Men Health

From Spamwiki

Contents 1 Description 2 False Claims 2.1 Proof of fake license 2.2 Fake Registration 3 History 4 Related Spam Operations 4.1 Proxy Image Servers 5 Sample spams 6 How to Report this Spam 7 Sponsor Organization 8 Related spam operations

[edit] Description

This purports to be a Manitoba Pharmacy Association licensed pharmacy.

However, it is widely believed to be a credit card theft scam - fronted by a fake pharmacy retailer.

Men's Health or Men Health or Men+ Health: Judging by the name servers used, this is clearly another of ROKSO listed #2 most wanted Cyber criminal Alex Polyakov's site, used for identity theft and credit card theft. If any of his pharmacy product ever gets delivered, it has been found to contain placebos (sugar pills).

The whole site is full of lies.

[edit] False Claims

Men Health displays a fake license, LICENSE NO 03161490 from the Manitoba Pharmacy Association (MPhA).

• Manitoba Pharmacy Association License is faked.
• The ordering transaction is not secure.
• The Verisign logo is misused.

When you click on the verisign logo, you expect to be taken to the Verisign site to display its validity. Here, the link goes back to the same site. The information displayed has been fraudulently modified to try to obscure that fact that it has been tampered with.

Fake version

To ensure that this is a legitimate Soltrus Secure Site, make sure that:

  1. The original URL of the site you are visiting comes from Men+ Health
  2. The status of the Server ID is Valid.

Genuine version

To ensure that this is a legitimate Soltrus Secure Site, make sure that:

  1. The original URL of the site you are visiting comes from <name here>
  2. The URL of our secure pages are https://<custom URL here> which will appear
     when you click on the first continue button during the ordering process.
  3. The status of the Digital ID is Valid. 

and

For your best security while visiting sites, always make sure the address
of the visited site matches the address you are expecting to see. Make sure
that the URL of this page begins with "https://seal.verisign.com"

WARNING: Placing an order on this site is giving your full credit card details to the Internet's worst criminal. If you have made that mistake, cancel your credit card immediately.

The license link on the site, links back to the same site, and displays a certificate supposedly issued by the Manitoba Board of Pharmacy. The image shown here has the same site name as the fake pharmacy site in the address bar.

[edit] Proof of fake license

The signatory on the fake license, Michael N. Dort is not listed on the MPhA site.

The company name listed in the certificate is "(applicant)" !

[edit] Fake Registration

Like other Yambo family sites, CH&CM uses identity theft to register its sites. Victims whose personal information has been used to register one of these sites should follow the steps outlined here.

[edit] History

Men Health runs hand-in-hand with My Canadian Pharmacy, International Legal RX, VIP Pharmacy and Canadian Health&Care Mall, sharing the same methodology:

• Hijacked name servers
• Hijacked web sites
• Hijacked image servers
• All use the same name servers
• Name servers are typically 4 in number, and are registered with a subset of registrars
• Several new sites may be registered and spamvertized every day
• Hijacked sites use identical proxy servers to redirect DNS and http requests to back-end servers
• Hijacked sites have a firewall setting to prevent access from specific addresses such as FBI and Visa

Proof that the site uses image servers

If you load a page, right mouse click on any product image, and select copy image location you can see that is is hosted on another hijacked host such as http://149.132.105.173:8080/mh//shop/images/cialisst-52.gif or http://82.240.202.162:8080/mh//shop/images/viagraprofessional_m.gif for example. The selection of the hijacked image servers is within some Java script code:

<script id=img_redir> 
var urls=new Array(); 
/**rdr urls*/
urls.push('http://82.240.202.162:8080/mh/');
urls.push('http://148.223.209.19:8080/mh/');
urls.push('http://200.123.181.65:8080/mh/');
urls.push('http://66.146.60.20:8080/mh/');
urls.push('http://149.132.105.173:8080/mh/');
/**rdr urls*/
</script>

[edit] Related Spam Operations

[edit] Proxy Image Servers

At the time of writing, all of these hijacked image servers were simultaneously in use for the following sites

• My Canadian Pharmacy
• International Legal RX
• US Drugs
• VIP Pharmacy
• Canadian Health&Care Mall

[edit] Sample spams

[edit] How to Report this Spam

See the Complainterator which is specifically configured to report this spamming operation.

[edit] Sponsor Organization

Bulker.biz is the sponsor organization behind this type of site. They pay spammers to promote it, and they don't shut down illegal spammers.

[edit] Related spam operations

See: Bulker.biz