Fraud Reports Wiki
==Description==
 
 
{|
 
|
 
|This is one of several new fake pharmacy sites first observed in July 2007 and which are part of the [[Rx-Promotions]] affiliate program. This program was described in detail together with screen shots of the different themes by [http://www.nartv.org/2010/12/23/rx-promotion-a-pharma-shop/ Nart Villeneuve].
 
 
* [[Any RX Tabs]]
 
* Always Great - <nowiki>http://always-great.com/</nowiki>
 
* [[Canadian Online Meds]] - <nowiki>http://canadianonlinemedicine.com/</nowiki>
 
* [[Canadian Online Pharmacy]]
 
* Cheap Meds List - <nowiki>http://cheap-meds-list.com/</nowiki>
 
* Drugs For Us - <nowiki>http://drugsforus.com/</nowiki>
 
* Golden StethoScope - <nowiki>http://golden-stethoscope.com/</nowiki>
 
* Great RX Pharmacy - <nowiki>http://great-rx-pharmacy.com/</nowiki>
 
* Health-Refill - <nowiki>http://healthreorder.com/</nowiki>
 
* Health Online Leader - <nowiki>http://health-online-leader.com/</nowiki>
 
* HealthRefill
 
* Internet Drugs Pedia - <nowiki>http://i-drugspedia.com/</nowiki>
 
* MedrugsPlus - <nowiki>http://med-drugs-plus.com/</nowiki>
 
* Meds For Us - <nowiki>http://meds-for-us.com/</nowiki>
 
* Meds Leader - Top Online Pharmacy Supplier - <nowiki>http://medicleader.com/</nowiki>
 
* Men Drugs Shop - <nowiki>http://drugsshopformen.com/</nowiki>
 
* Number One Clinic - <nowiki>http://numberoneclinic.com/</nowiki>
 
* [[Pure RX Shop]]
 
* RX Pharmacy Center - <nowiki>http://rxpharmacy-center.com/</nowiki>
 
* RXED On Green - <nowiki>http://rxed-on-green.com/</nowiki>
 
* StallionsRX - <nowiki>http://stallionsrx.com/</nowiki>
 
* Star Of Health - <nowiki>http://star-of-health.com/</nowiki>
 
* [[The Canadian Rx Drugs]] - <nowiki>http://canadianrx-drugs.com/</nowiki> and <nowiki>http://herbiedrugs.com/</nowiki>
 
* [[The US Drugs]] - <nowiki>http://the-us-drugs.com/</nowiki> (different from the [[Bulker.biz]] brand US Drugs)
 
* Trusted Meds Online - <nowiki>http://trusted-drugs-online.com/</nowiki>
 
* World Of Drugs - <nowiki>http://world-of-drugs.com/</nowiki>
 
 
Visitors to these sites are cautioned against placing an order for any of the products advertised. With so much obvious fraud in the set up of the web sites, any reasonable person would be justified in having doubts about passing identity and credit card details to such blatant fraudsters.
 
 
The contact page has a form for inquiries as well as a phone number (currently 1-800-998-7978) and the mailto link. The website also displays this phone number for customer support, giving the appearance of legitimacy. Read on to see how legitimate the sites are.
 
|}
 
{|
 
|-
 
| align="right" valign="top" |[[Image:CanadianRXDrugs.jpg|top|thumb|none|Canadian RX Drugs, July, 2007]]
 
|[[Image:CanadianRXDrugs_trailer.jpg|top|thumb|none|Fake certificates, Canadian RX Drugs, July, 2007 ]]
 
|}
 
{|
 
|[[Image:TheCanadianRx.jpg|top|thumb|none|Canadian Rx 2010]]
 
|[[Image:The_Canadian_RX.April2010.jpg|top|thumb|none|Canadian Rx Drugs April 2010]]
 
|[[image:Canadian_Online_Pharmacy.jpg|top|thumb|Canadian Online Pharmacy June 2010]]
 
|[[image:Canadian_RX_Drugs_4.jpg|top|thumb|web site Oct 2011]]
 
|-
 
|[[image:Canadian_RX_Drugs_2.jpg|top|thumb|web site Feb 2011]]
 
|[[image:Canadian_RX_Drugs_3.jpg|top|thumb|web site Jan 2011]]
 
|[[image:RX_Promotions.jpg|top|thumb|web site Sept 2011]]
 
|[[image:Canadian_RX_Drugs_other.jpg|top|thumb|web site Oct 2011]]
 
|-
 
|}
 
 
==False Pretenses==
 
===False: Secure link claim===
 
{|
 
|The site claims to take your credit card over a secure connection, and indeed, the checkout page was using
 
https://secure.payment-rx.com/checkout_gw4.pl?xml=1&site_id=51
 
 
Where was this secure payment system registered? 2007 info showed
 
Domain Name: PAYMENT-RX.COM
 
Registrar: BIZCN.COM, INC.
 
Whois Server: whois.bizcn.com
 
Referral URL: <nowiki>http://www.bizcn.com</nowiki>
 
Name Server: NS3.CNMSN.COM
 
Name Server: NS4.CNMSN.COM
 
Status: clientDeleteProhibited
 
Status: clientTransferProhibited
 
Updated Date: 28-nov-2006
 
Creation Date: 28-nov-2006
 
Expiration Date: 28-nov-2007
 
 
It was registered with a Chinese registrar, frequently abused by spammers and criminal fraudsters.
 
 
Who was the registrant?
 
Registrant Contact:
 
galen Inc
 
kevin fairlie donavon@payment-rx.com
 
1000707733 fax: 1000285717
 
Suite 522
 
Manama Manama 6372
 
GB
 
Manama is the [http://en.wikipedia.org/wiki/Manama capital city in Bahrain] and has phone prefix +973 and 8-digit local phone numbers. Manama is certainly not in GB (Great Britain).
 
 
It is currently registered with Privacy Protection, another bad sign. A real pharmacy has to have a real location. If it's a real pharmacy and they aren't hiding from law enforcement, why can't they register the domain at that location?
 
 
This secure page currently displays the following statement:
 
For your convenience in case of any questions or concerns feel free to contact our Customer
 
 
In 2007, when first observed, the support domain was pharmacycs.com.
 
 
Who was the registrar for pharmacycs.com?
 
Domain Name: PHARMACYCS.COM
 
Registrar: BIZCN.COM, INC.
 
Whois Server: whois.bizcn.com
 
Referral URL: <nowiki>http://www.bizcn.com</nowiki>
 
Name Server: NS3.CNMSN.COM
 
Name Server: NS4.CNMSN.COM
 
Status: clientDeleteProhibited
 
Status: clientTransferProhibited
 
Updated Date: 28-nov-2006
 
Creation Date: 28-nov-2006
 
Expiration Date: 28-nov-2007
 
 
Who was the registrant?
 
Registrant Contact:
 
gabe Inc
 
noland rudie felix@pharmacycs.com
 
1000080971 fax: 1000441258
 
Suite 430
 
Athens Athens 1290
 
GB
 
 
Note the similarity in fake company names (galen and gabe) and fake phone numbers, and now we have Athens geographically misplaced in Great Britain.
 
 
{|
 
|In January 2010, BIZCN withdrew the secure server:
 
Domain Name: PAYMENT-RX.COM
 
Registrar: BIZCN.COM, INC.
 
Whois Server: whois.bizcn.com
 
Referral URL: <nowiki>http://www.bizcn.com</nowiki>
 
Name Server: NS1.PENDING-RENEWAL-DOMAIN.COM
 
Name Server: NS2.PENDING-RENEWAL-DOMAIN.COM
 
Status: redemptionPeriod
 
Updated Date: 08-jan-2010
 
 
The criminals continued to claim the connection was secure, with pictures of secure connections, but the actual connection was not secure. [[image:Canadian_Rx_Drugs_SSL2.jpg]]
 
Note the faked padlock with "Secure order form" and the subtitle "Secure card transaction" - which it was not.
 
Note the "Positive SSL" logo, where the site was not using SSL.
 
Note the depiction of an address bar with "https://" - which would normally indicate a secure connection.
 
But note that in actual fact the page was using "http://" not "https://". They were trying to defraud you.
 
|[[image:Canadian_Rx_Drugs_SSL.jpg|thumb]]|[[image:Canadian_RX_notSSL.jpg|thumb]]
 
|}
 
 
The site is now using the slightly different domain paymentrx.com, registered with eNom, and with SSL -- for as long as that lasts. But they have tipped their hand that they are willing to use deception to be able to take money while transmitting your medical information and credit card number in plain view.
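
The mismatch described above, between on-page claims of security and the scheme actually in use, can be checked mechanically. The following Python is an added example, not part of the original wiki article; the function names, the claim pattern and the sample page (a constructed URL and constructed HTML) are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Wording and image names that assert a protected connection (illustrative pattern).
CLAIM = re.compile(r"secure|ssl|https://", re.I)

class CheckoutScan(HTMLParser):
    """Collect form targets plus any text or image attribute that claims security."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_targets = []
        self.claims = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page itself.
            self.form_targets.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "img":
            for key in ("alt", "src", "title"):
                if a.get(key) and CLAIM.search(a[key]):
                    self.claims.append(a[key])

    def handle_data(self, data):
        text = data.strip()
        if text and CLAIM.search(text):
            self.claims.append(text)

def audit_checkout(page_url, html):
    """Flag a page that claims security while it, or its form target, is not HTTPS."""
    scan = CheckoutScan(page_url)
    scan.feed(html)
    cleartext = [u for u in [page_url, *scan.form_targets]
                 if urlparse(u).scheme != "https"]
    return {"claims": scan.claims, "cleartext": cleartext,
            "deceptive": bool(scan.claims) and bool(cleartext)}

# Constructed sample modelled on the screenshots described above.
SAMPLE_URL = "http://checkout.example/order"
SAMPLE_HTML = """
<html><body>
<img src="/img/padlock.png" alt="Secure order form">
<p>Secure card transaction</p>
<img src="/img/positive-ssl.gif">
<form action="/pay" method="post"><input name="card_number"></form>
</body></html>
"""

if __name__ == "__main__":
    print(audit_checkout(SAMPLE_URL, SAMPLE_HTML))
```
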
 
 
'''September 2011'''
 
 
At the bottom of the page is the "Support" link
 
http://www.rx-order-support.com/ but when you try to go there:
 
 
Server not found
 
Firefox can't find the server at http://www.rx-order-support.com.
 
 
Looking up the domain name for the support for RX Promotions -
 
Domain Name: RX-ORDER-SUPPORT.COM
 
Registrar: INTERNET.BS CORP.
 
Name Server: NS-CANADA.TOPDNS.COM
 
Name Server: NS-UK.TOPDNS.COM
 
Name Server: NS-USA.TOPDNS.COM
 
Status: clientTransferProhibited
 
Updated Date: 09-aug-2011
 
Creation Date: 09-aug-2011
 
 
Those name servers do not contain any information about the support site, which leads to the conclusion that it has been withdrawn:
 
ns-usa.topdns.com [216.67.232.70] [Says that there is no a record for rx-order-support.com]
 
ns-canada.topdns.com [67.212.92.253] [Says that there is no a record for rx-order-support.com]
 
ns-uk.topdns.com [83.170.72.109] [Says that there is no a record for rx-order-support.com]
 
 
'''April 2010'''
 
{|
 
|The "secure payments" system was observed to have become non-secure, still with the usual fake images. The web site handling the non-secure credit card transaction was observed as <nowiki>http://www.finleymed.ru/</nowiki> registered in Russia and hosted in Viet Nam.
 
 
domain: FINLEYMED.RU
 
nserver: ns1.prnservme.ru.
 
nserver: ns2.prnservme.ru.
 
nserver: ns3.prnservme.ru.
 
nserver: ns4.prnservme.ru.
 
state: REGISTERED, DELEGATED, VERIFIED
 
person: Private Person
 
phone: +7 926 8787645
 
e-mail: malogrig@list.ru
 
registrar: NAUNET-REG-RIPN
 
created: 2010.04.21
 
paid-till: 2011.04.21
 
 
|[[image:Canadian_RX_insecure.jpg|thumb]]
 
|}
 
 
'''Oct 2010'''
 
{|
 
|Secure processing was provided by rxfastpay.com - a domain registered with eNom via their reseller Namecheap.com:
 
Domain Name: RXFASTPAY.COM
 
Registrar: ENOM, INC.
 
Whois Server: whois.enom.com
 
Referral URL: <nowiki>http://www.enom.com</nowiki>
 
Name Server: DNS1.REGISTRAR-SERVERS.COM
 
Name Server: DNS2.REGISTRAR-SERVERS.COM
 
Name Server: DNS3.REGISTRAR-SERVERS.COM
 
Name Server: DNS4.REGISTRAR-SERVERS.COM
 
Status: clientTransferProhibited
 
Updated Date: 26-oct-2010
 
Creation Date: 26-oct-2010
 
Expiration Date: 26-oct-2011
 
 
The domain used for the support line is drugssupport24.com, registered in India at the end of 2010:
 
Domain Name: DRUGSSUPPORT24.COM
 
Registrar: SUN MOUNTAIN LLC
 
Whois Server: whois.sunmounta.in
 
Referral URL: <nowiki>http://www.sunmounta.in</nowiki>
 
Name Server: NS1.BODIS.COM
 
Name Server: NS2.BODIS.COM
 
Status: clientTransferProhibited
 
Updated Date: 28-dec-2010
 
Creation Date: 27-dec-2010
 
|[[image:Canadian_RX_Drugs_Security.jpg|thumb]]
 
|}
 
 
===False: Claims to have "Pharma Checker" approval===
 
 
 
The fraud continues. Sites pretend to be authenticated by [http://www.pharmacychecker.com/ Pharmacy Checker] - which they are not. So they set up a link to a fake ''Pharma Checker'' instead of the genuine ''Pharmacy Checker''. Notice the fake logo on the left, compared with the genuine one on the right.
 
{|
 
|-
 
|[[image:Pharma_Checker.jpg]]
 
|[[image:Pharmacy_Checker.jpg]]
 
|-
 
| The fake seal - ''Pharma'' Checker || The genuine seal - ''Pharmacy'' Checker
 
|-
 
|}
 
 
'''Pharmacy Checker response'''
 
 
 
We do not endorse this company and they are not affiliated with PharmacyChecker.com
 
in any manner. The PharmacyChecker.com seal that they publish (“Pharma Checker”) is
 
an unauthorized and adulterated copy.
 
 
Donna Miller, Customer Services
 
 
----
 
 
===False: Claim of "CIMA Rx" approval===
 
{|
 
|The link to the ''Canadian International '''Medical''' Association'' is a very interesting innovation. No such association actually exists. The criminal who designed the site hoped nobody would notice the subtle name change from the real ''Canadian International '''Pharmacy''' Association''.
 
If you click the image, you see that it is not even a link.
 
|}
 
{|
 
|-
 
|[[image:CanadianRXDrugs_trailer.jpg]]
 
|[[image:CIPA_seal.gif]]
 
|-
 
| The fake seal - Canadian International ''Medical'' Association || The genuine seal - Canadian International ''Pharmacy'' Association
 
|-
 
|}
 
 
----
 
 
===False: Claim to be Canadian===
 
#Registrant addresses, when any are provided at all, are never verifiable Canadian or even US addresses.
 
#Name servers have IP addresses that show they are located in the Czech Republic or the Ukraine.
 
#Web sites have been located at IP address 210.211.98.50, which is located in Viet Nam:
 
inetnum: 210.211.96.0 - 210.211.127.255
 
netname: VTDC-VNNIC-VN
 
descr: Viettel-CHT Company Ltd
 
descr: Hoa Lac Hitech Park, Km29, Lang Hoa Lac Road
 
descr: Thach That, Ha Noi
 
country: VN
 
 
===Lack of Pharmacist Oversight===
 
Numerous affiliate programs' pharma sites have begun competing for customers by putting "free Viagra" in the electronic shopping cart with every item ordered. (It's actually not real Viagra; whether it is even generic sildenafil is questionable.) Like the others, the Rx-promotions sites betray their complete lack of involvement of anyone with even the most minimal pharmacy training by including the "Viagra" when someone orders nitrate drugs -- a '''potentially lethal interaction'''. There is more detail in the wiki article for [http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy#No_Pharmacist_Oversight Canadian Pharmacy] and there is a photo documenting this practice [http://spamtrackers.eu/wiki/index.php/Image:CanadianRxDrugsImdur.jpg here.]
 
 
===Invalid contact details===
 
[[image:Canadian_RX_Contacts.jpg]]
 
 
The domain name in this contact has been suspended by the registrar:
 
Domain Name: DRUGSSUPPORT24.COM
 
Registrar: ENOM, INC.
 
Whois Server: whois.enom.com
 
Referral URL: <nowiki>http://www.enom.com</nowiki>
 
Name Server: BLOCKEDDUETOSPAM.PLEASECONTACTSUPPORT.COM
 
Name Server: DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM
 
Status: '''clientHold'''
 
Updated Date: 14-apr-2010
 
Creation Date: 09-oct-2009
 
Expiration Date: 09-oct-2010
 
 
[[image:Canadian_RX_affiliates.jpg]]
 
 
Affiliates also will have a problem making contact. The affiliates' web site has been suspended by the registrar:
 
Domain Name: SPAMPROMO.COM
 
Registrar: TODAYNIC.COM, INC.
 
Whois Server: whois.todaynic.com
 
Referral URL: <nowiki>http://www.NOW.CN</nowiki>
 
Name Server: NS3.01ISP.COM
 
Name Server: NS4.01ISP.NET
 
Status: '''clientHold'''
 
Status: clientTransferProhibited
 
Updated Date: 27-dec-2009
 
Creation Date: 17-dec-2008
 
Expiration Date: 17-dec-2010
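
The registrar actions documented in this article (the January 2010 redemptionPeriod record for PAYMENT-RX.COM and the clientHold records above) can be read out of WHOIS text mechanically. The following Python is an added example, not part of the original wiki article; the function names and the two indicator lists are this example's own choices, and the sample records are trimmed copies of WHOIS output quoted on this page.

```python
from datetime import datetime

HOLD = {"clienthold", "serverhold"}   # EPP statuses that pull a domain out of DNS
# Name-server suffixes seen in this page's records after the registrar stepped in.
PLACEHOLDER_NS = ("pending-renewal-domain.com", "pleasecontactsupport.com")

def parse_whois(text):
    """Parse 'Key: value' lines into {key: [values]}, dropping wiki bold quotes."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        value = value.replace("'''", "").strip()
        if sep and value:
            rec.setdefault(key.strip().lower(), []).append(value)
    return rec

def whois_flags(text):
    """Return the domain, the takedown indicators found, and the last-update date."""
    rec = parse_whois(text)
    statuses = {s.lower() for s in rec.get("status", [])}
    flags = []
    if statuses & HOLD:
        flags.append("hold")
    if "redemptionperiod" in statuses:
        flags.append("redemption")
    if any(ns.lower().endswith(PLACEHOLDER_NS) for ns in rec.get("name server", [])):
        flags.append("placeholder-ns")
    updated = rec.get("updated date")
    when = datetime.strptime(updated[0], "%d-%b-%Y").date() if updated else None
    return {"domain": rec["domain name"][0].lower(), "flags": flags, "updated": when}

# Records copied from the WHOIS output quoted on this page (fields trimmed).
RECORDS = {
    "payment-rx": """Domain Name: PAYMENT-RX.COM
Name Server: NS1.PENDING-RENEWAL-DOMAIN.COM
Name Server: NS2.PENDING-RENEWAL-DOMAIN.COM
Status: redemptionPeriod
Updated Date: 08-jan-2010""",
    "drugssupport24": """Domain Name: DRUGSSUPPORT24.COM
Name Server: BLOCKEDDUETOSPAM.PLEASECONTACTSUPPORT.COM
Status: '''clientHold'''
Updated Date: 14-apr-2010""",
    "rxfastpay": """Domain Name: RXFASTPAY.COM
Name Server: DNS1.REGISTRAR-SERVERS.COM
Status: clientTransferProhibited
Updated Date: 26-oct-2010""",
}

if __name__ == "__main__":
    for text in RECORDS.values():
        print(whois_flags(text))
```
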
 
 
The web site at gives the contact address for Canadian RX Drugs as
 
Suite 2, Portland House, Glacis Road, Gibraltar which is [http://www.flickr.com/photos/lancashire/3918429721/ depicted in a photograph]
 
This address can also be found in a Google search:
 
* [http://forums.malwarebytes.org/index.php?showtopic=4701 Rogue antivirus distributor]
 
* [http://answers.google.com/answers/threadview?id=437261 Registered address of an Adult web site provider]
 
It has the IP address 91.212.135.134, which is located in Russia:
 
 
inetnum: 91.212.135.0 - 91.212.135.255
 
netname: YABA-NET
 
descr: YabaMedia Ltd
 
country: RU
 
 
organisation: ORG-YL4-RIPE
 
org-name: YabaMedia Ltd
 
org-type: OTHER
 
address: Shipilovskaya st. 18/1
 
address: Moscow, 120312, Russia
 
e-mail: alexander@yabadaba.ru
 
 
person: Alexander Andreev
 
address: Shipilovskaya st. 18/1
 
address: Moscow, 120312, Russia
 
phone: +7 925 8782503
 
e-mail: alexander@yabadaba.ru
 
 
==FDA Warning Letter==
 
The US Food and Drug Administration (FDA) issued an [http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/ucm229010.htm official Warning Letter] on October 8, 2010.
 
Inspections, Compliance, Enforcement, and Criminal Investigations
 
TO: support@rx-drugs-support.com
 
FROM: Food and Drug Administration Internet Pharmacy Task Force
 
RE: Internet Marketing of Unapproved and Misbranded Drugs
 
DATE: October 8, 2010
 
 
Included in the letter were these Canadian Online Pharmacy sites, still operating 6 weeks later despite a deadline of 15 working days -
 
* buy-oxycontin.us
 
* buyoxycontin.us
 
* buyoxycontinonline.us
 
* cheapoxycontin.us
 
* orderoxycontin.us
 
* oxycontin-without-prescription.us
 
* oxycontinbuy.us
 
* oxycontinnoprescription.us
 
* oxycontinwithoutprescription.us
 
 
Extract:
 
 
''Acomplia (rimonabant) is well-known as the name of a drug previously approved in the European Union. It has never been approved by FDA, and in June 2007, FDA’s Endocrinologic and Metabolic Drugs Advisory Committee unanimously voted not to recommend approval of the drug because of increased risk of neurological and psychiatric side effects including seizures, depression, anxiety, insomnia, aggressiveness, and suicidal thoughts among patients. ''
 
 
==Spam Examples==
 
 
Subject: Subject: Friend ''username'', enter our shop Izesgykeh
 
 
The evolution of insect wings has been a subject of debate.
 
Leung King, Tuen Mun Hospital, Fung Tei.
 
http://xhx.rodolfodrugs.ru/?f825f2b53cb-5b61a83626e8-d3d163de635
 
Dragonfly naiads use jet propulsion, forcibly expelling water out of their rectal chamber.
 
They included Wayne Gretzky, Mark Messier, Ken Linseman, and Mike Gartner.
 
http://q.rodolfodrugs.ru/?7df68546302e-e41641c38bc-1d52413b5d1
 
 
==Hosting Sites==
 
This has become a far more prevalent brand than before. In April 2010 the spam abuse rate increased to match or better that of [[Canadian Pharmacy]].
 
 
===Sample name server domains===
 
 
 
===URIBL lists of sites===
 
 
 
===Sample Name Server IP addresses===
 
 
'''CZ bad IPs''' - CERT email = cert@cert.cz
 
 
*90.176.146.222
 
*188.130.250.227
 
*193.104.106.81
 
*193.104.106.82
 
*193.104.106.85
 
 
'''UA bad IPs''' - CERT email = cert@cert.gov.ua
 
*91.206.201.6
 
*124.248.32.111
 
*193.104.12.125
 
*193.104.12.126
 
*193.104.12.127
 
*193.104.12.128
 
*202.165.179.23
 
 
==How to report this spam==
 
 
The [[Complainterator]] is configured to request removal of these fraudulent sites. Add a link to this page as evidence.
 
 
Send an email to the Czech and Ukraine country CERT teams at the email addresses shown above. Request that these illegal IP addresses be put in a routing black hole. Again, add a link here for the criminal evidence.
 
 
==Related spam operations==
 
 
Canadian Pharmacy and PharmSite share many similarities. A single agent may register domains for sale to multiple spam affiliate programs, so there may indeed be a connection. And there is likely plenty of plagiarism of things like images of fake seals.
 
 
 
[[Category:Well-known Spam]]
 
[[Category:Pharma spam]]|}
 