Canadian RX Drugs

From Spamwiki

(Redirected from Canadian Online Meds)
Jump to: navigation, search

Contents

[edit] Description

This is one of several new fake pharmacy sites first observed in July 2007 and which are part of the Rx-Promotions affiliate program. This program was described in detail together with screen shots of the different themes by Nart Villeneuve
  • Any RX Tabs
  • Always Great - http://always-great.com/
  • Canadian Online Meds - http://canadianonlinemedicine.com/
  • Canadian Online Pharmacy
  • Cheap Meds List - http://cheap-meds-list.com/
  • Drugs For Us - http://drugsforus.com/
  • Golden StethoScope - http://golden-stethoscope.com/
  • Great RX Pharmacy - http://great-rx-pharmacy.com/
  • Health-Refill - http://healthreorder.com/
  • Health Online Leader - http://health-online-leader.com/
  • HealthRefill
  • Internet Drugs Pedia - http://i-drugspedia.com/
  • MedrugsPlus - http://med-drugs-plus.com/
  • Meds For Us - http://meds-for-us.com/
  • Meds Leader - Top Online Pharmacy Supplier - http://medicleader.com/
  • Men Drugs Shop - http://drugsshopformen.com/
  • Number One Clinic - http://numberoneclinic.com/
  • Pure RX Shop
  • RX Pharmacy Center - http://rxpharmacy-center.com/
  • RXED On Green - http://rxed-on-green.com/
  • StallionsRX - http://stallionsrx.com/
  • Star Of Health - http://star-of-health.com/
  • The Canadian Rx Drugs - http://canadianrx-drugs.com/ and http://herbiedrugs.com/
  • The US Drugs - http://the-us-drugs.com/ (different from the Bulker.biz brand US Drugs)
  • Trusted Meds Online - http://trusted-drugs-online.com/
  • World Of Drugs - http://world-of-drugs.com/

Visitors to these sites are cautioned against placing an order for any of the products advertised. With so much obvious fraud in the set up of the web sites, any reasonable person would be justified in having doubts about passing identity and credit card details to such blatant fraudsters.

The contact page has a form for inquiries as well as a phone number (currently 1-800-998-7978) and the mailto link support@rx-drugs-support.com. The website rx-drugs-support.com also displays this phone number for customer support, giving the appearance of legitimacy. Read on to see how legitimate the sites are.

Canadian RX Drugs, July, 2007
Canadian RX Drugs, July, 2007
Fake cerificates, Canadian RX Drugs, July, 2007
Fake cerificates, Canadian RX Drugs, July, 2007
Canadian Rx 2010
Canadian Rx 2010
Canadian Rx Drugs April 2010
Canadian Rx Drugs April 2010
Canadian Online Pharmacy June 2010
Canadian Online Pharmacy June 2010
web site Oct 2011
web site Oct 2011
web site Feb 2011
web site Feb 2011
web site Jan 2011
web site Jan 2011
web site Sept 2011
web site Sept 2011
web site Oct 2011
web site Oct 2011

[edit] False Pretenses

[edit] False: Secure link claim

The site claims to take your credit card over a secure connection, and indeed, the checkout page was using

https://secure.payment-rx.com/checkout_gw4.pl?xml=1&site_id=51

Where was this secure payment system registered? 2007 info showed

Domain Name: PAYMENT-RX.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS3.CNMSN.COM
Name Server: NS4.CNMSN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 28-nov-2006
Creation Date: 28-nov-2006
Expiration Date: 28-nov-2007

It was registered with a Chinese registrar, frequently abused by spammers and criminal fraudsters.

Who was the registrant?

Registrant Contact:
  galen Inc
  kevin fairlie donavon@payment-rx.com
  1000707733 fax: 1000285717
  Suite 522
  Manama Manama 6372
  GB

Manama is the capital city in Bahrain and has phone prefix +973 and 8-digit local phone numbers. Manama is certainly not in GB (Great Britain).

It is currently registered with Privacy Protection, another bad sign. A real pharmacy has to have a real location. If it's a real pharmacy and they aren't hiding from law enforcement, why can't they register the domain at that location?

This secure page currently the following statement:

For your convenience in case of any questions or concerns feel free to contact our Customer 
Service at support@rx-drugs-support.com. Also you're able to check your Order Status using our 
Support Center at http://www.rx-drugs-support.com or contact us by phone +1 (800) 998-7978

rx-drugs-support.com is also registered with privacy protection.

In 2007, when first observed, the support domain was pharmacycs.com.

Who was the registrar for pharmacycs.com?

Domain Name: PHARMACYCS.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS3.CNMSN.COM
Name Server: NS4.CNMSN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 28-nov-2006
Creation Date: 28-nov-2006
Expiration Date: 28-nov-2007

Who was the registrant?

Registrant Contact:
  gabe Inc
  noland rudie felix@pharmacycs.com
  1000080971 fax: 1000441258
  Suite 430
  Athens Athens 1290
  GB

Note the similarity in fake company names (galen and gabe), fake phone numbers, and now we have Athens geographically misplaced in Great Britain.

In January 2010, BIZCN's withdrew the secure server:
Domain Name: PAYMENT-RX.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.PENDING-RENEWAL-DOMAIN.COM
Name Server: NS2.PENDING-RENEWAL-DOMAIN.COM
Status: redemptionPeriod
Updated Date: 08-jan-2010

The criminals continued to claim the connection was secure, with pictures of secure connections, but the actual connection was not secure. image:Canadian_Rx_Drugs_SSL2.jpg Note the faked padlock with "Secure order form" and the subtitle "Secure card transaction" - which it was not. Note the "Positive SSL" logo, where the site was not using SSL. Note the depiction of an address bar with "https://" - which would normally indicate a secure connection. But note that in actual fact the page was using "http://" not "https://". They were tryig to defraud you.

|


The site is now using the slightly different domain paymentrx.com, registered with eNom, and with SSL -- for as long as that lasts. But they have tipped their hand that they are willing to use deception to be able to take money while transmitting your medical information and credit card number in plain view.

September 2011

At the bottom of the page is the "Support" link http://www.rx-order-support.com/ ut when you try to go there:

   Server not found
   Firefox can't find the server at http://www.rx-order-support.com.

Looking up the domain name for the support for RX Promotions -

Domain Name: RX-ORDER-SUPPORT.COM
Registrar: INTERNET.BS CORP.
Name Server: NS-CANADA.TOPDNS.COM
Name Server: NS-UK.TOPDNS.COM
Name Server: NS-USA.TOPDNS.COM
Status: clientTransferProhibited
Updated Date: 09-aug-2011
Creation Date: 09-aug-2011

Those name servers do not contain any information about the support site, which leads to the conclusion that it has been withdrawn

ns-usa.topdns.com [216.67.232.70] [Says that there is no a record for rx-order-support.com]  
ns-canada.topdns.com [67.212.92.253] [Says that there is no a record for rx-order-support.com]  
ns-uk.topdns.com [83.170.72.109] [Says that there is no a record for rx-order-support.com]  

April 2010

The "secure payments" system was observed to have become non-secure, still with the usual fake images. The web site handling the non-secure credit card transaction was observed as http://www.finleymed.ru/ registered in Russia and hosted in Viet Nam.
domain:     FINLEYMED.RU
nserver:    ns1.prnservme.ru.
nserver:    ns2.prnservme.ru.
nserver:    ns3.prnservme.ru.
nserver:    ns4.prnservme.ru.
state:      REGISTERED, DELEGATED, VERIFIED
person:     Private Person
phone:      +7 926 8787645
e-mail:     malogrig@list.ru
registrar:  NAUNET-REG-RIPN
created:    2010.04.21
paid-till:  2011.04.21

Oct 2010

Secure processing was provided by rxfastpay.com - a doain registered with eNom via their reseller Namecheap.com
 Domain Name: RXFASTPAY.COM
 Registrar: ENOM, INC.
 Whois Server: whois.enom.com
 Referral URL: http://www.enom.com
 Name Server: DNS1.REGISTRAR-SERVERS.COM
 Name Server: DNS2.REGISTRAR-SERVERS.COM
 Name Server: DNS3.REGISTRAR-SERVERS.COM
 Name Server: DNS4.REGISTRAR-SERVERS.COM
 Status: clientTransferProhibited
 Updated Date: 26-oct-2010
 Creation Date: 26-oct-2010
 Expiration Date: 26-oct-2011

The domain used for the support lime is drugssupport24.com registered in India at the end of 2010

Domain Name: DRUGSSUPPORT24.COM
Registrar: SUN MOUNTAIN LLC
Whois Server: whois.sunmounta.in
Referral URL: http://www.sunmounta.in
Name Server: NS1.BODIS.COM
Name Server: NS2.BODIS.COM
Status: clientTransferProhibited
Updated Date: 28-dec-2010
Creation Date: 27-dec-2010

[edit] False: Claims to have "Pharma Checker" approval

The fraud continues. Sites pretend to be authenticated by Pharmacy Checker - which they are not. So they set up a link to a fake Pharma Checker instead of the genuine Pharmacy Checker. Notice the fake logo on the left, compared with the genuine one on the right.

image:Pharma_Checker.jpg image:Pharmacy_Checker.jpg
The fake seal - Pharma Checker The genuine seal - Pharmacy Checker


Pharmacy Checker response


We do not endorse this company and they are not affiliated with PharmacyChecker.com 
in any manner. The PharmacyChecker.com seal that they publish (“Pharma Checker”) is 
an unauthorized and adulterated copy.

Donna Miller, Customer Services

[edit] False: Claim of "CIMA Rx" approval

The link to the Canadian International Medical Association is a very interesting innovation. No such association actually exists. The criminal who designed the site hoped nobody would notice the subtle name change from the real Canadian International Pharmacy Association.

If you click the image, you see that it is not even a link.

image:CanadianRXDrugs_trailer.jpg image:CIPA_seal.gif
The fake seal - Canadian International Medical Association The genuine seal- Canadian International Pharmacy Association

[edit] False: Claim to be Canadian

  1. Registrant addresses, when they are provided any at all, are never verifiable Canadian or even US addresses.
  2. Name servers have IP addresses that show they are located in the Czech Republic or the Ukraine.
  3. Web sites have been located at IP address 210.211.98.50 which is located in Viet Nam
inetnum:      210.211.96.0 - 210.211.127.255
netname:      VTDC-VNNIC-VN
descr:        Viettel-CHT Company Ltd
descr:        Hoa Lac Hitech Park, Km29, Lang Hoa Lac Road
descr:        Thach That, Ha Noi
country:      VN

[edit] Lack of Pharmacist Oversight

Numerous affiliate programs' pharma sites have begun competing for customers by putting "free Viagra" in the electronic shopping cart with every item ordered. (It's actually not real Viagra; whether it is even generic sildenafil is questionable.) Like the others, the Rx-promotions sites betray their complete lack of involvement of anyone with even the most minimal pharmacy training by including the "Viagra" when someone orders nitrate drugs -- a potentially lethal interaction. There is more detail in the wiki article for Canadian Pharmacy and there is a photo documenting this practice here.

[edit] Invalid contact details

image:Canadian_RX_Contacts.jpg

The domain name in this contact has been suspended by the registrar:

 Domain Name: DRUGSSUPPORT24.COM
 Registrar: ENOM, INC.
 Whois Server: whois.enom.com
 Referral URL: http://www.enom.com
 Name Server: BLOCKEDDUETOSPAM.PLEASECONTACTSUPPORT.COM
 Name Server: DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM
 Status: clientHold
 Updated Date: 14-apr-2010
 Creation Date: 09-oct-2009
 Expiration Date: 09-oct-2010

image:Canadian_RX_affiliates.jpg

Affiliates also will have a problem making contact. The affilates web site has been suspended by the registrar:

 Domain Name: SPAMPROMO.COM
 Registrar: TODAYNIC.COM, INC.
 Whois Server: whois.todaynic.com
 Referral URL: http://www.NOW.CN
 Name Server: NS3.01ISP.COM
 Name Server: NS4.01ISP.NET
 Status: clientHold
 Status: clientTransferProhibited
 Updated Date: 27-dec-2009
 Creation Date: 17-dec-2008
 Expiration Date: 17-dec-2010

The phone number on the site - 1 (800) 998 7978 is answered by a recorded message, which provides a different e-mail address - support@rx-drugs-support.com which is sponsored by US registrar, Enom

 Domain Name: RX-DRUGS-SUPPORT.COM
 Registrar: ENOM, INC.
 Name Server: NS1.RX-DRUGS-SUPPORT.COM
 Name Server: NS2.RX-DRUGS-SUPPORT.COM
 Status: clientTransferProhibited
 Updated Date: 26-feb-2010
 Creation Date: 09-jul-2008
 Expiration Date: 09-jul-2010

The web site at rx-drugs-support.com gives the contact address for Canadian RX Drugs as Suite 2, Portland House, Glacis Road, Gibraltar which is depicted in a photograph This address can also be found in a Google search:

rx-drugs-support.com has an IP address 91.212.135.134 which is located in Russia

inetnum:        91.212.135.0 - 91.212.135.255
netname:        YABA-NET
descr:          YabaMedia Ltd
country:        RU

organisation:   ORG-YL4-RIPE
org-name:       YabaMedia Ltd
org-type:       OTHER
address:        Shipilovskaya st. 18/1
address:        Moscow, 120312, Russia
e-mail:         alexander@yabadaba.ru
 
person:         Alexander Andreev
address:        Shipilovskaya st. 18/1
address:        Moscow, 120312, Russia
phone:          +7 925 8782503
e-mail:         alexander@yabadaba.ru

[edit] FDA Warning Letter

The US Food and Drug Administration FDA) issued an official Warning Letter on October 8, 2010.

Inspections, Compliance, Enforcement, and Criminal Investigations
TO: support@rx-drugs-support.com
FROM: Food and Drug Administration Internet Pharmacy Task Force
RE: Internet Marketing of Unapproved and Misbranded Drugs
DATE: October 8, 2010

Included in the letter were these Canadian Online Pharmacy sites, still operating 6 weeks later despite a deadline of 15 working days -

  • buy-oxycontin.us
  • buyoxycontin.us
  • buyoxycontinonline.us
  • cheapoxycontin.us
  • orderoxycontin.us
  • oxycontin-without-prescription.us
  • oxycontinbuy.us
  • oxycontinnoprescription.us
  • oxycontinwithoutprescription.us

Extract:

Acomplia (rimonabant) is well-known as the name of a drug previously approved in the European Union. It has never been approved by FDA, and in June 2007, FDA’s Endocrinologic and Metabolic Drugs Advisory Committee unanimously voted not to recommend approval of the drug because of increased risk of neurological and psychiatric side effects including seizures, depression, anxiety, insomnia, aggressiveness, and suicidal thoughts among patients.

[edit] Spam Examples

Subject: Subject: Friend username, enter our shop Izesgykeh

The evolution of insect wings has been a subject of debate.
Leung King, Tuen Mun Hospital, Fung Tei.
http://xhx.rodolfodrugs.ru/?f825f2b53cb-5b61a83626e8-d3d163de635
Dragonfly naiads use jet propulsion, forcibly expelling water out of their rectal chamber.
They included Wayne Gretzky, Mark Messier, Ken Linseman, and Mike Gartner.
http://q.rodolfodrugs.ru/?7df68546302e-e41641c38bc-1d52413b5d1

[edit] Hosting Sites

This has become a far more prevalent brand than before. In April 2010 the spam abuse rate increased to match or better that of Canadian Pharmacy

[edit] Sample name server domains

  • aa1ns.ru
  • abrnswowk.ru
  • abvnameshere.ru
  • aebnstree.ru
  • akimdnservice.ru
  • alinanameserv.ru
  • alushyearns.ru
  • ansernameg.ru
  • aprnamesplace.ru
  • armfreenet.ru
  • arnamebz.ru
  • augnameservr.ru
  • azjnameserver.ru
  • g1ns.ru
  • gg2ns.com
  • gg9ns.com
  • hh4ns.com
  • o5nserv.ru
  • prnservme.ru

[edit] URIBL lists of sites

[edit] Sample Name Server IP addresses

CZ bad IPs - CERT email = cert@cert.cz

  • 90.176.146.222
  • 188.130.250.227
  • 193.104.106.81
  • 193.104.106.82
  • 193.104.106.85

UA bad IPs - CERT email = cert@cert.gov.ua

  • 91.206.201.6
  • 124.248.32.111
  • 193.104.12.125
  • 193.104.12.126
  • 193.104.12.127
  • 193.104.12.128
  • 202.165.179.23

[edit] How to report this spam

The Complainterator is configured to request removal of these fraudulent sites. Add a link to this page as evidence.

Send an email to the Czech and Ukraine country CERT teams at the email addresses shown above. Request that these illegal IP addresses be put in a routing black hole. Again, add a link here for the criminal evidence.

[edit] Related spam operations

Canadian Pharmacy and PharmSite share many similarities. A single agent may register domains for sale to multiple spam affiliate programs, so there may indeed be a connection. And there is likely plenty of plagiarism of things like images of fake seals.

Personal tools