- 1 Description
- 2 Acquisition of new spammers / mailers
- 3 Hijacked Unix / Linux Servers
- 4 Identity Theft and Credit Card Fraud
- 5 Unlawful practices
- 6 Products Bulker.biz / EvaPharmacy promotes
- 7 How these fraud families are related
- 8 Common IP addresses
EvaPharmacy (previously known as Bulker.biz) is the organization which sponsors spammers to promote sites within what has previously been referred to as the Yambo Financials group of web properties. These include My Canadian Pharmacy, International Legal RX, Canadian Health&Care Mall, US Drugs, Canadian Family Pharmacy, Canadian Family Pharmacy, Toronto_Drug_Store, RxExpressOnline, RxMedications and others.
This was learned from postings on bulkerforum.biz by username "ebulker", who would invite users to promote for their properties.
Please note that as of late 2008, they changed their domain name to bulkerbiz.com, since a rash of domain shutdowns terminated the bulker.biz domain. bulkerbiz.com still showed all the original branding of bulker.biz.
Bulkerbiz.com is now also terminated. On or around April 14th, 2009, bulkerbiz.com suddenly announced that they were yet again changing domains, leaving the ICQ address of the individual known as "ebulker" .
Site is closed. Please contact ICQ 333192431 for new address.
According to Knujon and LegitScript, the brands previously part of the Bulker.biz affiliate program are now part of an operation called "EvaPharmacy."
Eva Pharmacy brand websites were first discovered in 2007 loading content from Bulker.biz sites. User EvaPharmacy made the first announcement of an affiliate program by that name on the antichat.ru forum in November 2009.
Although the public terms of service for EvaPharmacy state that spamming is not permitted, the affiliate program buys ad banners on forums like antichat.ru, on which members openly discuss spamming and hacking.
The website for Bulker.biz, in contrast, openly advertised that affiliates were permitted to spam.
Acquisition of new spammers / mailers
Here is a posting from Mar. 14th, 2007 found on bulkerforum.biz, posted by ebulker. It directly connects this operation to the abovementioned sites, and outlines their commission structure:
ebulker Joined: 19 Sep 2006 Posts: 28 Posted: Wed Mar 14, 2007 10:00 am Post subject: Bulker.biz newsletter for February 2007. Last news: - New portal "Men's Health" is going to be launched next Monday! - "My Canadian Pharmacy" redesign will be rounded off soon. - Next popular products were added in February: norvasc, zyban, cymbalta ====== Features of Bulker.biz ========= Resemble our feautures: 1. Daily payouts for all the affiliates (or on demand) 2. We pay wires, WebMoney, and Fethard 3. Popular sites with a great choice of products and high ratio (beginning from 1:30) 4. 5% referral system 5. Free personal domains (ability to add your domains to our servers) 6. We pay probable refunds & chargebacks ourselves 7. Live support (icq, skype messenger & e-mail) 8. "Bonus Timer" program. Bonus-money for the three best affiliates EVERY DAY 9. Free geocities accounts ================ TOP Products ============================= - Viagra - Cialis Soft - Cialis + Viagra - Viagra Soft - Cialis - Ambien - Soma - HGH ================ TOP Domains =============================== - yahoo.com - aol.com - hotmail.com - comcast.net - sbcglobal.net - cox.net - earthlink.net - bellsouth.net - msn.com - gmail.com Best Regards, Bulker.Biz Team Mailto: firstname.lastname@example.org ICQ: 333192431 Skype: BulkerSupport _________________ Bulker biz is: - 40% affiliates comission - Lot of very popular pharma products - Daily payments All you need for huge earnings! ICQ: 333192431; e-mail: email@example.com
Hijacked Unix / Linux Servers
As discussed in the My Canadian Pharmacy entry in detail, Bulker.biz domains used in their spam campaigns were all hosted via hijacked, publicly owned Unix or Linux servers without their owners' knowledge or consent. This is achieved by gaining root access to these poorly-secured and often abandoned servers, and installing two custom-written Unix binaries known (as of this writing) as "tirqd" and "uirqd". These binaries act as proxy web hosts, drawing content from an as-yet-unknown third party server (tirqd), and a DNS proxy server (uirqd), often providing DNS services for hundreds of spamvertisable domains. This renders the cost of their web hosting to virtually zero, since they are in fact stealing the bandwidth from an unwitting third party who is unaware that their server has been compromised in any way.
Identity Theft and Credit Card Fraud
Bulker.biz / EvaPharmacy domains are routinely registered using the identity of an unwitting third party, using their name, address and phone number, and registering using their credit card. Information gathered via independent research has shown that in many cases these individuals are very ill and not computer literate, and often don't know what "domain registration" is. This research is ongoing but has uncovered several hundred such individuals who were unaware their contact information was used for the WHOIS data for hundreds of illicit "My Canadian Pharmacy" (and other bulker.biz / EvaPharmacy property) domains.
Notably the email address is always one which someone or some group at bulker.biz / EvaPharmacy have created to handle email questions only.
Drug Enforcement Administration
From DEA Consumer Alert
READ THIS BEFORE PURCHASING PRESCRIPTION DRUGS OVER THE INTERNET !!!
DEA Warning--Buying drugs online may be illegal and dangerous!
Federal law prohibits buying controlled substances such as narcotic pain relievers (e.g., OxyContin®, Vicodin®), sedatives (e.g., Valium®, Xanax®, Ambien®), stimulants (e.g., phentermine, phendimetrazine, Adderall®, Ritalin®) and anabolic steroids (e.g., Winstrol®, Equipoise®) without a valid prescription from your doctor. This means there must be a real doctor-patient relationship, which by most state laws requires a physical examination. Prescriptions written by "cyber doctors" relying on online questionnaires are not legitimate under the law.
Buying controlled substances online without a valid prescription may be punishable by imprisonment under Federal law. Often drugs ordered from rogue websites come from foreign countries. It is a felony to import drugs into the United States and ship to a non-DEA registrant.
Buying drugs online may not be only illegal, but dangerous. The American Medical Association and state boards of medicine and pharmacy have all condemned the practice of cyber doctors issuing online prescriptions as unacceptable medical care. Drugs delivered by rogue websites may be the wrong drugs, adulterated or expired, the wrong dosage strength, or have no dosage directions or warnings.
DEA is targeting rogue online pharmacies for prosecution and shutting down these illegal websites.
Food and Drug Administration
The FDA is working with a global law enforcement consortium -
- World Customs
- Department of Justice
- National health and law enforcement agencies from 99 participating countries
They have been vigorously pursuing the Eva Pharmacy sites, and using their powers to seize some of the more prevalent domains.
Examples of seizures:
They have issued a June 2013 press release explaining the operation.
Products Bulker.biz / EvaPharmacy promotes
The list of products known to be promoted by this sponsor are:
- Canadian Health&Care Mall
- My Canadian Pharmacy
- Canadian Neighbor Pharmacy
- Toronto Drug Store
- Canadian Family Pharmacy
- International Legal RX
- US Drugs
- US Pharmacy
- VIP Pharmacy ("Viagra + Cialis")
- Men Health (Men+ Health, Men's Health)
- Nutrition Mall (November 2016)
- OEM Software
- Exclusive Caviar Online
- Double Your Dating
When the Eva Pharmacy domains are set up as web sites, there are common factors which show that they are from the same people, the Eva Pharmacy gang.
As at November 19, 2014, most of these operations transferred to the same web server to perform the check-out operation.
They all transferred to the same site, safecheckoutrx.com with variations on the prefix
Domain Name: SAFECHECKOUTRX.COM Registrar: CJSC REGISTRAR R01 Registrant Name: Privacy protection service - whoisproxy.ru.
On November 23 2014 the checkout site was changed to smartpaymentrx.com on the same Russian registrar and the same Russian privacy protection.
It can be seen that Russian registrar R01.RU who protects over 1,650 Eva pharmacy fraud domains, and also protects the checkout operation.
Brands going through this checkout include
- Men's Health
- US Drugs
- Toronto Drugstore
- Canadian Family Pharmacy
- Canadian Neighbor Pharmacy
- My Canadian Pharmacy
- Canadian Health&Care Mall
The site has an SSL certificate issued by COMODO RSA and the connection uses 128-bit TLS 1.2 encryption issued Nov 19 2014 to *.safecheckoutrx.com with expiry Nov 20 2015.
An examination of the IP addresses of the name servers across the fraud families show that they are residing on the same IPs. Take one example, IP 188.8.131.52 in Buenos Aires, Argentina.
ns2.arnlxjze.ru ns2.hotaidservice.su ns2.hotmedsquality.su ns2.hotpilloutlet.su ns2.izgjnuyq.ru ns2.jwkteyvv.ru ns2.khharfjs.ru ns2.myhealthcareshop.ru ns2.mysafeinvestment.su ns2.newglobaleshop.su ns2.onlinerxelement.su ns2.pbcbxweq.ru ns2.smartnaturalinc.su ns2.smarttabletshop.su ns2.suanborr.ru ns2.xxfrdzop.ru
All of these name servers are authoritative for the domains across all of the Eva Pharmacy categories. That means they are owned by the same people.
An examination of the IP addresses used for hosting these fraud domains shows that all families share the same IPs. Take for example address 184.108.40.206 - six of the families shared it in June 2016 -
- Canadian Family Pharmacy
- Canadian Health&Care Mall
- Canadian Neighbor Pharmacy
- My Canadian Pharmacy
Common IP addresses
A quick way to verify these sites is to examine the hosting addresses. Note that * items have been removed. Many compromised hosts used for this operation during September 2020 - May 2021 were located at these IPs.
|- - - - - - - - - - -||- - - - - - - - - - -||- - - - - - - - - - -||- - - - - - - - - - -||- - - - - - - - - -|
Where to contact the compromised hosting ISP:
Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'email@example.com' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'firstname.lastname@example.org' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'email@example.com' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'email@example.com' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'email@example.com' (Removed) Abuse contact for '188.8.131.52 - 184.108.40.206' is 'firstname.lastname@example.org' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'email@example.com' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'email@example.com' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'email@example.com' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'firstname.lastname@example.org' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'email@example.com' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' (Removed) Abuse contact for '188.8.131.52 - 184.108.40.206' is 'email@example.com' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'email@example.com' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'firstname.lastname@example.org' (Removed) Abuse contact for '220.127.116.11 - 18.104.22.168' is 'email@example.com' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'email@example.com' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' 'email@example.com' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'email@example.com' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'email@example.com' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'firstname.lastname@example.org' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'email@example.com' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'email@example.com' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'email@example.com' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'firstname.lastname@example.org' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'email@example.com' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' 'email@example.com' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'firstname.lastname@example.org' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'email@example.com' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'email@example.com' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'email@example.com' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'firstname.lastname@example.org' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'email@example.com' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'email@example.com' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'email@example.com' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'firstname.lastname@example.org' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'email@example.com' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'email@example.com' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' 'email@example.com' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' Abuse contact for '188.8.131.52 - 184.108.40.206' is 'email@example.com' Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' Abuse contact for '22.214.171.124/26' is 'email@example.com' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'firstname.lastname@example.org' Abuse contact for '184.108.40.206 - 220.127.116.11' is 'email@example.com' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'firstname.lastname@example.org' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'email@example.com' Abuse contact for '184.108.40.206 - 220.127.116.11' is 'firstname.lastname@example.org' Abuse contact for '18.104.22.168 - 22.214.171.124' is 'email@example.com' Abuse contact for '126.96.36.199 - 188.8.131.52' is 'firstname.lastname@example.org' Abuse contact for '184.108.40.206' is 'email@example.com' syt.com web page Abuse contact for '220.127.116.11 - 18.104.22.168' is 'firstname.lastname@example.org' Abuse contact for '22.214.171.124 - 126.96.36.199' is 'email@example.com'
Here is a selection from over 500 live sites in October 2020, on the same IP
Domain name Fraud type Sponsoring Registrar aarenclaudetta.ru My Canadian Pharmacy R01-RU abbeclarinda.ru My Canadian Pharmacy R01-RU abigaleede.ru Canadian Health&Care Mall R01-RU addiesusan.ru My Canadian Pharmacy R01-RU adelaidastephi.ru My Canadian Pharmacy R01-RU adelicerebeca.ru My Canadian Pharmacy R01-RU adrianfarrah.ru Canadian Health&Care Mall R01-RU adrienalettie.ru My Canadian Pharmacy R01-RU agnesseeloise.ru Canadian Health&Care Mall R01-RU agnessejenifer.ru CanadianPharmacy R01-RU ... wilhelminacymbre.ru CanadianPharmacy R01-RU wilhelminekatlin.ru CanadianPharmacy R01-RU willabellareeva.ru Canadian Health&Care Mall R01-RU williecara.ru Canadian Health&Care Mall R01-RU winnahgwyn.ru Canadian Health&Care Mall R01-RU winnedarameara.ru CanadianPharmacy R01-RU winnierita.ru CanadianPharmacy R01-RU winniolivette.ru CanadianPharmacy R01-RU winnyminnaminnie.ru Canadian Health&Care Mall R01-RU xenaninalin.ru Canadian Health&Care Mall R01-RU
All of these frauds are registered with the same Russian registrar, and at one time they all shared the same hosting IP address. This supports the statement that all frauds come from the same perpetrators.
Selection of registrars
Historically, each family of fraud is spread over a common subset of registrars. For example, over the 2015 year, the most frequently abused registrars for the highest spammed families were
1764 PSI-USA, INC. DBA DOMAIN ROBOT (abandoned) 1749 TRUNKOZ TECHNOLOGIES PVT LTD. 1267 NETLYNX, INC. 978 NAMESILO, LLC (abandoned) 779 DOMAINCONTEXT, INC. 459 CLOUD GROUP LIMITED (abandoned)
1545 PSI-USA, INC. DBA DOMAIN ROBOT (abandoned) 1411 TRUNKOZ TECHNOLOGIES PVT LTD. 1026 NETLYNX, INC. (abandoned) 892 NAMESILO, LLC (abandoned) 370 CLOUD GROUP LIMITED (abandoned) 277 NAUNET-REG-RIPN
152 NAUNET-REG-RIPN 148 PSI-USA, INC. DBA DOMAIN ROBOT (abandoned) 114 TRUNKOZ TECHNOLOGIES PVT LTD. 91 NETLYNX, INC. (abandoned) 82 REGRU-REG-RIPN 68 CLOUD GROUP LIMITED (abandoned)
57 TRUNKOZ TECHNOLOGIES PVT LTD. 56 PSI-USA, INC. DBA DOMAIN ROBOT (abandoned) 23 NETLYNX, INC. (abandoned) 21 NAMESILO, LLC (abandoned) 10 CLOUD GROUP LIMITED (abandoned) 8 REGRU-REG-RIPN
26 PSI-USA, INC. DBA DOMAIN ROBOT (abandoned) 23 NETLYNX, INC. (abandoned) 11 NAMESILO, LLC (abandoned) 10 TRUNKOZ TECHNOLOGIES PVT LTD. 8 NAUNET-REG-RIPN 4 REGRU-REG-RIPN
By 2017/2018 most of these abused registrars were so effective in shutting them out, they were abandoned by the Eva perpetrators leaving R01.RU as the only sponsor.
Naming patterns are common across the whole family.
- One pattern comprises the concatenation of two forenames. For example -
aarenclaudetta.ru abbeclarinda.ru abigaleede.ru addiesusan.ru adelaidastephi.ru adelicerebeca.ru adrianfarrah.ru adrienalettie.ru agnesseeloise.ru agnessejenifer.ru
- Another pattern concatenates medical terms.
For example -
bestdrugstrade.su curativedrugdeal.ru curativedrugmart.su homedrugquality.com mydrugvalue.su torontodrugstore.su ... drugslevitrapills.com healthflu.com bioportfoliotabhealthcare.com medtabletandroid.com opioidherbalmeds.com apptabletmed.com ipadlistablet.com
- This pattern uses a common string, eg "lucky"
luckyremedyinc.ru luckytabsquality.su vannalucky.ru ...
- Another common string is "your"
yourbestreward.su yourfastservices.ru yourremedialmart.su yourtabletmall.ru ...
- Another common string is "hot"
excellenthotinc.ru excellenthotsale.su globalhotsale.su hotherbssupply.su hothotdeal.su hotmedsinc.ru hotnaturalshop.su hotpharmacyvalue.su magichottrade.su purehotquality.com
Other common naming strings are "magic" (magicgenericmart.su, magichottrade.su), "medical" (bestmedicalstore.su, medical-line.su, medicalfamilyinc.ru), "medicinal", "natural", "online", "organic", "perfect", "pure", "remedial", "safe", "secure", "smart", "trusted"
The identification of common naming patterns further demonstrates that all of these brands of frauds belong to the same perpetrators - the Eva Pharmacy gang. These commonly named domains spread across the full Eva brand family -
Canadian Health&Care Mall CanadianPharmacy My Canadian Pharmacy Canadian Neighbor Pharmacy Canadian Family Pharmacy Toronto Drugstore Canadian Family Pharmacy Online Pharmacy RxExpressOnline RxMedications Men's Health
Summary of common factors
- 1. The same registrars are being selected with the same frequency by these perpetrators.
- 2. They are hosting their domains on the same common IP addresses.
- 3. All Eva Pharmacy name servers are authoritative for domains across the whole family.
- 4. The name servers across the whole family reside on the same IP addresses.
- 5. Domains follow a common naming pattern across the whole family.
Sample EvaPharmacy domains, brands and abused registrars
From December 2012 to August 2014 there has been a concerted anti-fraud campaign against these unlawful pharmacy domains. An historical list showing the domain names, brands and registrars providing the domain name service is listed above.
A list of the most abused registrars, counting the frequency of occurrences of domain registrars, ordered by most to least frequent. The responsiveness is based on how many reports were acted upon, and how quickly.
|R01.RU||refuses to act 0%|
|CLOUD GROUP LIMITED aka UK2GROUP||100% compliant|
|NICS TELEKOMUNIKASYON TICARET LTD.STI.||100% compliant|
|REGRU-REG-RIPN / REG.RU||100% compliant after one week delay|
|REGISTRYGATE GMBH||100% compliant|
|UNITED-DOMAINS AG||100% compliant|
|InterNetworX Ltd. & Co. KG||100% compliant|
|LCN.COM LTD.||100% compliant|
|0101 INTERNET INC.||100% compliant|
|MAILCLUB SAS||100% compliant|
|EURODNS S.A||100% compliant|
|NEW DREAM NETWORK LLC||100% compliant|
|TUCOWS DOMAINS INC.||formerly 100% compliant slow to act in 2018|
|UA.SHOST / NIC.UA||100% compliant|
|REGISTER.COM INC.||100% compliant|
|KEY-SYSTEMS GMBH||100% compliant|
|TRUNKOZ aka OWNREGISTRAR||100% compliant fastest response, under 6 hours|
|PSI-USA INC. DBA DOMAIN ROBOT aka INTERNETX||100% compliant|
|NAMESILO LLC||100% compliant|
|NETLYNX INC.||100% compliant|
|HTTP.NET INTERNET GMBH||100% compliant|
|PUBLIC DOMAIN REGISTRY PDR||100% compliant|
|TODAYNIC,COM, INC||100% compliant|
|BIZCN.COM, INC||responds to LegitScript and ICANN requests - very slow to act in 2018, 2-3 months|
|NAUNET-REG-RIPN||unresponsive and unhelpful (12 month expiries) 40%|