US Healthcare

From Spamwiki

Description

The front page of a US Health Care Inc. website
The US Health Care Inc. website 2009

US Health Care Inc. boldly claims "We care about your health." Based on all of the other sites of this type which we've described here, it is safe to say that nothing could be further from the truth.

This is yet another in the never-ending stream of illegal pharmacy operations, and it looks and acts much like all the rest of them. The key difference is that this set of sites does not appear to be hosted on hijacked servers, and its spamming techniques differ subtly, sometimes resembling several image spam attempts for "OEM software" websites.

There is a clearly discernible fingerprint for these sites. The registrant for its many domain names has a habit of using double characters in the naming convention. This is a common attribute for sites registered by one person or his associates - William Stanley.

William Stanley is listed in the Spamhaus Register of Known Spam Operations (ROKSO) in a detailed record which associates him with the Romanian Alexandru Andrei Stanciu. Another clearly established link is Robert Russo, who is possibly an alias, if not a close associate. These associations are also shown in an incident at the slantsix web site, where there was a campaign to remove his postings and discredit him to his clients. "Alex" the Romanian makes his appearance there, too.

US Healthcare has resorted as recently as September 2007 to using fast-flux hijacked web hosting. This lasted until October, when the sites reverted to single servers.

Spamhaus also attributes the ownership of some US Healthcare IP address space to ROKSO-listed William Stanley.

See just this one spam:

We have cheapest Cial1s S0ft T4bs and V1agra S0ft T4bs online.
Visit US He4lthc4re Inc. at: http://www.ikkealle.com/ 

ikkealle.com uses the following name servers:

Nameservers according to NS-records
Internal lookup Address Reverse Liststatus Country URIBL associated domains Comment
ns1.servwee22.com 193.200.50.96 193.200.50.96 Blacklisted Romania URIBL SBL57032 
ns2.servwee22.com 193.200.50.96 193.200.50.96 Blacklisted Romania URIBL SBL57032 
..
193.200.50.95 ns1.34seddel.com
193.200.50.96 ns1.servwee2.com


William Stanley appears in this link, that also ties him in to DefamationAction.com, a still active web site.

Part of his distinguishing fingerprint is the double characters in his domain names, such as ikkealle, servwee22, soewkijj, yyunerd, etc.

Spamhaus SBL58318 (http://www.spamhaus.org/sbl/sbl.lasso?query=SBL58318) has:

William Stanley / Ironserver.com.
www.soewkijj.com botnet spammer on dirty host
NS1.BRAVOO7.COM
NS2.BRAVOO7.COM

with more fingerprint names like bravoo7.com, crediwjj.com, spalokkw.com, suejwhh.com, etc.

He works in partnership with the Romanian, "Alex".

draculahosting.com has him as registrant:

Alexandru Andrei Stanciu
email stanciu.andrei@yahoo.com
Victoriei
Suceava, 5800
Romania
(555) 512-3323

A disgruntled ex-friend talks about him at a debian.org discussion forum.

William Stanley's "ironserver.com" was registered with Enom:

Domain Name: IRONSERVER.COM
Registrar: ENOM, INC.
Name Server: NS5.QEDTODAY.COM
Name Server: NS6.QEDTODAY.COM
Status: clientTransferProhibited
Updated Date: 18-sep-2007
Creation Date: 28-jun-2004

Its name server domain is registered with Gandi SAS, though the name servers NS5.QEDTODAY.COM and NS6.QEDTODAY.COM no longer exist.

Domain Name: QEDTODAY.COM
Registrar: GANDI SAS
Name Server: NS1.QEDTODAY.COM
Name Server: NS2.QEDTODAY.COM
Status: clientTransferProhibited
Updated Date: 27-apr-2007
Creation Date: 25-may-2006

The registrant is Qedmediadgroup LLC., whose listed contact person is none other than Robert Russo himself (see Spam-court archives and Spamhaus for the Stanley/Russo link).

Qedmediadgroup LLC.
Robert Russo
1124 Brighton Ave  Suite 27
04101
Portland
Maine
United States of America
+1.8662685588
admin@qedmediagroup.com

False Claims

Identity Confusion

The front page refers to the site and the company as US Healthcare Inc. The trailer has a copyright notice for US Healthcare Inc. But when you click on the "About Us" link, the site has an identity crisis. Now it refers to itself as OurGlobalPharmacy.

Secure Ordering

The "How to Order" link states:
All orders are received via a secure server, to ensure that your sensitive
information is kept private and to guarantee you peace of mind. 

To lend credibility to this claim, the trailer has the usual Verisign Secure Site logo. But this is a forgery. When you take the ordering to checkout, the page is using http, not the secure https. You are expected not only to provide your identity and credit card details to these criminals, but to do so over a non-secure link.

Copyright

When claiming a copyright for the site, these fraudsters didn't even take care to spell the name of their fictitious company correctly:

Copyright 2007 © US HEALTCARE INC.

Pharmacy Checker

Though the Pharmacy Checker logo is shown in the trailer, it is not a link to their site. Nor does this operation appear at the Pharmacy Checker site. This constitutes a fraudulent misuse of the Pharmacy Checker logo.

Better Business Bureau

Although the BBB logo is displayed, it is not a link to the Better Business Bureau, nor is this pharmacy listed at their site. This is another fraudulent misuse of the BBB logo.
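The checks described under Secure Ordering, Pharmacy Checker and Better Business Bureau can be automated. The following is an added example, not code from Spamwiki: it flags trust-seal images that are not links to their issuer and forms submitted over plain http. The keyword-to-issuer mapping, the `ClaimAuditor` and `audit` names and the sample HTML (host `pharmacy.example`) are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: keyword seen in a seal image's src/alt -> issuer domain it should link to.
SEAL_ISSUERS = {"verisign": "verisign.com",
                "pharmacychecker": "pharmacychecker.com",
                "bbb": "bbb.org"}

class ClaimAuditor(HTMLParser):
    """Flags trust seals that do not link to their issuer and forms posted over http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_scheme = urlparse(page_url).scheme
        self.link_host = ""      # host of the enclosing <a href>, "" if none
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.link_host = urlparse(a.get("href") or "").hostname or ""
        elif tag == "img":
            text = f"{a.get('src') or ''}|{a.get('alt') or ''}".lower().replace(" ", "")
            for key, issuer in SEAL_ISSUERS.items():
                linked = self.link_host == issuer or self.link_host.endswith("." + issuer)
                if key in text and not linked:
                    self.findings.append(f"seal:{key}:not linked to {issuer}")
        elif tag == "form":
            # A relative action inherits the scheme of the page that serves the form.
            scheme = urlparse(a.get("action") or "").scheme or self.page_scheme
            if scheme != "https":
                self.findings.append("form:submitted over http")

    def handle_endtag(self, tag):
        if tag == "a":
            self.link_host = ""

def audit(html, page_url):
    parser = ClaimAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed checkout page mirroring the claims described above (not the real site's HTML).
SAMPLE = """
<form action="/checkout" method="post"><input name="cardnumber"></form>
<img src="/img/verisign_secured.gif" alt="VeriSign Secured">
<a href="/index.html"><img src="/img/seal2.gif" alt="Pharmacy Checker"></a>
<img src="/img/bbb.gif" alt="BBB">
"""
```

A seal that does link to its issuer only passes the first check; whether the business is actually listed still has to be confirmed at the issuer's own site.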

Sample Spam

US Health Care Inc. spam message, July 2007
US Health Care Inc. spam message

Domain Name Servers

Typically uses name servers like

Sponsoring Registrars

  • Name IT Corp

ns1.regsett4.com ns2.regsett4.com

Domains: nnyyuuii.com, bbeetw.com, lebeben.com, deminisso.com, bebehuii.com


  • XIN Net

ns1.caccopt.com ns2.caccopt.com

Domains: uyrewe.com, poekiwjj.com, uyehbbe.com, uyrhehhe.com, yhruehh.com, ytrueujj.com

The most recent registrations for spammed sites using these name servers are for Prestige Replicas and US Healthcare Inc.
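The double-character fingerprint from the Description and the shared name servers listed above can be combined into one clustering check. The following is an added example, not code from Spamwiki: the domain and name-server pairs are copied from this page, while the `example.org` control row, the function names and the scoring threshold are assumptions made for illustration.

```python
from collections import defaultdict

# (domain, name server) pairs copied from the listings on this page, plus one
# constructed control row (example.org) that should not be flagged.
OBSERVED = [
    ("ikkealle.com", "ns1.servwee22.com"), ("soewkijj.com", "ns1.bravoo7.com"),
    ("nnyyuuii.com", "ns1.regsett4.com"), ("bbeetw.com", "ns1.regsett4.com"),
    ("lebeben.com", "ns1.regsett4.com"), ("deminisso.com", "ns1.regsett4.com"),
    ("bebehuii.com", "ns1.regsett4.com"), ("uyrewe.com", "ns1.caccopt.com"),
    ("poekiwjj.com", "ns1.caccopt.com"), ("uyehbbe.com", "ns1.caccopt.com"),
    ("example.org", "ns1.example.net"),
]

def label(host):
    """Label left of the TLD (naive: assumes a single-label TLD such as .com)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def doubled_runs(text):
    """Adjacent repeated characters: 'nnyyuuii' -> ['nn', 'yy', 'uu', 'ii']."""
    runs, i = [], 0
    while i < len(text) - 1:
        if text[i] == text[i + 1] and text[i].isalnum():
            runs.append(text[i] * 2)
            i += 2
        else:
            i += 1
    return runs

def cluster(observed, min_score=2):
    """Group domains by name-server domain; report groups where the doubled-character
    pattern recurs (in member domains and/or the name-server domain itself)."""
    groups = defaultdict(list)
    for domain, ns in observed:
        groups[".".join(ns.lower().rstrip(".").split(".")[-2:])].append(domain)
    report = {}
    for ns_domain, members in groups.items():
        flagged = sorted(d for d in members if doubled_runs(label(d)))
        score = len(flagged) + bool(doubled_runs(label(ns_domain)))
        if score >= min_score:
            report[ns_domain] = {"score": score, "flagged": flagged,
                                 "unflagged": sorted(set(members) - set(flagged))}
    return report

if __name__ == "__main__":
    for ns_domain, info in sorted(cluster(OBSERVED).items()):
        print(ns_domain, info)
```

Doubled letters are common in ordinary words, so the pattern is only a clustering signal; the shared name server is what pulls in members such as lebeben.com and uyrewe.com that lack it.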

How to Report this Spam

See Complainterator for the method to use.

If a registrar replies that you should be complaining to the company that "hosts the site" they are overlooking an important fact. As a company they have accepted a contract to register a domain name. If that domain name is being used for criminal purposes, a refusal to act on a complaint can be viewed as a deliberate decision to aid and abet a crime.

If this registrar replies that you should be filling in an ICANN Whois Data Problem Report System WDPRS form, they are overlooking an important fact. They have allowed this criminal to hide his details for the regsett4.com domain, thus removing the option to use a WDPRS report.

Related spam operations