Pharmacy Express

From Spamwiki

Revision as of 08:20, 5 December 2011 by MarkGiles


Description

Not to be confused with the legitimate Pharmacy Express (http://pharmacyexpress.com and http://pharmacyexpress.co.nz) based in New Zealand, Pharmacy Express (hereafter referred to in this document as PE) is a very large and sophisticated spamming operation believed to be operated by the Russian criminal spammer Leo Kuvayev and several of his colleagues and affiliates. These sites have been spamvertised relentlessly to several million email addresses since at least 2004, possibly even longer. Mr. Kuvayev is wanted on several international charges which he has never answered, including money laundering, child porn and of course illegal spamming. This spam operation has numerous ties to several large-scale Windows viruses and Trojan infections dating back numerous years. The botnets alleged to be behind this operation handle everything from domain registration to zombie infection to probably website hosting and "order" processing. Nobody has ever claimed to have received any quality-assured medications upon ordering, so this series of websites is actually considered a credit card fraud operation very similar to Alex Polyakov's My Canadian Pharmacy.

As is the case with My Canadian Pharmacy, numerous pharmacy oversight organizations have fielded several thousand complaints per year regarding this illegal operation. Together with numerous law enforcement agencies they continue to investigate as much as possible regarding the spamming, website setup, DNS setup and alleged order processing of this spam gang. This investigation is ongoing.

PE sites stopped being spammed during the middle portion of 2007, but resurfaced with a completely new design in Feb. 2008. In November 2009, a third iteration was introduced, with a new skin. The spam rate increased alarmingly in September 2010.

PE Logo, 2008
PE Logo, 2007

Current Discussion 2011

Since the end of November 2010, there have been millions of spams containing links to the Pharmacy Express fraud pharmacy. The criminal nature of the fraud and proof of its false pretenses are clearly documented here.

This operation uses the "redirector" approach. The spammed link has a long, padded format, with extra words in it. Common words that are always present as a "fingerprint" are pfizer and viagra. For example:

  • http://will.ulyh.pfizer.pillsdrx.ru
  • http://pfizer.viagra.sbynmori.humidiclc.ru

These links in turn redirect to a "target" domain, to avoid the spammed links getting blacklisted as is common today. The spammer strategy is to hide the actual location of the pharmacy fraud web sites.

Since anti-spam operations will also report the hosting IP address on which illegal web sites are running, this operation takes measures to "bullet-proof" the IPs as well. The target web sites run on a "fast-flux" or rapidly changing range of host locations. These are a botnet of machines that have been compromised and are running a "reverse proxy" program. The reverse proxy program is a small front-end program that tunnels all requests for web pages to hidden back-end servers, providing another level of bullet-proofing.

Anti-spam measures can involve

  1. reporting and getting the spammed redirectors suspended (there are over 2500, and they add more daily)
  2. reporting and getting the target site suspended (there are hundreds, and they change daily)
  3. reporting and having the hosting IPs cleaned (botnet counts are in the millions)
  4. locating, arresting and prosecuting the perpetrators of the Pharmacy Express fraud

Looking at that list, the last one is the only effective solution.

Current Discussion 2010

The incidence of this scam increased remarkably in August/September 2010. Domain names followed a recognizable pattern, with domains registered in Russia, and widely spammed. The domains, however, redirected to target sites in order to avoid being detected and blacklisted in spam traps.

Example - almedicshop.ru would redirect to fildrugs.com/medic/index.php

Typical names for redirectors registered at REGRU-REG-RIPN are

  • almedicshop.ru
  • apmedicshop.ru
  • armedicshop.ru
  • aumedicshop.ru
  • bimedicshop.ru
  • ecmedicshop.ru
  • flmedicshop.ru
  • himedicshop.ru
  • hymedicshop.ru
  • medicshopai.ru
  • medicshopam.ru
  • medicshopan.ru
  • medicshopas.ru
  • medicshopce.ru
  • medicshopct.ru
  • medicshopgr.ru

The target site is Domain Name: FILDRUGS.COM, Registrar: POWER BRAND SOLUTIONS LLC

The November 2009 version sparked a new wave of spamming on Chinese .cn registered domains, embedding an iframe for the site justpfizershop.com. Sample redirection sites are jppyanpx.cn jwmubjve.cn xkftadba.cn cndrfvxq.cn svtjyblz.cn itvotozy.cn owjlarwg.cn nfetwode.cn slutluvf.cn

The 2008/2009 version of PE sites started to be spammed in late-February of 2008 and as mentioned above they feature a totally different design.

2008 spam runs relied on Yahoo search redirections to penetrate spam whitelists and avoid blacklists.

Spamming in 2007 for domains like lodrx.com, tedrx.com and similar, targeted Google's Gmail customers. Most were trapped by Gmail's spam detection and diverted to the spam folder.

You may follow a discussion on PE at the Fight Back forum.

Basic Summary

PE is yet another illegal pharmacy website operation which claims to offer discounted pharmaceuticals to unsuspecting consumers. As with numerous other pharmacy spam operations, nearly every single claim on their website is 100% false. Their sites are not secure, you are not sent anything after ordering on these sites, and among other things your credit card and possibly your identity may be stolen by this website.

Sample of a PE Spam e-mail

Subject: Re: PHxyjARMA

Body:

Hi, 


Vniagra 3, 35 
Vnalium 1, 25 
Cnialis 3, 75 
Anmbien 2, 90 


http://agnosti.22rx,com 


Important: Replace "," with "." in the above link 


-- 


Cedric stared at him. Harry saw some of the panic hed been feeling 
since Saturday night flickering in Cedrics gray eyes. 
Are you sure?  Cedric said in a hushed voice.

Another sample

Hi,
 
Economize 50% on

Vaiagra
Vaulium
Ciualis

http://www.tetrx-com

Replace "-" with "." in the above link.



Thats not the point!  raged Mr. Weasley. You wait until I tell your
mother
Tell me what?  said a voice behind them.  


Note: The trivial obfuscation of the URL by inserting a comma, hyphen or asterisk is designed to defeat SpamCop's parsing.
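A filter can undo this trick by reading the same instruction the human recipient is given. The following is an added example, not code from SpamCop or from this wiki; the function name is hypothetical, the first two sample bodies are abridged from the e-mails above, and the third (asterisk) body is constructed.

```python
import re

# The instruction the spammer appends, e.g.:  Replace "," with "." in the above link
INSTRUCTION = re.compile(r'replace\s+"([^"\w\s])"\s+with\s+"\."', re.IGNORECASE)
LINK = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)
HOSTNAME = re.compile(r'^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$')

SAMPLE_COMMA = '''Hi,
Vniagra 3, 35
http://agnosti.22rx,com
Important: Replace "," with "." in the above link'''

SAMPLE_HYPHEN = '''Economize 50% on
Vaiagra
http://www.tetrx-com
Replace "-" with "." in the above link.'''

# Constructed sample: asterisk variant with a path and query string.
SAMPLE_ASTERISK = '''http://shop*example*invalid/x?y=1
Replace "*" with "." in the above link'''


def recover_links(body):
    """Return the URLs a reader ends up with after following each
    'Replace "X" with "."' instruction found in a message body."""
    recovered = []
    for instruction in INSTRUCTION.finditer(body):
        stand_in = instruction.group(1)
        # "the above link" = the last link that appears before the instruction
        links = LINK.findall(body, 0, instruction.start())
        if not links:
            continue
        scheme, _, rest = links[-1].partition("://")
        # Only the host is rewritten; path and query are left untouched.
        cut = re.search(r'[/?#]', rest)
        host, tail = (rest[:cut.start()], rest[cut.start():]) if cut else (rest, "")
        # Caveat: when the stand-in is "-", a host that really contains
        # hyphens is over-split; the validity check below is the only guard.
        host = host.replace(stand_in, ".").strip(".").lower()
        if HOSTNAME.match(host):
            recovered.append(f"{scheme.lower()}://{host}{tail}")
    return recovered


if __name__ == "__main__":
    for sample in (SAMPLE_COMMA, SAMPLE_HYPHEN, SAMPLE_ASTERISK):
        print(recover_links(sample))
```

The recovered host can then be checked against a blocklist exactly as an unobfuscated link would be.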

Description of Operations

PE homepage, 2010/2011
PE, November 2009
PE, October 2009
PE, Feb. 2008
PE, March, 2007

The PE website is a typical pharmaceutical e-commerce site. They claim to offer generic versions of several prescription drugs including Viagra and Cialis. (As stated elsewhere, neither of those drugs has a generic version since as of this writing they are still protected by international patents.)

In many ways this site is similar to the My Canadian Pharmacy family of sites in terms of products offered and pricing, so the reader is directed to that entry for further details regarding the pharmaceuticals, ordering process, and claims. Most are either completely identical or very slightly different.

As with My Canadian Pharmacy and numerous other illegal / fake pharmacy operations, nearly every single claim on the site is completely false. Their "How To Order" page outlines this series of steps and makes the same claim as MCP sites that "All orders are received via a secure server, to ensure that your sensitive information is kept private and to guarantee you peace of mind."

As we will discover below: this is 100% false.

Operator Identification

It has been alleged for many years that the operator of PE is one Leo Kuvayev, head of a spamming organization known as BadCow and the pharma affiliate program Mailien.

At this writing, Leo Kuvayev was the #2 spammer in the world according to the Spamhaus Rokso listing, second only to Alex Polyakov, who is linked to numerous articles in this wiki.

Leo Kuvayev's ROKSO Listing

In 2009 it was reported that Kuvayev was in prison awaiting trial on a charge of child molestation - http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK9179

PE has long been linked to the renowned criminal spamming gang known as Yambo Financials, which has ties to several criminal activities including child pornography and credit card fraud. Kuvayev also has ties to a group known as the "Pavka / Artofit" spam gang (Spamhaus ROKSO Link) who have further ties to all manner of illegal activity involving spam, viruses, Trojans, botnets, the creation and distribution of child and bestiality pornography, and of course money laundering and numerous other types of financial fraud.

In August 2010, an anonymous blogger at lj.rossia.org/users/clonopay/ alleged that this Leo Kuvayev is the same Leonid Aleksandorovich Kuvayev (Леонида Александровича Куваева) jailed in Moscow on 50 counts of raping children from an orphanage. Independent reporter Brian Krebs, formerly a technology columnist for the Washington Post, confirmed numerous details. See also 2011 updates - the Sophos report and an article in the Moscow News, where Kuvayev has partly admitted to the charges of molesting orphan children.

Website Claims

The claims made on the PE sites are virtually identical to those made on most MCP websites, so it is recommended that the reader visit that entry for further details. It lists the same "supporters" (including the appearance of the ubiquitous Better Business Bureau icon) and makes the same claims of security. All patently false.

False pretenses

The web site claims to have a pharmacy license issued by the non-existent "New Zealand Board of Pharmacy". The fake pharmacy license quotes an address at

3 Akoranga Drive, Northcote.
Auckland, New Zealand.

This address does exist, and it is an outlet for a legitimate New Zealand online pharmacy, but it is not PE. The actual New Zealand Pharmacy Direct shop at Akoranga Drive is shown in the picture. It is safe to conclude that PE has decided to use a real address, where a real pharmacy is located, to try to pass themselves off as legitimate.

New Zealand Pharmacy Direct shop
The license that can be viewed from the false PE site has obvious errors.
  1. It is issued by a New Zealand Board of Pharmacy - whereas no such Board exists (New Zealand has a "Pharmacy Council of New Zealand")
  2. It is supposedly issued to PE, but at an address which does not belong to them.
  3. It uses US English spelling for the word "license". No New Zealand certificate would use US spelling - it would be spelled "licence", because New Zealand uses UK English for official documents.
  4. No certification authority would allow grammatical errors in a document, such as "The license is required by law to immediately notify the New Zealand Board of Pharmacy ..."
  5. The forged certificate infringes the copyright of the legitimate owner, New Zealand's Pharmacy Express

The fake license is shown in the picture.

Fake pharmacy license

Website Structure And Domain Names

The PE site structure is slightly different from that of MCP sites, but in terms of user flow and captured data it is virtually identical. In the time period between November 2006 and January 2007 these sites underwent a structural and functional overhaul from the .NET infrastructure to a PHP / MySQL implementation.

They similarly use public Unix servers to host their websites and images, as well as their DNS servers.

One additional item that greatly separates this spam operation is its sophisticated use of extremely large botnets.

In November, 2006, the security company "F-Secure" posted in their security blog about a recent discovery made while investigating the recent bout of "Warezov" botnet infections. (F-Secure Blog Entry) They noted that the infection Trojan for the Warezov virus was attempting to connect to a specific unpronounceable domain name:

Once the downloader is executed on a computer, it connects to a download URL.
A typical URL would be, for example:

  www6.vedasetionkderun.com/819/nt.exe

or

  yuhadefunjinsa.com/chr/grw/lt.exe

They made a direct connection between the virus distribution URL, the spamvertised URLs, and the website URLs for several PE websites.

This is significant because literally every single PE domain at the time looked like that style of URL:

http://www.waseruijingunhdefunkas.com/
http://www.keruijingendasunjasn.com/
http://www.qeuitiondekinjastunde.com/
http://www.wadefuntionkdeunhasbeitun.com/
etc...

This had been the case with their domain names for close to three years, indicating a well-entrenched pattern of Windows virus infections, tied to automated domain registrations for PE specifically. Clearly their domain names are generated by an automated algorithm that strings word syllables together in random sequence. On any given day, up to 100 such domains were being registered with multiple domain registrars via automated means. They all followed that structure.
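The syllable reuse can be measured rather than eyeballed. The following is an added example, not F-Secure's method or code from this wiki: it counts how many known PE labels contain each 4-letter chunk, then scores a new label by how much of it is built from chunks seen in at least three known labels. The reference set is the PE web-site names above plus the name-server names listed later on this page; the chunk length, support threshold and 0.3 cut-off are assumptions chosen for this illustration.

```python
from collections import Counter

# PE web-site and name-server labels quoted on this page (reference set).
REFERENCE = """
waseruijingunhdefunkas keruijingendasunjasn qeuitiondekinjastunde
wadefuntionkdeunhasbeitun kerunhandgunfandesikuntun adesuikintandefunhandesun
terinyungandefunhanse gandesuitungenfunhandesun waseruntionkinyungands
daseruikiontungandesun frankintionhandefunpionkin daserunhgenfunyanderunjans
caseruikiontungandesun daseruiyionkdefunhan pasdrtionkintungandesunjin
deryandsuikiontunhandes
""".split()

CHUNK = 4          # assumed chunk length
MIN_SUPPORT = 3    # assumed: chunk must occur in at least this many labels


def chunk_support(labels, n=CHUNK):
    """For each n-letter chunk, count how many labels contain it at least once."""
    support = Counter()
    for label in labels:
        support.update({label[i:i + n] for i in range(len(label) - n + 1)})
    return support


def reuse_score(label, support, n=CHUNK, min_support=MIN_SUPPORT):
    """Fraction of the label's letters covered by well-supported chunks."""
    covered = [False] * len(label)
    for i in range(len(label) - n + 1):
        if support[label[i:i + n]] >= min_support:
            covered[i:i + n] = [True] * n
    return sum(covered) / len(label) if label else 0.0


def looks_related(label, threshold=0.3):
    """True when enough of the label is assembled from the reference chunks."""
    return reuse_score(label, chunk_support(REFERENCE)) >= threshold


if __name__ == "__main__":
    support = chunk_support(REFERENCE)
    # The two Warezov download hosts quoted from F-Secure, then two controls.
    for label in ("vedasetionkderun", "yuhadefunjinsa",
                  "pharmacyexpress", "internationalnews"):
        print(f"{label:22s} {reuse_score(label, support):.2f} {looks_related(label)}")
```

Both Warezov download hosts score above the cut-off against the PE reference set, while the two ordinary names do not, which is the same linkage F-Secure drew by inspection.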

Recent Domains and sponsoring registrars

December 2011

Registrar = Name.com

pillsfeg.com medicngez.com medicopaz.com pillsthu.com pillsdory.com

August 2011

Registrar is the NIC in the Ukraine

pillab.com.ua pillsb.com.ua pillsc.com.ua pillsv.com.ua pillsc.com.ua pillsx.com.ua pillsz.com.ua

Registrar = Name.com

pillsceny.com

Registrar = eNom Inc, Registration Service Provided By: Namecheap.com

pillsrork.com pillsuses.com pillszgos.com (suspended)

Registrar = NETLYNX

pharmacyem1.com to pharmacyem30.com
pharmacyio1.com to pharmacyio15.com
pharmacypl6.com to pharmacypl5.com
medicrxff1.com to medicrxff23.com

Registrar = CV. JOGJACAMP

pharmacyem31.com to pharmacyem34.com

Registrar = GODADDY.COM, INC.

pharmacyem36.com to pharmacyem39.com

Registrar = REALTIME REGISTER BV

pharmacypl1.com to pharmacypl5.com


February 2011

Registrar = eNom Inc, Registration Service Provided By: Namecheap.com

Note: Some of these have been suspended - placed on status Client Hold, or have had the name servers changed (blockedduetospam.pleasecontactsupport.com & dummysecondary.pleasecontactsupport.com). Others were still live in March 2011.



December 2010

Registrar = eNom Inc


September 2010

Registrar = eNom Inc


May, 2010

Fake pharmacy domain and crime sponsoring registrar

  • ebestfree.com (Registrar: REALTIME REGISTER BV) - removed 05/31
  • allnewmall.com (Registrar: REALTIME REGISTER BV) - removed 05/31
  • drhomecalls.com (Registrar: WEB WERKS INDIA PVT. LTD)
  • webmedicineman.net (Registrar: DISTRIBUTE IT PTY LTD)
  • chempharma1.com (Registrar: GAL COMMUNICATION (COMMUNIGAL) LTD) - removed 05/31
  • yourpharmarc.com (Registrar: GAL COMMUNICATION (COMMUNIGAL) LTD) - removed 05/31
  • farmapharm.com (Registrar: GAL COMMUNICATION (COMMUNIGAL) LTD) - removed 05/31
  • biodipharm.com (Registrar: GAL COMMUNICATION (COMMUNIGAL) LTD) - removed 05/31
  • sodipharm.com (Registrar: GAL COMMUNICATION (COMMUNIGAL) LTD) - removed 05/31
  • acopharm.com (Registrar: GAL COMMUNICATION (COMMUNIGAL) LTD) - removed 05/31
  • medpharmsite.com (Registrar: GAL COMMUNICATION (COMMUNIGAL) LTD) - removed 05/31
  • icapharm.com (Registrar: GAL COMMUNICATION (COMMUNIGAL) LTD) - removed 05/31
  • ergapharm.com (Registrar: GAL COMMUNICATION (COMMUNIGAL) LTD) - removed 05/31
  • solapharm.com (Registrar: UK2 GROUP LTD)
  • somapharm.com (Registrar: UK2 GROUP LTD)
  • impopharm.com (Registrar: UK2 GROUP LTD)
  • thepharmact.com (Registrar: UK2 GROUP LTD)
  • greatdrugmart.com (Registrar: UK2 GROUP LTD)
  • pharmacoge.com (Registrar: UK2 GROUP LTD)
  • dietdrugcash.com (Registrar: UK2 GROUP LTD)


Feb. 2008

Spammed url:

http://search.yahoo.com/search?y=Search&p=ascorbic.autoallyear%2ecom&fr=sfp&ei=UTF-8

Redirects to:

http://ascorbic.autoallyear.com

Which loads a frameset featuring:

http://ascorbic.autoallyear.com/www/filiz/?cmpid=678&affid=5563

Site loads all images from oleroneg.info:

http://www.oleroneg.info/ohpaN4ei/70/imgs/pr2_1.jpg

http://www.oleroneg.info/ohpaN4ei/70/imgs/pr2_4.jpg

http://www.oleroneg.info/ohpaN4ei/70/imgs/pr2_3.jpg
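Because the spammed URL points at search.yahoo.com, a filter that only checks the link's own host sees a whitelisted domain; the advertised host sits percent-encoded in the `p` parameter. The following added example (not code from this wiki or any named filter) unwraps that parameter and also applies the padded-host "fingerprint" from the 2011 discussion above. The function names, verdict strings and blocklist content are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

BRAND_LABELS = {"pfizer", "viagra"}          # fingerprint words named in the text
SEARCH_PARAMS = {"search.yahoo.com": "p"}    # search host -> parameter holding the query
HOSTNAME = re.compile(r'^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$')


def registered_domain(host):
    # Assumption: the last two labels. True for the .com/.ru samples on this
    # page; production code should consult the Public Suffix List instead.
    return ".".join(host.split(".")[-2:])


def embedded_host(url):
    """Return the hostname hidden in a search link's query, or None."""
    parts = urlsplit(url)
    param = SEARCH_PARAMS.get((parts.hostname or "").lower())
    if param is None:
        return None
    # parse_qs percent-decodes, so "%2e" becomes "." here.
    for term in parse_qs(parts.query).get(param, []):
        term = term.strip().lower()
        if HOSTNAME.match(term):
            return term
    return None


def is_padded_redirector(host):
    """Brand word among two or more padding labels (assumed minimum)."""
    padding = host.lower().split(".")[:-2]
    return len(padding) >= 2 and any(label in BRAND_LABELS for label in padding)


def triage(url, blocklist):
    """Return (verdict, host_that_should_be_checked)."""
    host = (urlsplit(url).hostname or "").lower()
    hidden = embedded_host(url)
    if hidden:
        listed = registered_domain(hidden) in blocklist
        return ("wrapped-listed" if listed else "wrapped"), hidden
    if is_padded_redirector(host):
        return "padded-redirector", host
    if registered_domain(host) in blocklist:
        return "listed", host
    return "unlisted", host


if __name__ == "__main__":
    blocklist = {"autoallyear.com"}   # constructed blocklist entry
    for u in ("http://search.yahoo.com/search?y=Search&p=ascorbic.autoallyear%2ecom&fr=sfp&ei=UTF-8",
              "http://will.ulyh.pfizer.pillsdrx.ru",
              "http://search.yahoo.com/search?p=cheap+flights"):
        print(triage(u, blocklist))
```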

As of Feb 2007 they had switched to shorter domain names. The reasoning for this is unknown. It's possible they might have exhausted all the "syllable" domain names. Starting in December of 2006 the PE domain names began taking on a shorter, more sequential naming convention:


Recent PE sites
22rx.com * 33rx.com * 44rx.com *
lodrx.com * zodrx.com ledrx.com
vedrx.com * tetrx.com kedrx.com *
tedrx.com zonrx.com rx555.com *
hodrx.com

Note: * Removed March 14, 2007

However, notably, their DNS servers still maintain the longer, randomized syllable naming convention. As at Feb 2007, the DNS servers for 22rx, tedrx, lodrx etc were:

ns0.kerunhandgunfandesikuntun.com
ns0.adesuikintandefunhandesun.com

The sponsor for the access to these illegal websites is the ICANN accredited PRC Registrar, Beijing Innovative Linkage Technology.

As at March 10, 2007 these name servers no longer worked. New name servers registered again with Beijing Innovative were

ns0.terinyungandefunhanse.com [216.195.34.107]
ns0.gandesuitungenfunhandesun.com [216.195.34.107] 

In April, more new name servers registered were

ns.waseruntionkinyungands.com
ns.daseruikiontungandesun.com

ns0.frankintionhandefunpionkin.com
ns0.daserunhgenfunyanderunjans.com

ns0.caseruikiontungandesun.com
ns0.daseruiyionkdefunhan.com

ns0.pasdrtionkintungandesunjin.com
ns0.deryandsuikiontunhandes.com

Chinaemail is aware of the problem, and has even listed 22rx.com in its spam tracking (Jan 2007).

Given that several virus types also use this type of domain name for their command and control, and for installation instructions, it is safe to say that no human being was creating those unique domain names.

Redirections

Hijacked web sites

These samples were spammed in mid October

  • http://commerch.com.br/refueling.html
  • http://comptech.dualtechhosting.com/hinged.html
  • http://death.s86.ru/materials.html
  • http://mmtlgua.eu.pn/screeches.html
  • http://silkscalp.perso.sfr.fr/pacified.html
  • http://www.pcc.com.ar/forefinger.html
  • http://www.welmas.ae/coexists.html
  • http://domen.lviv.name/forward.html
  • http://jvlv.demvar.lv/cursor.html
  • http://laspraderas.com.pe/professionals.html
  • http://oyun.gebze.org/specifications.html

Each of these represents a legitimate web site which has been hijacked. An additional HTML file has been inserted in the server root directory, containing code that links to the PE site medicvisd.ru, which in turn redirects to medicksma.com, like this:

<html><head><title>Buy Viagra Online - #1 Online Pharmacy - www.medicvisd.ru</title>
<style type="text/css"> a { font-size: 24pt; } </style>
<script type="text/javascript">var a = "http://medicvisd.ru";window.location = a;</script></head>
<body><center><h1>#1 Online Pharmacy</h1><br>Online DrugStore<br>
<a href="http://medicvisd.ru">Buy Viagra Online</a></center></body></html>

That results in a web page looking like this

image:Pharmacy_Express_BVO.jpg
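A site owner can look for this kind of planted file by scanning the web root for HTML that automatically sends the visitor to another host. The following is an added example, not a tool from this wiki: it flags script-driven `location` assignments (including the one-variable indirection used in the file above) and meta-refresh tags that leave the site's own domain. The function names are hypothetical and the regexes cover only these simple forms.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

STRING_VAR = re.compile(r'\bvar\s+(\w+)\s*=\s*(["\'])(.*?)\2')
LOCATION_SET = re.compile(r'\blocation(?:\.href)?\s*=\s*(?:(["\'])(.*?)\1|(\w+))')
META_URL = re.compile(r'url\s*=\s*[\'"]?([^\'";\s]+)', re.IGNORECASE)

# The injected file quoted above.
INJECTED_PAGE = '''<html><head><title>Buy Viagra Online - #1 Online Pharmacy - www.medicvisd.ru</title>
<style type="text/css"> a { font-size: 24pt; } </style>
<script type="text/javascript">var a = "http://medicvisd.ru";window.location = a;</script></head>
<body><center><h1>#1 Online Pharmacy</h1><br>Online DrugStore<br>
<a href="http://medicvisd.ru">Buy Viagra Online</a></center></body></html>'''


class _Collector(HTMLParser):
    """Collects inline script text and meta-refresh targets."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self.meta_targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.in_script = True
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            match = META_URL.search(attrs.get("content") or "")
            if match:
                self.meta_targets.append(match.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)


def external_redirects(html, own_host):
    """Return hosts other than own_host that the page redirects to automatically."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    targets = list(collector.meta_targets)
    for script in collector.scripts:
        # Resolve  var a = "..."; window.location = a;  as well as direct literals.
        variables = {name: value for name, _, value in STRING_VAR.findall(script)}
        for _, literal, ident in LOCATION_SET.findall(script):
            target = literal or variables.get(ident)
            if target:
                targets.append(target)
    own = own_host.lower()
    hosts = []
    for target in targets:
        host = (urlsplit(target).hostname or "").lower()
        if host and host != own and not host.endswith("." + own) and host not in hosts:
            hosts.append(host)
    return hosts


def scan_tree(webroot, own_host):
    """Map each .htm/.html file under webroot to the external hosts it redirects to."""
    findings = {}
    for path in sorted(Path(webroot).rglob("*.htm*")):
        hosts = external_redirects(path.read_text(errors="replace"), own_host)
        if hosts:
            findings[str(path.relative_to(webroot))] = hosts
    return findings


if __name__ == "__main__":
    print(external_redirects(INJECTED_PAGE, "commerch.com.br"))
```

Any file this reports that the site owner did not create is worth comparing against backups and the server's upload logs.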

Microsoft spaces.live.com

Each spaces.live.com URL spammed provided a web page on Microsoft's abused service that redirected to one of a range of spam brands. Each brand represented an illegal web site that indulged in fraud and misrepresentation. It is strongly recommended that visitors do not provide their identity and credit card details on any of these sites. They are run by criminals who use credit cards to order domain names for spamming, or to sell stolen identities within their own "carding" community. PE is one of several brands targeted.

Storm Trojan

As at March 21, 2008, Storm Trojan infected machines were found to be redirecting to four different fake pharmacy sites using the format http://xxx.xxx.xxx.xxx/anything/

For PE, the redirection sites detected were daysidehomes.com flipsidesite.com thestarside.com sideeventsonline.com

How to report this spam

The Complainterator is configured to request removal of these fraudulent sites. Add a link to this page as evidence.

Unrelated sites

The legitimate Pharmacy Express

Pharmacy Express, headquartered in New Zealand, which is a division of Pharmacy Direct (http://pharmacydirect.co.nz) is a legitimate pharmacy. PE, the subject of this evidence, is trying to pose as part of the New Zealand Pharmacy Express.

The New Zealand Pharmacy Express web sites are at http://pharmacyexpress.com and at http://pharmacyexpress.co.nz, and the genuine web site is shown in the images.

The trademark notice shown on the right establishes that the name "Pharmacy Express" is a registered trademark. It is safe to conclude that the illegitimate PE is infringing on this registered trademark.

Legitimate owner's comments

When contacted for his views of the fake PE operation, the legal owner of the Pharmacy Express trademark in New Zealand stated:

I am the sole director of PHEX LTD which is owned by my family interests including my parents. Phex Ltd trades as Pharmacy Express and Top Brands for Less (both .com and .co.nz)

“Pharmacy Express” and “Top Brands for Less” is a legitimate pharmacy operating as a trading division of Pharmacy Direct North Shore Limited and compliant with NZ law for the operation of a pharmacy.

PHEX LIMITED is the owner of the registered trademarks for Pharmacy Express 314935 and 314936 in classes 4 / 5 and 4 / 35.

The actions of Leo Kuvayev have had a tremendously negative impact on the real and legitimate Pharmacy Express and destroyed our brand value.

The reality is, Pharmacy Express has been operating online since 1997 when it was one of the first pharmacies to go online in NZ (indeed one of the earliest e-commerce sites) and in the last 13 years has served hundreds of thousands of satisfied customers.

We are deeply troubled by the apparently scant regard for our business shown by this individual and completely disillusioned by the lack of teeth from the authorities to deal with this type of fraud and criminal activity.

Mark

Director

Pharmacy Express & Top Brands for Less

Shop 36, Fox outlet centre, 3 Akoranga Drive, Northcote, Auckland

www.pharmacyexpress.co.nz | www.pharmacyexpress.com | www.topbrandsforless.co.nz | www.topbrandsforless.com


The New Zealand real Pharmacy Express
Trademark notice

Related sites

Refer to the captured screen image. In 2011, spammer affiliates who registered with the Mailien spamming program were presented with pharmacy operations to select from. These included

---

Your Online Pharmacy

In 2007: The same name servers were used to resolve both PE and Your Online Pharmacy sites. For example

  • ns0.pasdrtionkintungandesunjin.com
  • ns0.deryandsuikiontunhandes.com

These are used to resolve access to

  • PE
    • xrzu.com
    • mudrx.com
    • pudrx.com

Sharing the same IP Address

See: Category:Kuvayev family
