Copycat Pharmacies
From Spamwiki
Contents |
[edit] Description
We are seeing the advent of multiple copy-cat fake pharmacies.
- Kmeds
- RXPharma
- XpressRX
- Express Drugmart (Redirection and Round robin, sells Viagara (sic))
- Rxnet (Redirection, shares name servers with Express Drugmart)
- Discounted Pharma
Seemingly cut from a "cookie cutter", these pharmacy web site knock-offs are beginning to proliferate on the Internet. Some examples feature here.
 |  |  |  |  |
 |  |  |  |  |
Where these sites have a link to "View License", they display the same fake Photoshopped "license" as My Canadian Pharmacy or Premier Pharmacy
 |  |
Where these sites have a fake link to Verisign or the Better Business Bureau (BBB), they refer to Discount Pharmacy
[edit] Spam Examples
Our Client Now you have a great opportunity to get all necessary medicament you wish. We provide you the acceptable prices and big rebates. We also suggest you the most comfortable conditions. Our company is very popular in the world!!! Treat yourself and improve your health with our particularized aid! Just CLICK here!
[edit] Sponsoring Registrars
[edit] Name Servers
- ns1.meddsp.org ns2.meddsp.org
- ns0.kerunhandgunfandesikuntun.com ns0.adesuikintandefunhandesun.com
- ns0.deryandsuikiontunhandes.com ns.daseruikiontungandesun.com
- ns.waseruntionkinyungands.com ns.daseruikiontungandesun.com
- ns0.frankintionhandefunpionkin.com ns0.daserunhgenfunyanderunjans.com
- ns0.pasdrtionkintungandesunjin.com ns0.deryandsuikiontunhandes.com
- ns0.caseruikiontungandesun.com ns0.daseruiyionkdefunhan.com
[edit] Spamvertized Sites
| Copycat type | Domain | Domain | Domain | Domain |
| Kmeds | loftyrx.org | fastupp.org | vxoperator.org | hpmedx.org |
| RXPharma | hotrxr.org | rxrolls.org | lastingrx.org | fastdeliverypills.com |
| XpressRX | xpressrx.org | wellprx.org | crossmedd.org |
- TodayNIC
| Copycat type | Domain | Domain | Domain |
| Express Drug Mart | lowpriceofferpill.com | highqualitymeds.com | socialnetworkering.com |
Sample from spam:
Get your meds here (links to http://bgwe.aboutonefifth.com which redirects to lowpriceofferpill.com)
Here is an example of false pretenses, from one KMeds Online Pharmacy site. Click on the Verisign Secure Site logo, and you are served a page from another site (not Verisign), and the faked certificate states
To ensure that this is a legitimate VeriSign Secure Site, make sure that: 1. The original URL of the site you are visiting comes from Discount Pharmacy. 2. The status of the Server ID is Valid.
With a genuine Verisign authorized site, this should have read
To ensure that this is a legitimate VeriSign Secure Site, make sure that: 1. The original URL of the site you are visiting comes from KMeds Online Pharmacy. 2. The URL of this page is https://digitalid.verisign.com. 3. The status of the Server ID is Valid.
The second item has been removed, because the pop-up screen displayed is obviously a fake, and the Verisign warning would make that fact even more obvious.
Look at the properties of this fake certificate screen, and you find that instead of https://digitalid.verisign.com, the URL is actually http://wonderlife.org/verisign.php. The Verisign certificate is fraudulent. Abuse of the seal can be reported to Verisign.
[edit] Related Spam
Five spam operations that share the same registrar, name servers, and even the same spammed domain name are shown here. The base domain is socialnetworkering.com which returns a blank page. Certain prefixes resolve to different but related families of spam operations. The first letter of the prefix dictates which spammer site will be landed upon:
| Prefixed site name | Related operations |
|---|---|
| bhi.socialnetworkering.com | Express Drug Mart |
| bjjj.socialnetworkering.com | Express Drug Mart |
| bhys.socialnetworkering.com | Express Drug Mart |
| bst.socialnetworkering.com | Express Drug Mart |
| bgv.socialnetworkering.com | Express Drug Mart |
| cjt.socialnetworkering.com | Naturaslim Hoodia |
| dtj.socialnetworkering.com | Elite Herbal |
| dwl.socialnetworkering.com | Elite Herbal |
| kbgg.socialnetworkering.com | Rxnet |
| kkfh.socialnetworkering.com | Rxnet |
| kuj.socialnetworkering.com | Rxnet |
| kqw.socialnetworkering.com | RxNet |
| rpg.socialnetworkering.com | SwissWatchesDirect |
This depicts the clear relationship shared by
- Express Drug Mart
- Naturaslim Hoodia
- Elite Herbal
- RxNet
- SwissWatchesDirect
In a similar manner, there is a clear relationship between RxPharma and KMeds Pharmacy. Name servers ns1.788tom.com and ns2.788tom.com resolve all of the following sites
- eddtot.info RX Pharma
- eetryu.info RX Pharma
- gympice.info RX Pharma
- gadyutte.info RX Pharma
- hommeetit.info RX Pharma
- wevtom.info RX Pharma
- yuthoo.info RX Pharma
- bictwill.info KMeds Pharmacy
- bumfuut.info KMeds Pharmacy
- camuptpy.info KMeds Pharmacy
- dotuppy.info KMeds Pharmacy
The most recently registered and spammed sites for this pair will be found at the URIBL link report. The name server domain, 788tom.com is registered with the sponsoring registrar Enom and the illegal spammed fake pharmacies on Public Domain Registry.
[edit] How to report this spam
The Complainterator is configured to report these copy-cat fake pharmacies to the sponsoring registrar
