- 1 Description
- 2 False Pretenses
- 3 FDA Warning Letter
- 4 Spam Examples
- 5 Hosting Sites
- 6 How to report this spam
- 7 Related spam operations
Description[edit | edit source]
|This is one of several new fake pharmacy sites first observed in July 2007 and which are part of the Rx-Promotions affiliate program. This program was described in detail together with screen shots of the different themes by Nart Villeneuve
Visitors to these sites are cautioned against placing an order for any of the products advertised. With so much obvious fraud in the set up of the web sites, any reasonable person would be justified in having doubts about passing identity and credit card details to such blatant fraudsters.
The contact page has a form for inquiries as well as a phone number (currently 1-800-998-7978) and the mailto link. The website also displays this phone number for customer support, giving the appearance of legitimacy. Read on to see how legitimate the sites are.
False Pretenses[edit | edit source]
[edit | edit source]
|The site claims to take your credit card over a secure connection, and indeed, the checkout page was using
Where was this secure payment system registered? 2007 info showed
Domain Name: PAYMENT-RX.COM Registrar: BIZCN.COM, INC. Whois Server: whois.bizcn.com Referral URL: http://www.bizcn.com Name Server: NS3.CNMSN.COM Name Server: NS4.CNMSN.COM Status: clientDeleteProhibited Status: clientTransferProhibited Updated Date: 28-nov-2006 Creation Date: 28-nov-2006 Expiration Date: 28-nov-2007
It was registered with a Chinese registrar, frequently abused by spammers and criminal fraudsters.
Who was the registrant?
Registrant Contact: galen Inc kevin fairlie firstname.lastname@example.org 1000707733 fax: 1000285717 Suite 522 Manama Manama 6372 GB
Manama is the capital city in Bahrain and has phone prefix +973 and 8-digit local phone numbers. Manama is certainly not in GB (Great Britain).
It is currently registered with Privacy Protection, another bad sign. A real pharmacy has to have a real location. If it's a real pharmacy and they aren't hiding from law enforcement, why can't they register the domain at that location?
This secure page currently the following statement:
For your convenience in case of any questions or concerns feel free to contact our Customer
In 2007, when first observed, the support domain was pharmacycs.com.
Who was the registrar for pharmacycs.com?
Domain Name: PHARMACYCS.COM Registrar: BIZCN.COM, INC. Whois Server: whois.bizcn.com Referral URL: http://www.bizcn.com Name Server: NS3.CNMSN.COM Name Server: NS4.CNMSN.COM Status: clientDeleteProhibited Status: clientTransferProhibited Updated Date: 28-nov-2006 Creation Date: 28-nov-2006 Expiration Date: 28-nov-2007
Who was the registrant?
Registrant Contact: gabe Inc noland rudie email@example.com 1000080971 fax: 1000441258 Suite 430 Athens Athens 1290 GB
Note the similarity in fake company names (galen and gabe), fake phone numbers, and now we have Athens geographically misplaced in Great Britain.
The site is now using the slightly different domain paymentrx.com, registered with eNom, and with SSL -- for as long as that lasts. But they have tipped their hand that they are willing to use deception to be able to take money while transmitting your medical information and credit card number in plain view.
At the bottom of the page is the "Support" link http://www.rx-order-support.com/ ut when you try to go there:
Server not found Firefox can't find the server at http://www.rx-order-support.com.
Looking up the domain name for the support for RX Promotions -
Domain Name: RX-ORDER-SUPPORT.COM Registrar: INTERNET.BS CORP. Name Server: NS-CANADA.TOPDNS.COM Name Server: NS-UK.TOPDNS.COM Name Server: NS-USA.TOPDNS.COM Status: clientTransferProhibited Updated Date: 09-aug-2011 Creation Date: 09-aug-2011
Those name servers do not contain any information about the support site, which leads to the conclusion that it has been withdrawn
ns-usa.topdns.com [184.108.40.206] [Says that there is no a record for rx-order-support.com] ns-canada.topdns.com [220.127.116.11] [Says that there is no a record for rx-order-support.com] ns-uk.topdns.com [18.104.22.168] [Says that there is no a record for rx-order-support.com]
False: Claims to have "Pharma Checker" approval[edit | edit source]
The fraud continues. Sites pretend to be authenticated by Pharmacy Checker - which they are not. So they set up a link to a fake Pharma Checker instead of the genuine Pharmacy Checker. Notice the fake logo on the left, compared with the genuine one on the right.
Pharmacy Checker response
We do not endorse this company and they are not affiliated with PharmacyChecker.com in any manner. The PharmacyChecker.com seal that they publish (“Pharma Checker”) is an unauthorized and adulterated copy. Donna Miller, Customer Services
False: Claim of "CIMA Rx" approval[edit | edit source]
False: Claim to be Canadian[edit | edit source]
inetnum: 22.214.171.124 - 126.96.36.199 netname: VTDC-VNNIC-VN descr: Viettel-CHT Company Ltd descr: Hoa Lac Hitech Park, Km29, Lang Hoa Lac Road descr: Thach That, Ha Noi country: VN
Lack of Pharmacist Oversight[edit | edit source]
Numerous affiliate programs' pharma sites have begun competing for customers by putting "free Viagra" in the electronic shopping cart with every item ordered. (It's actually not real Viagra; whether it is even generic sildenafil is questionable.) Like the others, the Rx-promotions sites betray their complete lack of involvement of anyone with even the most minimal pharmacy training by including the "Viagra" when someone orders nitrate drugs -- a potentially lethal interaction. There is more detail in the wiki article for Canadian Pharmacy and there is a photo documenting this practice here.
Invalid contact details[edit | edit source]
The domain name in this contact has been suspended by the registrar:
Domain Name: DRUGSSUPPORT24.COM Registrar: ENOM, INC. Whois Server: whois.enom.com Referral URL: http://www.enom.com Name Server: BLOCKEDDUETOSPAM.PLEASECONTACTSUPPORT.COM Name Server: DUMMYSECONDARY.PLEASECONTACTSUPPORT.COM Status: clientHold Updated Date: 14-apr-2010 Creation Date: 09-oct-2009 Expiration Date: 09-oct-2010
Affiliates also will have a problem making contact. The affilates web site has been suspended by the registrar:
Domain Name: SPAMPROMO.COM Registrar: TODAYNIC.COM, INC. Whois Server: whois.todaynic.com Referral URL: http://www.NOW.CN Name Server: NS3.01ISP.COM Name Server: NS4.01ISP.NET Status: clientHold Status: clientTransferProhibited Updated Date: 27-dec-2009 Creation Date: 17-dec-2008 Expiration Date: 17-dec-2010
The web site at gives the contact address for Canadian RX Drugs as Suite 2, Portland House, Glacis Road, Gibraltar which is depicted in a photograph This address can also be found in a Google search:
it has an IP address 188.8.131.52 which is located in Russia
inetnum: 184.108.40.206 - 220.127.116.11 netname: YABA-NET descr: YabaMedia Ltd country: RU organisation: ORG-YL4-RIPE org-name: YabaMedia Ltd org-type: OTHER address: Shipilovskaya st. 18/1 address: Moscow, 120312, Russia e-mail: firstname.lastname@example.org person: Alexander Andreev address: Shipilovskaya st. 18/1 address: Moscow, 120312, Russia phone: +7 925 8782503 e-mail: email@example.com
FDA Warning Letter[edit | edit source]
The US Food and Drug Administration FDA) issued an official Warning Letter on October 8, 2010.
Inspections, Compliance, Enforcement, and Criminal Investigations TO: firstname.lastname@example.org FROM: Food and Drug Administration Internet Pharmacy Task Force RE: Internet Marketing of Unapproved and Misbranded Drugs DATE: October 8, 2010
Included in the letter were these Canadian Online Pharmacy sites, still operating 6 weeks later despite a deadline of 15 working days -
Acomplia (rimonabant) is well-known as the name of a drug previously approved in the European Union. It has never been approved by FDA, and in June 2007, FDA’s Endocrinologic and Metabolic Drugs Advisory Committee unanimously voted not to recommend approval of the drug because of increased risk of neurological and psychiatric side effects including seizures, depression, anxiety, insomnia, aggressiveness, and suicidal thoughts among patients.
Spam Examples[edit | edit source]
Subject: Subject: Friend username, enter our shop Izesgykeh The evolution of insect wings has been a subject of debate. Leung King, Tuen Mun Hospital, Fung Tei. http://xhx.rodolfodrugs.ru/?f825f2b53cb-5b61a83626e8-d3d163de635 Dragonfly naiads use jet propulsion, forcibly expelling water out of their rectal chamber. They included Wayne Gretzky, Mark Messier, Ken Linseman, and Mike Gartner. http://q.rodolfodrugs.ru/?7df68546302e-e41641c38bc-1d52413b5d1
Hosting Sites[edit | edit source]
This has become a far more prevalent brand than before. In April 2010 the spam abuse rate increased to match or better that of Canadian Pharmacy
Sample name server domains[edit | edit source]
URIBL lists of sites[edit | edit source]
Sample Name Server IP addresses[edit | edit source]
CZ bad IPs - CERT email = email@example.com
UA bad IPs - CERT email = firstname.lastname@example.org
How to report this spam[edit | edit source]
The Complainterator is configured to request removal of these fraudulent sites. Add a link to this page as evidence.
Send an email to the Czech and Ukraine country CERT teams at the email addresses shown above. Request that these illegal IP addresses be put in a routing black hole. Again, add a link here for the criminal evidence.
Related spam operations[edit | edit source]
Canadian Pharmacy and PharmSite share many similarities. A single agent may register domains for sale to multiple spam affiliate programs, so there may indeed be a connection. And there is likely plenty of plagiarism of things like images of fake seals.|}