometimes getting drugs with active ingredients, though often the dose contained is higher or lower than it is supposed to be. Many drugs require each patient's dose to be individually adjusted, and a pill whose dose is too high or low could put a patient in the toxic range or leave them at risk of their medical condition going out of control. A classic example of such a "narrow therapeutic index" drug is warfarin (Coumadin), a drug initially invented as rat poison because it is more toxic to rodents than to people. If the dose of warfarin is too high, a person may die of internal bleeding in the brain or stomach. If it is too low, he may die of blood clots in the lungs or suffer strokes due to clots to the brain. Warfarin pills come in an unusually large variety of strengths, but even so, there is so much variability in requirement from one person to another that someone could end up having to take different size pills on different days of the week to get the level to stabilize in the correct range. People must undergo frequent blood tests to check that level, as warfarin interacts with multiple drugs as well as with vitamin K in food.
It's very frightening that a drug like warfarin is being sold by CPh to people without prescriptions who may not be getting the proper monitoring. But it's even more frightening when you realize there appears to be no one involved in the operation with even the most basic knowledge of pharmacy.
Case in point is their 2009 "free Viagra" promotion. All their websites put a few free tabs of "Viagra" in every shopping cart at checkout:
[Image: shopping cart with free "Viagra" tablets added at checkout]
Viagra's active ingredient, sildenafil, is not dangerous to the heart itself, but there is a severe interaction with drugs in the nitrate family that can cause shock (severely low blood pressure, so low that brain, heart, and kidney damage or death can occur). Viagra is prescription only in part because drugs in that family don't always have the word "nitro" in the name, so people may not realize they are taking nitrates.
But in the example in the above image, it's not subtle. It's an order for nitroglycerin, the most famous member of the nitrate family. It's hard to imagine any pharmacist so incompetent or undeserving of a license that he/she would remain associated with a website that would even have ads promoting Viagra on the same page as an order for nitroglycerin, let alone throwing a few tabs into the shopping cart unbidden. It's more likely there are no pharmacists involved whatsoever.
If this interaction is so dangerous, why aren't we hearing of deaths? There are several possibilities
- they don't really sell nitroglycerin and the whole ordering process is a sham to make it appear this is a real pharmacy
- there's no real sildenafil in their fake Viagra tablets
- even if someone did have an interaction, the interaction was mistaken for consequences of the heart disease itself. One can imagine that a man who has ordered drugs without a doctor's prescription may be using drugs for impotence without telling his partner. If he has chest pain, takes some nitroglycerin, then collapses and dies, it's likely to be attributed to death from a heart attack. No one may even know he was taking drugs he bought on line. Extensive coroner's autopsies with toxicology testing are only done when foul play is suspected. CPh could be leaving a trail of bodies with no one realizing it.
Spam Examples
French
Vous avez cache vos Pilules. Vous pouvez les obtenir rapidement et facilement. Il vous suffit de regarder chez nous, vous obtenez pres de nous autant de Pilules, comme vous avez besoin. Regardez chez nous et achetez les meilleures Pillules, vous les connaissez. La meilleure Pharma en ligne, nous nous connaissons avec les Pilules, vous pouvez nous faire confiance. Seuls les meilleurs pour nos chers clients. http://landdictionary.com
The structure and use of French (along with the multitude of errors) clearly indicates that the text was translated literally, most likely using computer software.
French spamvertized domains:
- corncentury.com
- repeatparent.com
- correcttruck.com
- severalwhole.com
- landdictionary.com
Being that prescription drugs are available for free (or next to free depending on your mutuelle) in France, I fail to see the point of targeting this market, though it does indicate a certain desperation on the part of the spammer.
English
In July 2009, CPh apparently felt their spam would be more trusted if disguised as an ecard trojan:
Subject: You've received a greeting ecard Good day. You have received an eCard To pick up your eCard, choose from any of the following options: Click on the following link (or copy & paste it into your web browser): http://wallmotion.com/ Your card will be aviailable for pick-up beginning for the next 30 days. Please be sure to view your eCard before the days are up! We hope you enjoy you eCard. Thank You!
VIAGRA
If you have a problem getting or keeping an erection, your sex life can suffer.
You should know that you’re not alone. In fact, more than half of all men over 40
have difficulties getting or maintaining an erection. This issue, also called
erectile dysfunction, occurs with younger men as well!
You should know there is something you can do about it.
Join the millions of men who have already improved their sex lives with VIAGRA!
VISIT STORE ONLINE!
Dear valued member. MyCanadianPharmacy provides a wide range of pharmaceutical products. You will be surprised by the selection of products available. Still ordering your Products in American drug stores? Try cheaper Canadian products of the same quality. Don?t miss the possibility to buy the best pharmaceutical products at the best possible prices. Click here and see a wide range of products to choose from http://makesame.hk Absolute security and confidentiality guaranteed. You will be satisfied with the variety of drugs available. Yours faithfully, Ethan Crofoot
Image spam:
This is nearly identical to several spams received for a variety of fake / illegal "OEM software" sites, notably Downloadable Software.
It is also clear that this image is identical to that used on the Canadian Health&Care Mall site.

This one co-opted the html template for a recent legitimate email from Kraft Foods.

In late 2007, Canadian Pharmacy began the unauthorized use of the Men's Health magazine brand, going so far as to claim the address of Rodale, Inc., its publisher. Needless to say, all links from the headlines for the supposed articles actually linked to Canadian Pharmacy web sites. The email appeared rather professional as spam goes, if you overlooked the photo of the topless woman.
Sponsoring Registrars
Redirections
Microsoft spaces.live.com
Each spaces.live.com URL spammed provides a web page on Microsoft's abused service that will redirect to one of a range of spam brands. Each brand represents an illegal web site that indulges in fraud and misrepresentation. It is strongly recommended that visitors do not provide their identity and credit card details on any of these sites. They are run by criminals who use credit cards to order domain names for spamming, or to sell stolen identities within their own "carding" community. Canadian Pharmacy is one of several brands targeted.
Google Groups
Redirections using Google Groups remain very common in July 2009. Google recognizes the problem and inserts a page identifying the link as possible spam, but does not shut down some very obvious frauds. For instance the link illegally using Pfizer's name
groups.google.com/group/pfizer-online
links to buybegin.com, with the continued assistance of Google.
Google Blogspot/Blogger
Google Blogspot redirections, March 2008, are listed at Blogspot. Blogspot redirections are a move to try to evade filters and complaints against the target sites. Existing reporting tools focus on the spammed URL, so the spammer hopes that the actual site will be obscured from reporting tools.
Yahoo Groups
While Yahoo does shut these down, they are being spammed at high frequency for Canadian Pharmacy and other pharma and replica scams. Example:
groups.yahoo.com/group/bykobusebonaso/message/1
redirects to sweetcould.com.
Yahoo! Geocities
Yahoo! Geocities is also used for redirections. In May 2008, these were seen to be averaging over 600 per day as detected in spam traps and spam honey pots. The reports can be seen in the URIBL.COM Geocities abuse tracking system.
Storm Trojan
As of March 21, 2008, Storm Trojan infected machines were found to be redirecting to four different fake pharmacy sites using the format http://xxx.xxx.xxx.xxx/anything/
- Pharmacy Express
- ED Express
- United ED Meds
- Canadian Pharmacy
For Canadian Pharmacy, the redirection sites detected were
- fruitlot.com
- samevalue.com
- lednose.com
- discussin.com
- wrongsame.com
- grasschange.com
- pathsix.com
- writeprovide.com
Each of these in turn was running on another botnet, 20 IPs at a time in a round robin refreshing every 5 minutes.
On May 19, 2008 the redirections were seen to be
- catsharp.com
- followequate.com
- lowsmell.com
- picturewest.com
- posestory.com
- printlength.com
- producemorning.com
Name Servers
October 2009
Network Solutions has taken a service contract with 'Registrant: Dvoshilin, Michail' for the name server domain NSCONTROL.COM. That domain runs these name servers, according to the WHOIS listing
Domain servers in listed order:
NS1.NSCONTROL.COM 91.208.162.9
NS2.NSCONTROL.COM 91.209.183.61
NS3.NSCONTROL.COM 91.209.183.21
NS4.NSCONTROL.COM 91.209.183.21
NS5.NSCONTROL.COM 91.208.162.5
Those IP addresses are owned by Andrey/Andrew Smirnov of GlavMed
inetnum: 91.208.162.0 - 91.208.162.255
netname: RUSDESIGN-NET
descr: RusDesign Ltd
country: RU
org: ORG-RL57-RIPE
admin-c: AS13070-RIPE
tech-c: AS13070-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: RUSDESIGN-MNT
mnt-routes: RUSDESIGN-MNT
mnt-routes: AS2118-MNT
mnt-domains: RUSDESIGN-MNT
source: RIPE # Filtered

organisation: ORG-RL57-RIPE
org-name: RusDesign Ltd
org-type: OTHER
address: Krasina 5-15
address: Moscow, Russia
e-mail: asmirnoff73@gmail.com
mnt-ref: RUSDESIGN-MNT
mnt-by: RUSDESIGN-MNT
source: RIPE # Filtered

person: Andrey Smirnov
address: Krasina 5-15
address: Moscow, Russia
phone: +7 916 9894767
nic-hdl: AS13070-RIPE
mnt-by: RUSDESIGN-MNT
Canadian Pharmacy sites registered with DirectNic, a company that gives its address as
Regatta Office Park Windward 1, Suite 141 85A Lime Tree Bay Road West Bay, Grand Cayman --- KY (345) 745-6022 Fax:(345) 745-6023
An example of sites using the nscontrol.com domain for name servers
- online-meds1.com
- online-pharm1.com
- online-rx1.com
- pharm-bill.com
- pharm-charge.com
- pharm-help.com
- pharm-online1.com
- pharmacy777.com
- rx-charge.com
These sites in turn are registered by the same person, Andrey Smirnov, this time giving an address in Canada as part of the fraudulent Canadian impersonation of the web sites
Domain Name: RX-CHARGE.COM Administrative Contact: Smirnov, Andrey whois@pharmashopsupport.com 200-1765 West 8th Ave. Vancouver, British Columbia V6J 5C6 CA CA 866-420-707
Additional fraud sites that use nscontrol.com for name servers are shown in the graphic.
July 2009
The prevalent name server registration method is to select a trio of systems across 2 or 3 registrars
- ns1.clearfab.ru ns2.clearfab.ru REGRU-REG-RIPN
- ns3.b6z.ru ns4.b6z.ru REGRU-REG-RIPN
- ns5.lucidhere.com ns6.lucidhere.com ONLINENIC
or
- ns1.secondwee.com ns2.secondwee.com - ALANTRON BLTD.
- ns3.methodsister.com ns4.methodsister.com - ONLINENIC, INC.
- ns5.houratom.ru ns6.houratom.ru - REGRU-REG-RIPN
The name servers are used to resolve access to spammed redirection sites, which are detected and listed by spam-traps, such as URIBL.COM
The redirection sites are designed to conceal the ultimate Canadian Pharmacy target sites from blacklisting. Sample redirection targets are
- awesomepharmsline.com - ONLINENIC, INC. / Serpino Berbeto
- storemedicalroyal.com - ONLINENIC, INC. / Serpino Berbeto
- wheelmade.com - ONLINENIC, INC. / Serpino Berbeto
where ONLINENIC, INC. / Serpino Berbeto represents the registrar and the registrar's (rogue) authorized reseller respectively.
Xin Net [2007-2008]
Canadian Pharmacy typically registered its nameserver domains with Xin Net, and used groups of four at a time to service hundreds of domains. Examples:
ns0.piotiongandesunkdes.com ns0.gedsactunjerion.com ns0.chitionkdetunlionpsa.com ns0.fionkunjerunhedase.com
ns0.nuspharkosa.com ns0.kopepharas.com ns0.mukopkufude.com ns0.pharokufuma.com
ns0.likenewdesign.com ns0.globonss.com ns0.globohosts.com ns0.yourpleasant.com
Recently, it has begun using Xin Net's own nameservers:
ns.xinnet.cn ns.xinnetdns.com ns2.xinnet.cn ns2.xinnetdns.com
Given Xin Net's sudden commitment to enforcing acceptable use policies, suspending thousands of fraudulent and spammy domains, the Canadian Pharmacy scammers may be concerned that thousands of their domains could go down at one time if their nameservers were blackholed. Using a registrar's own nameservers prevents that, although it also makes it easy for the registrar of the nameservers to effectively shut down the spamvertised domains, regardless of where those individual domains are registered.
Spamvertized Sites
| Illegal pharmacy site | Spam brand with links to information | Registrar sponsoring the criminal operation |
|---|---|---|
| drugsea.com | Drug Store | ENOM, INC. |
| brightfutureabc.com | Canadian_Pharmacy | REGTIME LTD. |
| your-drug-store.com | Drug Store | ENOM, INC. |
| canadians-health.com | Canadian_Pharmacy | INTERNET NAMES WORLDWIDE |
| nscontrol.com | Support Center | NETWORK SOLUTIONS, LLC. |
| mens-medication.com | Canadian_Pharmacy | INTERNET NAMES WORLDWIDE |
| simple-op.com | Canadian_Pharmacy | ENOM, INC. |
| all-about-cialis.com | All About Cialis | DIRECTNIC, LTD |
| brand-generic-pills.com | Canadian_Healthcare,Canadian_Pharmacy | TODAYNIC.COM, INC. |
| alltrustedpills.com | Canadian_Healthcare,Canadian_Pharmacy | ENOM, INC. |
| medgetfarmos.com | Canadian_Healthcare,Canadian_Pharmacy | BIZCN.COM, INC. |
| onlyhighestquality.com | Canadian_Healthcare,Canadian_Pharmacy | DYNADOT, LLC |
| medicationcenter.info | Canadian_Healthcare,Canadian_Pharmacy | ENOM, INC. |
| officialmedicines.info | Canadian_Healthcare,Canadian_Pharmacy | DirectNIC, LTD |
| check-order-status.info | Support Center | GKG.NET, INC. |
| unitedpharmacysupport.info | Support Center | GKG.NET, INC. |
InterCosmos Media Group
- canadianmedsworld.com

Public Domain Registry
- bestpharmstock.com
Sponsoring ISPs
IP addresses habitually used for hosting Canadian Pharmacy sites and their name servers are
- 218.75.144.6 (abuse.cd@2118.com.cn) & (abuse.szx@2118.com.cn) Chinanet Hunan
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL75487
- 203.93.208.86 (michael@chinaunicom.com.hk) (abuse@cnc-noc.net) China Unicom
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL74278
- 60.191.239.150 (anti_spam@mail.jhptt.zj.cn) Jinhua Telecom
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL76119
- 222.186.12.113 (abuse@jsinfo.net) (ip@jsinfo.net) CHINANET Jiangsu
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL71237
- 220.248.167.126 (michael@chinaunicom.com.hk) (abuse@cnc-noc.net) China Unicom Hunan
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL74724
Hijacked Hosting Infrastructure
As of this writing (August 2007) independent investigation has shown a large number of hijacked home and business computers providing DNS and web hosting infrastructure for this operation's websites.
The typical spam run features a link to a single html page on an otherwise legitimate website which has been compromised. That html page typically performs a JavaScript redirect to another domain which is the true target of the spam run.
Typical sites in June 2007 were using four name servers - for example
| ns0.chitionkdetunlionpsa.com | c-71-233-121-19.hsd1.ma.comcast.net | 71.233.121.19 |
| ns0.fionkunjerunhedase.com | 212.143.150.121 | 212.143.150.121 |
| ns0.gedsactunjerion.com | 28-196-n.ipv4.vnet.ee | 85.29.196.28 |
| ns0.piotiongandesunkdes.com | 89-178-24-169.broadband.corbina.ru | 89.178.24.169 |
When resolved to web server hosts, there would be up to 20 IP addresses found, demonstrating a round robin aka fast-flux approach of distributing the hosting over multiple hijacked host machines. These hosts are usually on systems attaching to the Internet over cable or broadband (DSL) supplier ISPs. A live example recorded June 1, 2007
- 216.165.48.73 NY University
- 24.152.128.81 Earthlink
- 66.171.238.63 Verizon
- 24.137.125.124 Eastlink
- 75.17.12.41 AT&T SBC
- 65.24.187.23 Road Runner
- 71.130.204.142 AT&T SBC
- 67.70.22.98 Bell Canada
- 71.146.151.88 AT&T SBC
- 66.177.73.244 Comcast
- 217.211.55.49 TeliaNet, SE
- 76.181.146.11 Road Runner
- 68.124.63.138 AT&T SBC
- 84.60.32.53 Arcor AG, DE
- 87.228.41.40 Infoline, RU
- 89.178.91.169 Corbina Broadband, RU
- 58.227.40.221 Hanaro Telecom, KR
- 217.209.21.229 TeliaNet, SE
- 81.245.237.237 SkyNet, BE
- 217.70.103.109 Novosibirsk, RU
These are typically hacked servers, or otherwise normal personal computers which have been compromised. It is unknown at this time how the group behind Canadian Pharmacy gains access to these servers, and the investigation is ongoing. It is assumed to be a form of botnet hosting.
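The hosting pattern described in this section and under Storm Trojan (up to 20 addresses returned at a time, spread over many unrelated providers, with the set refreshing every 5 minutes) can be measured from repeated DNS lookups of a spammed domain. The following is an added example, not code from Spamwiki: it scores a series of resolution snapshots for set size, network spread and turnover. The function names, the thresholds, the use of the enclosing /16 as a stand-in for "provider", and all addresses in the sample data are assumptions made for the illustration.

```python
import ipaddress

REFRESH_SECONDS = 300  # the article reports the address set refreshing every 5 minutes


def network_of(ip, prefix=16):
    """Coarse stand-in for 'which provider': the enclosing /16 (an assumption)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def flux_metrics(snapshots):
    """snapshots: time-ordered list of (unix_time, set of A-record strings)."""
    if not snapshots:
        raise ValueError("need at least one snapshot")
    seen = set()
    for _, ips in snapshots:
        seen |= ips
    # Turnover: share of each answer set that was absent from the previous one.
    turnovers = [
        len(cur - prev) / len(cur)
        for (_, prev), (_, cur) in zip(snapshots, snapshots[1:])
        if cur
    ]
    return {
        "max_set_size": max(len(ips) for _, ips in snapshots),
        "distinct_ips": len(seen),
        "distinct_networks": len({network_of(ip) for ip in seen}),
        "mean_turnover": sum(turnovers) / len(turnovers) if turnovers else 0.0,
    }


def classify(snapshots, min_set=10, min_networks=5, min_turnover=0.5):
    """Label a domain from its snapshots; thresholds are illustrative defaults."""
    m = flux_metrics(snapshots)
    wide = m["max_set_size"] >= min_set and m["distinct_networks"] >= min_networks
    churning = m["mean_turnover"] >= min_turnover
    if wide and churning:
        return "fast-flux"
    if wide or churning:
        # One lookup, or a wide but unchanging set, is not enough on its own.
        return "suspicious"
    return "stable"


def constructed_pool(first, last):
    """Constructed stand-ins for hijacked hosts, one per /16 (private space)."""
    return {f"10.{n}.0.7" for n in range(first, last + 1)}


# Constructed observations: 20 addresses per answer, 15 of them replaced
# at each 5-minute refresh.
FLUX_SNAPSHOTS = [
    (0, constructed_pool(1, 20)),
    (REFRESH_SECONDS, constructed_pool(16, 35)),
    (2 * REFRESH_SECONDS, constructed_pool(31, 50)),
]

# Constructed control: a conventionally hosted site with two fixed addresses.
STABLE_SNAPSHOTS = [
    (t, {"192.0.2.10", "192.0.2.11"})
    for t in (0, REFRESH_SECONDS, 2 * REFRESH_SECONDS)
]

if __name__ == "__main__":
    for name, snaps in (("flux", FLUX_SNAPSHOTS), ("control", STABLE_SNAPSHOTS)):
        print(name, flux_metrics(snaps), classify(snaps))
```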
Typical Fake WHOIS Contact Information
In many cases, domains used in the Canadian Pharmacy spam run will be registered to the following fake identity within the WHOIS data for the domain:
Michael Leslie mail@boxbetter.com 1-713-775-3348 fax: 2218 Ewing St Houston TX 77004 us
Needless to say: boxbetter.com is yet another Canadian Pharmacy domain. No legitimate contact information is ever used in the registration of these domains.
How to report this spam
The Complainterator is configured to request removal of these fraudulent sites. Add a link to this page as evidence.
Related spam operations
Canadian Pharmacy exploits many different methods of redirections to try to escape detection.
Canadian Pharmacy, PharmSite and Nature Medicines share many common functions, leading to the conclusion they come from the same perpetrator
- same registrars
- same name servers
- same online support number - +1 210 80 PHARM
- same email support address - sitesupport@pharmsupport.us
- same false claims
Dionpills.org is advertised in forum comment spam, such as on YouTube. Their phone number, 210-787-1711, has also been used by Canadian Pharmacy. Although that is a Texas area code, the company controlling 210-787-1xxx numbers provides voice-over-internet, so no assumptions can be made about the location of a company with that number. Dionpills.org uses the same scam of having the fake endorsement logos on their webpage link to other pages on the same website, when real logos would link to the sites for the endorsing agencies. But their claim to fame is their "testimonials" page, where supposed customers praise them. It's one of the funniest pages on any spamvertised site:
Sam, 28 Acclaim to Viagra! I could not help self but feel inspired both a long long time. Now, I am over the world, I am travel, I am very happy I saved my family me children and my wife. Thanks this site Dionpills.ORG ...
RENE, 24 Recently and had tried Viagra gently into account the difference, it really works, and nothing helped me before. Trust him. Dionpills.org the Best. It acts more quickly and allows them to improve the situation asked: Behold what they need - and speed!
Barbara, 45 I do not believe in drugs, who can reduce their weight and remain small and reduce, but actually there. Since the beginning of the adoption of Phentermine culinary herbs once or twice a day before meals, I think brilliantly: my appetite decreased, began to judge that filled me and not think further into the food! i am very like Dionpills.Org
Gulia, 23 I am not only Hoodia which helped lower my extra kilogramms, but their impact is great and have ingredients. Since trust told me he lost a lot, I never thought that the fact that it can help. In addition Hoodia Gordonii gives me so much energy that I lost weight, not only because I have no more hunger, but my work becomes tremendous. Thanks for Dionpills.org
Kent, 26 Cialis and PS no longer live together! Men must understand what I mean. With Cialis, I stopped thinking about the problem and had relations with his wife, which is so costly me, and what I wanted to divorce his wife but to take Cialis. Now, we are as happy as it 10-15 years.
(Men: Do you understand what he means?)
And last but not least, a comment from someone whose name is presumably supposed to be "Phil Mahoney:"
Fill Mahouny, 33 Buspar inherited my life 2 months ago! He had changed: I do not feel well passionnan but after having worked for 10 hours and my real help before going to bed: Awakened costs and the desire to work, working and travel. I have the best to live
People who have ordered from that site or from Canadian Pharmacy have listed their complaints on this site that rates businesses based on their phone numbers.
Penis Enlarge Patch, Canadian Pharmacy and Soft Eden software piracy sites run on the same botnet of hijacked hosts, for example:
- buysoftworld.com = Soft Eden
- puface.com = Penis Enlarge Patch
- ironfinal.com = Canadian Pharmacy
See: Glavmed
Related brands
October/November 2009 showed a new trend. Canadian Pharmacy sites contain a "Best sellers" section, which in turn link through to an Online Pharmacy site.
[Images: a Canadian Pharmacy "Best sellers" section, which links to an Online Pharmacy site]
The title line at the top of the site's web page is randomly selected from a list of titles. Some examples -
- We Always Have Special Offers In Our Online-Drugstore
- We Always Have Special Offers In Our Pharmacy Store
- We Always Have The Best Offers for Viagra, Cialis and Levitra
- We Always Have The Best Offers In Our Online Pharmacy Store
- We Always Have The Best Pharmacy Offers
- We Always Have The Best Pharmacy Online-Offers
- We Always Have The Cheapest Offers In Our Online-Drugstore
- We Always Have The Cheapest Offers In Our Pharmacy Store
These titles are also used for Dr.Pills. Random selection of titles from a list is also a method adopted by Canadian Healthcare.
Refer to the captured screen image. In 2011, spammer affiliates who registered with the Mailien spamming program were presented with pharmacy operations to select from. These included
- Canadian Pharmacy
- ED Express
- Pharmacy_Express
Sponsor Organization
Spamit (the underground sponsor affiliate program related to Glavmed) is the sponsor organization behind this type of site. They pay spammers to promote it, and they don't shut down illegal spammers.
Further Reading
- (Russian) News Media conference on Igor Gusev and the RAEC crack-down, Nov 2, 2010
- E-mail spam falls after Russian crack-down - The New York Times, Published: October 26, 2010 - Police officials announced a criminal investigation of a suspected spam kingpin, Igor A. Gusev.
- LegitScript report, May 2010
- Pharma Spammers Use HTML Tricks to Bypass Anti-Spam Filters Softpedia News - Spam Reports October 2010
- Times Online UK
Cyber-criminals cashing in with online pharmacies November 28, 2009 Cyber-criminals from Russia are taking advantage of Canada's reputation for quality health care, bombarding the Internet with unwanted e-mail advertising counterfeit and potentially lethal male-enhancement drugs and painkillers, according to online security experts.
Thanks to great researchers: James McQuaid and Dancho Danchev
They show that other RBN folks:
Alexander Boykov
Andrey Smirnov
Were both directly involved in using their RBN resources in the DDOS against Georgia
RUSSIAN BUSINESS NETWORK
The individual, with direct responsibility for carrying out the cyber "first strike" on Georgia, is a RBN operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrey Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists," as some have maintained of the cyber attacks on Georgia - but senior operatives in positions of responsibility with vast background knowledge.
Intelligence can suggest further information about these individual cyber-terrorists. According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22, clearly showing professional planning and not merely `hacktivism.' Due to the degree of professionalism and the required massive costs to run such operations, a state-sponsor is suspected. Further information gathered also links the RBN to known disruptive websites.
.. The IP addresses of the range, 79.135.160.0/19 are assigned to Sistemnet Telecom to provide services to companies who are classified as engaging in illicit activities such as credit card fraud, malware and so on.
.. 79.135.160.0/19 Sistemnet Telecom and AS9121 TTNet (Turkey) are associated with AbdAllah_Internet which is linked with cybercrime hosting such as thecanadianmeds.com. These are known Russian Business Network routes.
To peek into the world of rogue online pharmacies, our class decided to become a customer. We purchased drugs without a prescription in the hope of uncovering who might be running this transnational trade. Tracing that purchase took us on a far-flung world tour as we followed how the drugs — and our money — crisscrossed the globe.













