Drug Store

From Spamwiki

Description

"Drug Store"

Drug Store (the operation actually uses several names) is yet another in the long line of illegal online pharmacy operations believed to be run by the Yambo Financials group of spammers and sponsors. There are also clear similarities to the previously seen Canadian Pharmacy and US Pharmacy sites, notably in their contact forms and their order processing forms. Since the bold header featuring the name of the site is plain text rather than an image, they can call it whatever they like. Most of the recent spam for these sites just used the name "Drug Store."

Basic Summary

An example of a typical Drug Store landing page
Drug Store is part of a large family of sites which purport to offer discounted pharmaceuticals to an unwitting public. As with most of these previously reported sites, every single claim which they make, on every page of the site, is 100% false. Recent examples show that they even lie to the public by using an https:// link in the spammed messages, so that the site appears to have a secure (SSL) connection. As we'll see below, their sites offer no genuine security at all. It's an extra step these criminals are taking to cheat the public out of their money.

Sample Spam

Good Day, we are happy to announce that our store has been updated:

- Our physicians are now U.S licensed
- More brands & products
- New order tracking system
- Dedicated Support 24/7
- Faster delivery

Best Regards,
https://stybnryunmtyum.cn
--
In her anxiety over her unexpected pregnancy, Julie would have gone to Melissa for
advice and comfort, talking so late into the night that Melissa would have invited
her to sleep over.
Knots of women, children, old folks.
Jeff's road leads to a country very much like the one I believe you once had.

False Claims

As with virtually all spammed pharmacy websites of this type, literally all of the claims made on the site are a complete fabrication and have no truthful basis whatsoever.

This includes all their typical "endorsement" icons along the bottom of every page:

An example of the fake "endorsement" footer links.

Note that the URL is https, which would normally indicate that the site is secured with an SSL certificate. You'll find that you get several warnings about this certificate. That's because it is (of course) not issued by any certificate authority: it is a self-signed placeholder certificate (the issuer and the subject are both "localhost.localdomain"), being used fraudulently. Here are the details on the "certificate" in use at stybnryunmtyum.cn:

Version: Version 3
Serial Number: 00
Certificate Signature Algorithm: PKCS #1 MD5 With RSA Encryption

Issuer:

E = root @ localhost.localdomain
CN = localhost.localdomain
OU = SomeOrganizationalUnit
O = SomeOrganization
L = SomeCity
ST = SomeState
C = --

Validity:
Not Before 2/4/2008 9:41:21 AM GMT
Not After 2/3/2009 9:41:21 AM GMT

Subject (same as issuer information)

Subject's Public Key:
Size: 140 Bytes / 1120 Bits
30 81 89 02 81 81 00 97 cb fc da 7d 2a 8e d1 c3
92 bc b1 25 36 c9 6c a1 2e 87 cb 0c ff 5e 35 c8
36 60 11 76 08 0b 6b 57 50 9b e7 18 92 3d 9f 08
b5 c5 ba 2d ea 1c 3f c0 f9 1a 96 0b f0 9c e6 8f
0c a2 cd 5c 01 03 89 09 64 4e 1a 03 2b 94 1e 1b
b4 77 b2 df b5 43 a1 e6 e4 cf fc 88 65 75 4c 6f
09 3f 6d 43 17 7a 7c 63 1c dc a5 b7 c2 4a 70 25
f6 63 82 56 13 3e db 9e fb 69 98 a8 09 e6 b9 3e
d5 93 9e 43 a1 c5 43 02 03 01 00 01

Certificate Subject Key ID:
Size: 20 Bytes / 160 Bits
a4 09 b3 e7 51 fe d9 a0 fe e4 b3 3f 25 8b 40 a0
54 c6 cf 2c

Certificate Signature Value:
Size: 128 Bytes / 1024 Bits
18 ed 0c 6e 52 73 3c 64 c4 1a 34 13 63 50 fa 64
58 e8 57 e8 aa da 20 9f bb e3 d9 ac 72 04 6a 81
18 de 57 c2 cf 91 3e de fd 51 94 89 cc 48 d8 fe
a3 b3 be 59 a7 ab 1f f8 4c 21 40 03 3f bf 6a ae
00 69 5e 95 ef be 4e b0 3a 7d 27 8a c0 77 dc 49
82 48 72 df b1 7d 7d e8 77 44 f2 d0 9c 7c 60 d8
a6 a2 df 41 04 78 3e 29 f8 80 d7 51 5c 04 16 84
df bd ac 01 16 34 00 d3 39 4d 08 41 65 4f 81 89

Accepting that certificate (you'll notice that in Firefox you get three distinct warnings stating that the certificate is invalid) will still make your browser show the "secure" indicators we all expect from a genuine certificate. This is particularly troubling, since the general public will still assume the site is secure when in reality it most certainly is not: an accepted self-signed certificate may encrypt the connection, but it proves nothing about who is on the other end, and everything typed into the order form still goes straight to the criminals.
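The problems with the certificate above can be checked mechanically rather than by eye. The following Go program is an added example, not code from Spamwiki or from any tool mentioned on the page: it builds a constructed self-signed certificate carrying the same placeholder subject fields as the one quoted (signed with ECDSA/SHA-256 rather than MD5, and with serial number 1 rather than 00), then runs the checks a defender would apply to it: issuer equal to subject with the signature verifying under the certificate's own key, a weak signature algorithm, a serial number too short to have come from a public CA, placeholder name fields, and the validity window judged at the date the spam was seen. The function names, the 30-day-style observation date and the 64-bit serial threshold (the minimum random output public CAs are required to use) are the example's own assumptions; the weak-algorithm branch is present but is not triggered by the SHA-256 sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// AssessCertificate lists the reasons a padlock icon backed by this certificate
// proves nothing about who runs the site. Each check corresponds to a property of
// the stybnryunmtyum.cn certificate quoted on the page. Names and thresholds are
// the example's own (assumption), not taken from any standard tool.
func AssessCertificate(cert *x509.Certificate, seen time.Time) []string {
	var findings []string

	// Self-signed: issuer and subject are the same name and the signature verifies
	// under the certificate's own public key, so no certificate authority vouched for it.
	if cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		findings = append(findings, "self-signed: issuer equals subject and the signature verifies under its own key")
	}

	// MD5 (as on the page) and SHA-1 signatures have been rejected by browsers for
	// years; a CA-issued certificate would not carry one.
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature algorithm: "+cert.SignatureAlgorithm.String())
	}

	// Public CAs must put at least 64 bits of random output into a serial number;
	// the page's serial of 00 is the mark of a locally generated test certificate.
	if cert.SerialNumber.Sign() == 0 || cert.SerialNumber.BitLen() < 64 {
		findings = append(findings, fmt.Sprintf("serial number %s is too small for a CA-issued certificate", cert.SerialNumber))
	}

	// Placeholder fields such as localhost.localdomain and SomeOrganization are the
	// defaults left in place when nobody filled in the certificate request.
	subject := cert.Subject.String()
	for _, placeholder := range []string{"localhost", "SomeOrganization", "SomeCity", "SomeState"} {
		if strings.Contains(subject, placeholder) {
			findings = append(findings, "placeholder subject field: "+placeholder)
		}
	}

	// Validity is judged at the time the spam was seen, not at the time of analysis.
	if seen.Before(cert.NotBefore) || seen.After(cert.NotAfter) {
		findings = append(findings, "outside validity period at the time it was seen")
	}
	return findings
}

// NewPlaceholderCert builds a constructed self-signed certificate carrying the same
// subject as the page's certificate. It is signed with ECDSA/SHA-256 and uses serial
// number 1, so the weak-algorithm finding is the only one the sample does not trigger.
func NewPlaceholderCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:         "localhost.localdomain",
			OrganizationalUnit: []string{"SomeOrganizationalUnit"},
			Organization:       []string{"SomeOrganization"},
			Locality:           []string{"SomeCity"},
			Province:           []string{"SomeState"},
			Country:            []string{"--"},
		},
		NotBefore: time.Date(2008, 2, 4, 9, 41, 21, 0, time.UTC),
		NotAfter:  time.Date(2009, 2, 3, 9, 41, 21, 0, time.UTC),
	}
	// Passing tmpl as its own parent makes the issuer the subject, i.e. self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewPlaceholderCert()
	if err != nil {
		panic(err)
	}
	// 2008-03-01 is a constructed observation date inside the certificate's validity window.
	for _, f := range AssessCertificate(cert, time.Date(2008, 3, 1, 0, 0, 0, 0, time.UTC)) {
		fmt.Println("-", f)
	}
}
```

Against the sample the program reports the self-signed issuer, the tiny serial and the four placeholder fields; re-running it with a date after 3 February 2009 adds the expiry finding. A real certificate from a spam site would be obtained with a TLS client and passed to the same function; none of the checks need the private key, only the parsed certificate.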

Beyond that extreme measure to lie to us, the site features all of the hallmarks of a typical Yambo or Canadian Pharmacy site. "Endorsements" from CIPA, Verisign and Pharmacy Checker, all fake, all locally hosted. Statements in their so-called "Privacy Policy" that all data is passed securely on their site, etc. etc. Every word is a lie, as usual.

Credit Cards Accepted

Unlike most other spammed illegal pharmacy websites of this type, "Drug Store" appears to accept the widest variety of credit cards, and isn't merely lying about doing so as was the case with US Pharmacy. Card types accepted include: VISA, MasterCard, American Express, Diners Club, and JCB. They also accept eCheck, and feature a functioning eCheck form when that option is selected. This is in stark contrast to most other illegal pharmacy websites.

Domain Names

  • stybnryunmtyum.cn

Whoever is behind this operation is using obfuscated methods to disguise the registrant information for the domain. The example domain stybnryunmtyum.cn features the following WHOIS data:

Domain Name: stybnryunmtyum.cn
ROID: 20080206s10001s55379980-cn
Domain Status: ok
Registrant Organization: sawers
Registrant Name: BelovDmitriy
Administrative Email: sawers@mail.ru
Sponsoring Registrar: 厦门华商盛世网络有限公司
Name Server:ns1.bulkaffilliate.cn
Name Server:ns2.bulkaffilliate.cn
Registration Date: 2008-02-06 05:59
Expiration Date: 2009-02-06 05:59

That hides the fact that Todaynic is the actual authorizing registrar. As usual that email address will not respond to repeated requests for verification of the registrant's identity. (But unlike most of these sites, at least it is a genuine email address.)

The domains can be reported using Complainterator.

Name servers

In the above example domain (stybnryunmtyum.cn), the web server and both supporting name servers (ns1.bulkaffilliate.cn and ns2.bulkaffilliate.cn) are hosted on the same IP address, 79.135.181.226, which is located in Turkey at turkey-colo.net.
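The registration and hosting facts in the two sections above lend themselves to the same kind of mechanical check. The Go program below is an added example, not part of the wiki page or of Complainterator: it parses a WHOIS record constructed to match the one quoted above into key/value fields, pairs it with a constructed address table holding the single IP the page reports for all three hosts, and flags a domain registered only days before the spam was seen, a domain registered for a single one-year term, and name servers that resolve to the same address as the web server. The observation date (2008-02-20; the page does not date the spam), the 30-day threshold and all function names are the example's own assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed sample WHOIS text, matching the record quoted on the page
// (including the registry's missing space after "Name Server:").
const sampleWhois = `Domain Name: stybnryunmtyum.cn
ROID: 20080206s10001s55379980-cn
Domain Status: ok
Registrant Organization: sawers
Registrant Name: BelovDmitriy
Administrative Email: sawers@mail.ru
Sponsoring Registrar: 厦门华商盛世网络有限公司
Name Server:ns1.bulkaffilliate.cn
Name Server:ns2.bulkaffilliate.cn
Registration Date: 2008-02-06 05:59
Expiration Date: 2009-02-06 05:59
`

// Constructed address table standing in for DNS lookups; every host sits on the
// single IP the page reports for the web server and both name servers.
var sampleResolved = map[string]string{
	"stybnryunmtyum.cn":     "79.135.181.226",
	"ns1.bulkaffilliate.cn": "79.135.181.226",
	"ns2.bulkaffilliate.cn": "79.135.181.226",
}

// ParseWhois turns "Key: Value" lines into a multi-valued map, tolerating a missing
// space after the colon and skipping lines that are not key/value pairs.
func ParseWhois(text string) map[string][]string {
	fields := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		key, value, ok := strings.Cut(sc.Text(), ":")
		if !ok {
			continue
		}
		key, value = strings.TrimSpace(key), strings.TrimSpace(value)
		if key != "" && value != "" {
			fields[key] = append(fields[key], value)
		}
	}
	return fields
}

func first(values []string) string {
	if len(values) == 0 {
		return ""
	}
	return values[0]
}

// AssessDomain reports the registration and hosting traits the page describes:
// a domain only days old when the spam was seen, a single one-year registration,
// and name servers that resolve to the same address as the web server.
// The 30-day threshold is the example's own choice (assumption).
func AssessDomain(fields map[string][]string, resolved map[string]string, seen time.Time) []string {
	const layout = "2006-01-02 15:04" // timestamp format used in the record above
	var findings []string

	reg, regErr := time.Parse(layout, first(fields["Registration Date"]))
	exp, expErr := time.Parse(layout, first(fields["Expiration Date"]))
	if regErr == nil {
		if age := seen.Sub(reg); age >= 0 && age < 30*24*time.Hour {
			findings = append(findings, fmt.Sprintf("domain registered only %.0f days before the spam was seen", age.Hours()/24))
		}
		if expErr == nil && exp.Sub(reg) <= 366*24*time.Hour {
			findings = append(findings, "registered for a single one-year term (throwaway domain)")
		}
	}

	// Name servers normally live on infrastructure separate from the site they serve;
	// here they are the very same box, so one IP address carries the whole operation.
	webIP := resolved[first(fields["Domain Name"])]
	for _, ns := range fields["Name Server"] {
		if ip, ok := resolved[ns]; ok && webIP != "" && ip == webIP {
			findings = append(findings, "name server "+ns+" shares the web server's IP "+webIP)
		}
	}
	return findings
}

func main() {
	fields := ParseWhois(sampleWhois)
	// The observation date is a constructed assumption; the page does not date the spam.
	for _, f := range AssessDomain(fields, sampleResolved, time.Date(2008, 2, 20, 0, 0, 0, 0, time.UTC)) {
		fmt.Println("-", f)
	}
}
```

With the sample data the program reports four findings: the fresh registration, the one-year term, and one line per name server sharing 79.135.181.226. In practice the address table would be filled from live DNS lookups and the WHOIS text from the registry, which is exactly the information Complainterator forwards to the registrars.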

How to Report this Spam

You will notice that for all of these sites, there is an email listed for questions regarding your order: support@canadianpharmsupport.com. This same email address has been associated with numerous other pharmacy operations, usually those with the highest public outcry regarding orders which were placed and charged, but never received. Examples can be seen here, here and here. This underscores how important it is to verify the legality and propriety of a website before you give them your personal data, especially credit card data.

The spammed domain name can be reported using the Complainterator which will direct an email both to the registrar of the site, and the registrar of the domain name servers that act as the gateway to the sites.

Related Spams

US Pharmacy

US Pharmacy