Genuine Pills

From Spamwiki


Description

Genuine Pills screen shot

First observed in December 2008, this ironically named pharma site is easily identified as a scam.

First, it offers to sell Schedule II drugs (drugs classified as having the highest potential for abuse among all drugs legal in the U.S.), and asks for no prescription. Offering those drugs sends a site to the top of the list for law enforcement scrutiny.

You can find a "FAQ" page which is word for word taken from another pharma site, but generally the site has pretty minimal text. It is relying on the outrageous product offerings to lure victims, not any type of salesmanship.

Fake credit card numbers are so rapidly rejected that it seems likely they aren't even attempting to process any orders; they're just collecting the credit card numbers.

Why jump to such a conclusion? A little detective work shows why. The spammed domain brought to our attention, mypharmapills.com, is botnet hosted. Instead of paying a hosting company for a server, mypharmapills.com is served from ten different computers at the same time, located in the IP ranges of multiple hosting services on multiple continents, and it moves to ten new IP addresses every few minutes. That's a reliable sign that none of those computers is being used with authorization from its owner.

Botnets don't overlap -- if a computer is in one botnet, it won't be in any others. This particular botnet, in addition to hosting mypharmapills.com, hosts a number of phishing sites. So it is likely that Genuine Pills is actually a variation of social engineering, using familiar pills instead of familiar banks to lure people into giving up their credit card numbers and other personal information.
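The hosting pattern described above (many addresses at once, spread across unrelated networks, replaced every few minutes) can be scored from repeated DNS lookups. The following is an added example, not code from Spamwiki; the resolver snapshots are constructed, with only 24.60.223.88 taken from this page, and the /16 prefix test and thresholds are assumptions a defender would tune to their own data.

```python
import ipaddress

# Constructed DNS snapshots: the A records a resolver returned for one name
# on successive lookups a few minutes apart. Apart from 24.60.223.88, which
# appears on this page, the addresses are made up for illustration.
FLUX_SNAPSHOTS = [
    ["24.60.223.88", "78.101.4.12", "190.44.200.7", "121.7.33.9", "62.90.11.5"],
    ["24.60.223.88", "83.22.140.19", "201.9.77.3", "118.6.120.44", "5.150.2.9"],
    ["95.33.7.200", "186.12.9.41", "41.77.3.8", "58.99.140.2", "77.3.0.14"],
]

# Constructed snapshots for a legitimately hosted name: a small, stable,
# round-robin set inside a single provider block (TEST-NET-3 range).
STABLE_SNAPSHOTS = [
    ["203.0.113.10", "203.0.113.11"],
    ["203.0.113.11", "203.0.113.10"],
    ["203.0.113.10", "203.0.113.11"],
]

def flux_metrics(snapshots):
    """Summarise how many addresses a name used and how quickly they changed."""
    seen = set()
    prefixes = set()
    churn = []
    for ips in snapshots:
        seen.update(ips)
        # /16 is a coarse stand-in for "a different network" (an assumption;
        # ASN lookups would be better). Fast-flux names spread across many
        # unrelated networks, not one hosting provider's block.
        prefixes.update(
            str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips
        )
    for prev, cur in zip(snapshots, snapshots[1:]):
        replaced = set(cur) - set(prev)
        churn.append(len(replaced) / len(cur))  # fraction of answers that are new
    return {
        "unique_ips": len(seen),
        "unique_prefixes": len(prefixes),
        "mean_churn": sum(churn) / len(churn) if churn else 0.0,
    }

def looks_fast_flux(snapshots, min_ips=8, min_prefixes=5, min_churn=0.5):
    """Heuristic flag: many addresses, across many networks, replaced quickly."""
    m = flux_metrics(snapshots)
    return (m["unique_ips"] >= min_ips
            and m["unique_prefixes"] >= min_prefixes
            and m["mean_churn"] >= min_churn)
```

Three snapshots are enough to separate the two patterns here; in practice the scores are computed over hours of passive-DNS data so that ordinary CDN rotation does not trip the thresholds.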

Sample of Spam

Subject: Joyce

fetch your pills All Sleeping Pills

Coupon : xmas 5% OFF!!!!

http://mypharmapills.com

Related Phishing Operations

The hijacked hosts on which this operation resides also host phishing operations. Take for example the hostnames served by the hijacked host with IP address 24.60.223.88.


These hostnames are obviously phishing attempts on two UK banks.

There are also examples of money mule advertising:

http://morganinvestments.com.cn/careers.html

See Bob Bear's coverage of this scam.

How to Report this Spam

In addition to reporting the domain and nameservers to their registrars using Complainterator, any domains for this brand should be reported to SIRT due to their high value for law enforcement. Whether they should be reported to PIRT is being investigated; they do not meet the normal definition of phishing, as they don't spoof trusted brands, but they likely do use typical phish kits to collect the credit card data.
