Genuine Pills
From Spamwiki
Description
First observed in December 2008, this ironically named pharma site is easily identified as a scam.
First, it offers to sell Schedule II drugs (drugs classified as having the highest potential for abuse among all drugs legal in the U.S.), and asks for no prescription. Offering those drugs sends a site to the top of the list for law enforcement scrutiny.
The site has a "FAQ" page copied word-for-word from another pharma site, but otherwise carries very little text. It relies on its outrageous product offerings to lure victims, not on any kind of salesmanship.
Fake credit card numbers are rejected so quickly that the operators probably aren't attempting to process any orders at all; they are simply collecting the card numbers.
Why jump to such a conclusion? A little detective work shows why. The spammed domain brought to our attention, mypharmapills.com, is botnet hosted. Instead of paying a hosting company for a server, mypharmapills.com is hosted on ten different computers at the same time, located in the IP ranges of multiple hosting services on multiple continents, and it moves to ten new IP addresses every few minutes. That is a reliable sign that none of those computers is being used with its owner's authorization.
Botnets don't overlap -- if a computer is in one botnet, it won't be in any others. This particular botnet, in addition to hosting mypharmapills.com, hosts a number of phishing sites. So it is likely that Genuine Pills is actually a variation of social engineering, using familiar pills instead of familiar banks to lure people into giving up their credit card numbers and other personal information.
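The hosting pattern described above (many simultaneous A records, spread across unrelated networks, rotating every few minutes) is what a resolver log makes visible. The following script is an added example, not part of the original article or of any Spamwiki tool: it replays a constructed set of repeated lookups for a hypothetical domain pharma.example and a stable control domain stable.example, using RFC 5737 documentation addresses rather than the real hosts, and scores each domain on distinct addresses, distinct /24 prefixes (a crude stand-in for "different hosting services"), answer-set churn between lookups, and TTL. The thresholds are assumptions for illustration and should be tuned against your own resolver data.

```python
from ipaddress import ip_network

# Constructed resolver log: (seconds since start, domain, A-record answer set, TTL).
# Addresses are from RFC 5737 documentation ranges, not from any real host.
SNAPSHOTS = [
    (0,   "pharma.example", {"192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.9"}, 180),
    (300, "pharma.example", {"192.0.2.10", "198.51.100.44", "203.0.113.200", "198.51.100.5"}, 180),
    (600, "pharma.example", {"203.0.113.31", "192.0.2.150", "198.51.100.44", "203.0.113.200"}, 180),
    (900, "pharma.example", {"192.0.2.201", "203.0.113.31", "198.51.100.99", "192.0.2.150"}, 180),
    (0,   "stable.example", {"192.0.2.1", "192.0.2.2"}, 3600),
    (300, "stable.example", {"192.0.2.1", "192.0.2.2"}, 3600),
    (600, "stable.example", {"192.0.2.1", "192.0.2.2"}, 3600),
    (900, "stable.example", {"192.0.2.1", "192.0.2.2"}, 3600),
]

# Assumed thresholds (not from the article); tune them against real data.
MIN_DISTINCT_IPS = 8        # the article's case used ten hosts at a time
MIN_DISTINCT_PREFIXES = 3   # spread across several networks, not one provider
MIN_CHURN = 0.5             # more than half the answer set replaced per interval
MAX_TTL = 300               # short TTLs force clients to pick up the rotation


def jaccard_distance(a, b):
    """Fraction of the combined answer set that changed between two lookups."""
    union = a | b
    return 0.0 if not union else 1 - len(a & b) / len(union)


def analyze(snapshots):
    """Group lookups by domain and compute fast-flux indicators per domain."""
    by_domain = {}
    for _ts, domain, answers, ttl in sorted(snapshots, key=lambda r: (r[0], r[1])):
        by_domain.setdefault(domain, []).append((answers, ttl))
    report = {}
    for domain, rows in by_domain.items():
        answer_sets = [answers for answers, _ in rows]
        union = set().union(*answer_sets)
        # /24 is a coarse proxy for "different hosting networks"; an ASN
        # lookup gives a better signal when one is available.
        prefixes = {ip_network(f"{ip}/24", strict=False) for ip in union}
        churn = [jaccard_distance(a, b) for a, b in zip(answer_sets, answer_sets[1:])]
        report[domain] = {
            "distinct_ips": len(union),
            "distinct_prefixes": len(prefixes),
            "churn": sum(churn) / len(churn) if churn else 0.0,
            "min_ttl": min(ttl for _, ttl in rows),
        }
    return report


def is_fast_flux(metrics):
    """All four indicators must fire; any one alone has benign explanations (CDNs, round-robin)."""
    return (metrics["distinct_ips"] >= MIN_DISTINCT_IPS
            and metrics["distinct_prefixes"] >= MIN_DISTINCT_PREFIXES
            and metrics["churn"] >= MIN_CHURN
            and metrics["min_ttl"] <= MAX_TTL)


def flagged_domains(snapshots):
    """Domains whose resolution history matches the fast-flux profile."""
    return sorted(d for d, m in analyze(snapshots).items() if is_fast_flux(m))


if __name__ == "__main__":
    for domain, metrics in analyze(SNAPSHOTS).items():
        verdict = "FAST-FLUX" if is_fast_flux(metrics) else "ok"
        print(f"{domain:16} {verdict:10} {metrics}")
```

Requiring all four indicators together matters: a large CDN also answers with many addresses and short TTLs, but its answer set is drawn from its own networks and does not turn over almost completely every few minutes.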
Sample of Spam
Subject: Joyce fetch your pills All Sleeping Pills Coupon : xmas 5% OFF!!!! http://mypharmapills.com
Related Phishing Operations
The hijacked hosts on which this operation resides also host phishing operations. Take for example the hijacked host with IP address 24.60.223.88:
mybank.1aliance-leicester2.uk.nfdqt3k77.com
mybank.1aliance-leicester2.uk.ni3ew4v6r.com
mybank.1alliance-leicester2.uk.01mpnagqy.com
mybank.aliance-leicester.co.uk.7otd15rud.com
mybank.aliance-leicester.co.uk.vc6w2hruj.com
mybank.alliance-leicester.co.uk.b45ylj6c0.com
mybank.alliance-leicester.co.uk.b6h7lel44.com
mybank.alliance-leicester.co.uk.d06oxcc1t.com
mybank.alliance-leicester.co.uk.rpge8ude2.com
mybank.alliance-leicester.co.uk.vc6w2hruj.com
myonlineaccounts1.abeynational.com.pn3ekq976.com
myonlineaccounts2.abbeynational.co.uk.fke5nnp8m.com
These are obviously phishing attempts on two UK banks.
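Every hostname above follows the same shape: a bank's real-looking path (mybank.alliance-leicester.co.uk) placed in the subdomain, sometimes misspelled, in front of a throwaway registrable domain made of random letters and digits. The script below is an added example, not from the article, that turns that observation into a check a mail or DNS filter could run. It takes the hostname list from this page as sample input, compares each subdomain label against an assumed watch list of brand tokens (alliance-leicester, abbeynational) with an edit distance of at most one so that "aliance" and "abeynational" still match, and notes whether the registrable label looks machine-generated. The registrable domain is taken as the last two labels, which is a simplification that only holds for suffixes like .com; production code should use the Public Suffix List.

```python
import re

# Sample input: the hostnames listed in the article for the host 24.60.223.88.
HOSTNAMES = """
mybank.1aliance-leicester2.uk.nfdqt3k77.com
mybank.1aliance-leicester2.uk.ni3ew4v6r.com
mybank.1alliance-leicester2.uk.01mpnagqy.com
mybank.aliance-leicester.co.uk.7otd15rud.com
mybank.aliance-leicester.co.uk.vc6w2hruj.com
mybank.alliance-leicester.co.uk.b45ylj6c0.com
mybank.alliance-leicester.co.uk.b6h7lel44.com
mybank.alliance-leicester.co.uk.d06oxcc1t.com
mybank.alliance-leicester.co.uk.rpge8ude2.com
mybank.alliance-leicester.co.uk.vc6w2hruj.com
myonlineaccounts1.abeynational.com.pn3ekq976.com
myonlineaccounts2.abbeynational.co.uk.fke5nnp8m.com
""".split()

# Assumed watch list for the example: brand token as it appears in a hostname label
# mapped to the display name used in reports.
BRANDS = {"alliance-leicester": "Alliance & Leicester", "abbeynational": "Abbey National"}
MAX_EDIT_DISTANCE = 1  # assumption: one typo is enough to count as a lookalike


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label):
    """Strip the digits kits bolt onto labels so '1aliance-leicester2' compares as 'aliance-leicester'."""
    return label.strip("0123456789").lower()


def looks_random(label):
    """Crude heuristic: a registrable label mixing letters and digits with no dictionary shape."""
    return len(label) >= 8 and bool(re.search(r"\d", label)) and bool(re.search(r"[a-z]", label))


def classify(hostname, brands=BRANDS):
    """Return a finding if any subdomain label is a brand token (or a one-typo variant), else None."""
    labels = hostname.lower().split(".")
    registrable = ".".join(labels[-2:])  # simplification: assumes a one-label public suffix such as .com
    best = None
    for label in labels[:-2]:
        token = normalise(label)
        for brand in brands:
            distance = levenshtein(token, brand)
            if distance <= MAX_EDIT_DISTANCE and (best is None or distance < best[1]):
                best = (brand, distance)
    if best is None:
        return None
    brand, distance = best
    return {
        "hostname": hostname,
        "brand": brands[brand],
        "exact": distance == 0,
        "registrable_domain": registrable,
        "random_label": looks_random(labels[-2]),
    }


def classify_all(hostnames, brands=BRANDS):
    """Findings for every hostname that impersonates a watched brand."""
    return [f for f in (classify(h, brands) for h in hostnames) if f is not None]


if __name__ == "__main__":
    for finding in classify_all(HOSTNAMES):
        kind = "exact" if finding["exact"] else "typo"
        print(f"{finding['brand']:22} {kind:5} random={finding['random_label']} {finding['hostname']}")
```

Matching on the normalised label rather than the whole hostname is what lets the check survive the kit's padding digits and the inconsistent ".uk" / ".co.uk" filler between the brand and the throwaway domain.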
There are also examples of money mule advertising:
http://morganinvestments.com.cn/careers.html
See Bob Bear's coverage of this scam.
How to Report this Spam
In addition to reporting the domain and nameservers to their registrars using Complainterator, any domains for this brand should be reported to SIRT due to their high value for law enforcement. Whether they should be reported to PIRT is being investigated; they do not meet the normal definition of phishing, as they don't spoof trusted brands, but they likely do use typical phish kits to collect the credit card data.