Pharmacy Express
From Spamwiki
Description
Pharmacy Express (referred to in this document as PE) is a very large and sophisticated spamming operation believed to be operated by the Russian criminal spammer Leo Kuvayev and several of his colleagues and affiliates. Its sites have been spamvertised relentlessly to several million email addresses since at least 2004, possibly longer. Mr. Kuvayev is wanted on several international charges that he has never answered, including money laundering, child porn and of course illegal spamming.

This spam operation has numerous ties to several large-scale Windows viruses and Trojan infections going back many years. The botnets alleged to be behind it handle everything from domain registration to zombie infection and probably website hosting and "order" processing as well. Nobody has ever claimed to have received anything after ordering, so this series of websites is considered a credit card fraud operation very similar to Alex Polyakov's My Canadian Pharmacy. As with My Canadian Pharmacy, numerous pharmacy oversight organizations have fielded several thousand complaints per year about this illegal operation. They and numerous law enforcement agencies continue to investigate the spamming, website setup, DNS setup and (alleged) order processing of this spam gang as far as they are able. That investigation is ongoing.

Pharmacy Express sites stopped being spammed during the middle portion of 2007, but resurfaced with a completely new design in Feb. 2008. In November 2009, a third iteration was introduced, with a new skin.
Current Discussion
The November version sparked a new wave of spamming on Chinese .cn-registered domains, each embedding an iframe for the site justpfizershop.com. Sample redirection sites: jppyanpx.cn jwmubjve.cn xkftadba.cn cndrfvxq.cn svtjyblz.cn itvotozy.cn owjlarwg.cn nfetwode.cn slutluvf.cn
The 2008/2009 version of Pharmacy Express sites started to be spammed in late February 2008 and, as mentioned above, features a totally different design.
2008 spam runs relied on Yahoo search redirects to penetrate spam whitelists.
Spamming in 2007 for domains like lodrx.com, tedrx.com and similar, targeted Google's Gmail customers. Most were trapped by Gmail's spam detection and diverted to the spam folder.
You may follow a discussion on Pharmacy Express at the Fight Back forum.
Basic Summary
Pharmacy Express is yet another illegal pharmacy website operation which claims to offer discounted pharmaceuticals to unsuspecting consumers. As with numerous other pharmacy spam operations, nearly every single claim on their website is 100% false. Their sites are not secure, you are not sent anything after ordering on these sites, and among other things your credit card and possibly your identity may be stolen by this website.
Sample of a PE Spam e-mail
Subject: Re: PHxyjARMA
Body:
Hi, Vniagra 3, 35 Vnalium 1, 25 Cnialis 3, 75 Anmbien 2, 90 http://agnosti.22rx,com Important: Replace "," with "." in the above link -- Cedric stared at him. Harry saw some of the panic hed been feeling since Saturday night flickering in Cedrics gray eyes. Are you sure? Cedric said in a hushed voice.
Another sample
Hi, Economize 50% on Vaiagra Vaulium Ciualis http://www.tetrx-com Replace "-" with "." in the above link. Thats not the point! raged Mr. Weasley. You wait until I tell your mother Tell me what? said a voice behind them.
Note: The trivial obfuscation of the URL by inserting a comma, hyphen or asterisk is designed to defeat SpamCop's parsing.
Description of Operations
The Pharmacy Express website is a typical pharmaceutical e-commerce site. They claim to offer generic versions of several prescription drugs including Viagra and Cialis. (As stated elsewhere, neither of those drugs has a generic version, since as of this writing both are still protected by international patents.)
In many ways this site is similar to the My Canadian Pharmacy family of sites in terms of products offered and pricing, so the reader is directed to that entry for the basics of the pharmaceuticals, the ordering process and the claims made. Most are either completely identical or differ only very slightly.
As with My Canadian Pharmacy and numerous other illegal / fake pharmacy operations, nearly every single claim on the site is completely false. Their "How To Order" page outlines this series of steps and makes the same claim as MCP sites that "All orders are received via a secure server, to ensure that your sensitive information is kept private and to guarantee you peace of mind."
As we will discover below: this is 100% false.
Operator Identification
It has been alleged for many years that the operator of Pharmacy Express is one Leo Kuvayev, head of a spamming organization known as BadCow. At this writing, Leo Kuvayev is the #2 spammer in the world according to the Spamhaus ROKSO listing, second only to Alex Polyakov, who is linked to numerous articles in this wiki.
Pharmacy Express is likely linked to the renowned criminal spamming gang known as Yambo Financials, which has ties to several criminal activities including child pornography and credit card fraud. They are responsible for the relentless My Canadian Pharmacy spam runs which are sent to millions of email users every single day.
Kuvayev also has ties to a group known as the "Pavka / Artofit" spam gang (Spamhaus ROKSO Link) who have further ties to all manner of illegal activity involving spam, viruses, Trojans, botnets, the creation and distribution of child and bestiality pornography, and of course money laundering and numerous other types of financial fraud.
As with most of the ROKSO top spammers, there are numerous court orders and judgements against Kuvayev, including an outstanding $37 million (USD) fine resulting from a 2005 trial launched by the US Attorney General. Numerous law enforcement groups have been attempting to locate, arrest and incarcerate Mr. Kuvayev since October, 2005, all to no avail. He remains at large and none of this has apparently hindered his rampant spamming practices. It is thought that on an average day, Kuvayev's operations spam over 40 million email addresses, often hitting the same target more than once in the same day.
Website Claims
The claims made on the PE sites are virtually identical to those made on most MCP websites, so it is recommended that the reader visit that entry for further details. It lists the same "supporters" (including the appearance of the ubiquitous Better Business Bureau icon) and makes the same claims of security. All patently false.
Website Structure And Domain Names
The PE site structure is slightly different from that of MCP sites, but in terms of user flow and captured data it is virtually identical. In the time period between November 2006 and January 2007 these sites underwent a structural and functional overhaul from the .NET infrastructure to a PHP / MySQL implementation.
They similarly use public Unix servers to host their websites and images, as well as their DNS servers.
One additional item that greatly separates this spam operation is its sophisticated use of extremely large botnets.
In November, 2006, the security company "F-Secure" posted in their security blog about a recent discovery made while investigating the recent bout of "Warezov" botnet infections. (F-Secure Blog Entry) They noted that the infection Trojan for the Warezov virus was attempting to connect to a specific unpronounceable domain name:
Once the downloader is executed on a computer, it connects to a download URL. A typical URL would be, for example: www6.vedasetionkderun.com/819/nt.exe or yuhadefunjinsa.com/chr/grw/lt.exe
They made a direct connection between the virus distribution URL, the spamvertised URLs, and the website URLs for several Pharmacy Express websites.
This is significant because literally every single PE domain at the time looked like that style of URL:
http://www.waseruijingunhdefunkas.com/ http://www.keruijingendasunjasn.com/ http://www.qeuitiondekinjastunde.com/ http://www.wadefuntionkdeunhasbeitun.com/ etc...
This had been the case with their domain names for close to three years, indicating a well-entrenched pattern of Windows virus infections tied to automated domain registrations for Pharmacy Express specifically. Their domain names are clearly produced by an algorithm that strings word syllables together in random order. On any given day, up to 100 such domains were being registered with multiple domain registrars by automated means, and all of them followed that structure.
Recent Domains
Feb. 2008:
Spammed url:
http://search.yahoo.com/search?y=Search&p=ascorbic.autoallyear%2ecom&fr=sfp&ei=UTF-8
Redirects to:
http://ascorbic.autoallyear.com
Which loads a frameset featuring:
http://ascorbic.autoallyear.com/www/filiz/?cmpid=678&affid=5563
Site loads all images from oleroneg.info:
http://www.oleroneg.info/ohpaN4ei/70/imgs/pr2_1.jpg
http://www.oleroneg.info/ohpaN4ei/70/imgs/pr2_4.jpg
http://www.oleroneg.info/ohpaN4ei/70/imgs/pr2_3.jpg
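Both tricks this article documents, the "Replace ',' with '.'" instruction in the sample e-mails and the Yahoo search wrapper around the Feb. 2008 spammed URL, hide the real host from an automatic parser while a human can still follow the link. The Python below is an added example for this article (not part of SpamCop, the Complainterator or the wiki) that undoes both so the spamvertised host can be extracted for a report; the sample bodies are constructed from the article's own quoted text.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# The spam tells its human reader how to repair the link ('Replace "," with "."'),
# so we read that instruction back and apply it mechanically to every link.
REPLACE_RE = re.compile(r'Replace\s+"(.)"\s+with\s+"(.)"', re.IGNORECASE)
LINK_RE = re.compile(r'(?:https?://|www\.)\S+')          # a link, up to whitespace
HOST_RE = re.compile(r'[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}')


def deobfuscate_links(body: str) -> List[str]:
    """Return the real hostnames an obfuscated spam body points at, after
    applying every "Replace X with Y" instruction in the body to each link."""
    substitutions = REPLACE_RE.findall(body)
    hosts = []
    for link in LINK_RE.findall(body):
        for bad, good in substitutions:
            link = link.replace(bad, good)
        if not link.lower().startswith("http"):
            link = "http://" + link          # urlsplit needs a scheme to see the host
        host = (urlsplit(link).hostname or "").rstrip(".").lower()
        if HOST_RE.fullmatch(host):          # drop anything that still is not a host
            hosts.append(host)
    return hosts


def unwrap_search_redirect(url: str) -> Optional[str]:
    """For the Yahoo search wrapper used in the Feb. 2008 runs
    (search.yahoo.com/search?...&p=<target>...), return the percent-decoded
    target host the search lands on; None for any other URL."""
    parts = urlsplit(url)
    if parts.hostname != "search.yahoo.com":
        return None
    target = parse_qs(parts.query).get("p", [None])[0]
    return unquote(target).lower() if target else None


# Constructed samples, copied from the two e-mail bodies and the spammed URL above.
SAMPLE_1 = ('Hi, Vniagra 3, 35 Cnialis 3, 75 http://agnosti.22rx,com '
            'Important: Replace "," with "." in the above link')
SAMPLE_2 = 'Hi, Economize 50% on Vaiagra http://www.tetrx-com Replace "-" with "." in the above link.'
SAMPLE_SEARCH = "http://search.yahoo.com/search?y=Search&p=ascorbic.autoallyear%2ecom&fr=sfp&ei=UTF-8"

if __name__ == "__main__":
    print(deobfuscate_links(SAMPLE_1), deobfuscate_links(SAMPLE_2))  # ['agnosti.22rx.com'] ['www.tetrx.com']
    print(unwrap_search_redirect(SAMPLE_SEARCH))                      # ascorbic.autoallyear.com
```

The asterisk variant mentioned in the note above is handled by the same instruction parser, since the substitution characters are read from the message rather than hard-coded.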
As of Feb 2007 they had switched to shorter domain names. The reasoning for this is unknown. It's possible they might have exhausted all the "syllable" domain names. Starting in December of 2006 the PE domain names began taking on a shorter, more sequential naming convention:
| 22rx.com * | 33rx.com * | 44rx.com * |
| lodrx.com * | zodrx.com | ledrx.com |
| vedrx.com * | tetrx.com | kedrx.com * |
| tedrx.com | zonrx.com | rx555.com * |
| hodrx.com |
Note: * Removed March 14, 2007
However, notably, their DNS servers still maintain the longer, randomized syllable naming convention. As at Feb 2007, the DNS servers for 22rx, tedrx, lodrx etc. were:
ns0.kerunhandgunfandesikuntun.com ns0.adesuikintandefunhandesun.com
The sponsor for the access to these illegal websites is the ICANN accredited PRC Registrar, Beijing Innovative Linkage Technology.
As at March 10, 2007 these name servers no longer worked. New name servers registered again with Beijing Innovative were
ns0.terinyungandefunhanse.com [216.195.34.107] ns0.gandesuitungenfunhandesun.com [216.195.34.107]
In April, more new name servers registered were
ns.waseruntionkinyungands.com ns.daseruikiontungandesun.com ns0.frankintionhandefunpionkin.com ns0.daserunhgenfunyanderunjans.com ns0.caseruikiontungandesun.com ns0.daseruiyionkdefunhan.com ns0.pasdrtionkintungandesunjin.com ns0.deryandsuikiontunhandes.com
Chinaemail is aware of the problem, and has even listed 22rx.com in its spam tracking (Jan 2007).
Given that several virus types also use this type of domain name for their command and control, and for installation instructions, it is safe to say that no human being was creating those unique domain names.
Redirections
Microsoft spaces.live.com
Each spaces.live.com URL spammed provides a web page on Microsoft's abused service that will redirect to one of a range of spam brands. Each brand represents an illegal web site that indulges in fraud and misrepresentation. It is strongly recommended that visitors do not provide their identity and credit card details on any of these sites. They are run by criminals who use credit cards to order domain names for spamming, or to sell stolen identities within their own "carding" community. Pharmacy Express is one of several brands targeted.
Storm Trojan
As at March 21, 2008, Storm Trojan infected machines were found to be redirecting to four different fake pharmacy sites using the format http://xxx.xxx.xxx.xxx/anything/
- Pharmacy Express
- ED Express
- United ED Meds
- Canadian Pharmacy
For Pharmacy Express, the redirection sites detected were daysidehomes.com flipsidesite.com thestarside.com sideeventsonline.com
How to report this spam
The Complainterator is configured to request removal of these fraudulent sites. Add a link to this page as evidence.
Related sites
In 2007: The same name servers were used to resolve both Pharmacy Express and Your Online Pharmacy sites. For example:
- ns0.pasdrtionkintungandesunjin.com
- ns0.deryandsuikiontunhandes.com
These are used to resolve access to
- Pharmacy Express
- xrzu.com
- mudrx.com
- pudrx.com
- Your Online Pharmacy
- 2211122.com
- dodrx.com
- kodrx.com
- gudrx.com
- xodrx.com
Sharing the same IP Address
- Pharmacy Express
- ED Express
- Viagra Express