Fraud Reports Wiki
Advertisement

Key-Systems is a registrar in Germany.

Description of the Registrar[]

Key-Systems is an international IT company that currently manages more than 4 million domains for more than 100,000 retail/corporate customers and 2,300 resellers worldwide. Key-Systems' headquarters are located in St. Ingbert/Germany. Furthermore, the company runs a subsidiary in the USA. Key-Systems’ business areas include the retail customer portal domaindiscount24, the reseller portal RRPproxy and the corporate domain portal BrandShelter. Furthermore, the company runs the TIER III Key-Systems DataCenter and a service for registry operation (KSregistry). Key-Systems is member of the CentralNic Group PLC.

Anti-Spam Position[]

Official Position[]

http://www.key-systems.net/deutsch/registrierungsvereinbarung.html

Ein registrierter Domainname kann vorübergehend gesperrt oder deaktiviert werden, wenn der Kunde durch die darunter verfügbar gemachten Inhalte in schwerwiegender Weise gegen geltendes Recht oder diese Vereinbarung verstößt bzw. ein solcher Verstoß glaubhaft gemacht wurde, und auf die Aufforderung, diese Inhalte nicht zu entfernen oder anzupassen nicht entsprechend reagiert.

Soweit einzelne Domainnamen durch den Kunden, wegen Verstoß gegen die Registrierungsbedingungen, aufgrund verbindlicher Entscheidungen in Domainstreitigkeiten, oder aufgrund sonstiger in diesen Bedingungen genannten Gründen gekündigt oder übertragen werden, besteht kein Anspruch auf Beantragung einer unentgeltlichen Ersatzdomain oder eine sonstige Erstattung, sofern nicht die Kündigung durch Registrar vorsätzlich oder grob fahrlässig widerrechtlich verschuldet worden ist. Dies gilt ebenso für sonstige Leistungen oder zusätzlich gebuchte Optionen hinsichtlich de betroffene Domainnamen.

http://www.key-systems.net/english/registration-agreement.html

A registered domain name can be temporarily blocked or disabled if the customer offends applicable law or this arrangement in a serious manner through the content made available under the domain name or if such an offence was made plausible and Customer does not react to the request to remove or adapt the content accordingly.

As far as a single domain name is canceled or transferred by Customer, due to violation of the registration agreement, due to binding decisions in domain name disputes or due to other causes specified in these conditions, no right to request for a free replacement domain or other reimbursement exists, provided that the termination was not caused illegally by Registrar in a culpable or grossly negligent manner. This also applies to other services or additionally booked options regarding the affected domain names.

Actual Behavior[]

This registrar has previously acted decisively to remove illegal sites.

Registrar responsiveness[]

Showing all registrars including R01.RU LiveSite2014.jpg

Showing all registrars excluding R01.RU LiveMinors.jpg

Piechart showing the crime sponsoring contribution by each registrar.

RegPie.jpg

The comparison between this registrar and others can be seen on the graphs.

It shows how many domains have not been suspended by various registrars over the past year. The higher the column, the more domains are sponsored by the registrar.

Currently the most abused registrar is Russia's R01.ru. This registrar sponsors the vast majority (often over 60%) of the fraud domains used within the Eva Pharmacy group.

The second most abused registrar is Russia's REG.RU REG.RU at over 25%

The next most abused registrar is GKG GKG at 4%.

The next most abused registrar is The Netherlands' Hosting Concepts aka OpenProvider at 3%.

These are followed by Russia's ARDIS, India's PublicDomainRegistry PDR, China's CNOBIN, Canada's Tucows, and Pakistan's PakNIC.


Outside of Russia, most registrars have been quick to terminate the service contracts with these cyber-criminals upon seeing the obvious evidence of fraud.



Examples of domains used for fraud[]

These domains were tested on August 14, 2016 and found to be live. The cyber-criminals behind these scams use IP blocking to try to prevent verification of their sites. They block known law enforcement addresses, pharmaceutical company addresses, VISA, Mastercard, Paypal and American Express addresses, registrar addresses, and any IP address that repetitively loads a series of their domains in quick succession. They often use disposable domains whose sole purpose is to redirect to illegal pharmacies running on bullet-proof domains registered in Russia. Most competent registrars have the skills to circumvent these blocking methods, using tunnels, proxies and external IP addresses. Key-Systems appear to lack this ability.

The headings below link to evidence that each domain is being used for fraud.

Some examples taken at random are shown on the right. These were screen captured, using a proxy service to avoid their IP blocking of law enforcement and registrar IP addresses. These may serve other fraud sites at other times, or from other geographies. But any site served is still an illegal fraud pharmacy.

Live example Aug 16 yournaturalstore.eu

Aug 16 2016 fraud sample globalherbassist.be

Aug 16 2016 fraud sample herbalhealthmart.be

Aug 16 2016 fraud sample naturlfirstmall.be

Aug 16 2016 fraud sample healingaidstore.be

Aug 16 2016 fraud sample janeendinajolie.be

Aug 16 2016 fraud sample Redirection marjoriesonja.be

Aug 16 2016 fraud sample Redirection pollyannabobbette.be

Aug 16 2016 fraud sample Redirection debbiehephzibah.be

Aug 16 2016 fraud sample Redirection claretapersis.be

See current live list at Key-Systems_GmbH_list


Canadian Health&Care Mall Suspended[]

curativebestbargain.be (suspended)
curingcaremarket.eu (suspended)
fastnaturalservices.eu (suspended)
flxqokqn.be (suspended)
globalgenericgroup.eu (suspended)
globalpillsmarket.eu (suspended)
homeherbstrade.be (suspended)
homenaturalquality.be (suspended)
luckyorganicassist.be (suspended)
magicpillgroup.be (suspended)
medicalsmartstore.be (suspended)
medicalwelnessshop.eu (suspended)
medicatingfastmart.be (suspended)
naturalfirstmarket.eu (suspended)
remedialtrustedinc.eu (suspended)
secureherbalbargain.be (suspended)
smartremedyinc.be (suspended)
yourorganicprogram.be (suspended)
assistantheadcoach.be (suspended)
besthealthreward.be (suspended)
bestmedicalbargain.eu (suspended)
bodycarerx.eu (suspended)
canadiandrugreward.eu (suspended)
dfnfoskt.be (suspended)
familyhealthquality.be (suspended)
genericglobalmart.be (suspended)
goodremedialmart.be (suspended)
healingsmartgroup.be (suspended)
herbalsecuremart.eu (suspended)
luckyhealingshop.be (suspended)
mybiologicalquality.be (suspended)
naturaldrugsmall.be (suspended)
nhlbqyuc.eu (suspended)
organicsmartbargain.eu (suspended)
perfectaideshop.be (suspended)
pogjlbwb.eu (suspended)
remedialpillmart.be (suspended)
ruaohjji.be (suspended)
rwmxlkwn.eu (suspended)
vrswovjt.be (suspended)
vzbhtapi.eu (suspended)
pureremedyinc.eu (suspended)
smartpharmshop.eu (suspended)
yourmedicatingtrade.eu (suspended)
firstmedsservice.eu (suspended)
globalmedicinaldeal.eu (suspended)
healingprivatemall.be (suspended)
herbaldruggroup.be (suspended)
curingfastprogram.be (suspended)
bestmedswebmart.be (suspended)
goodfitnesswebmart.be (suspended)
hotgenericspurchase.eu (suspended)
magiccaredeal.eu (suspended)
mycuringeshop.eu (suspended)
newtreatmentprogram.eu (suspended)
curativesmartmallorca.be (suspended)
medicinaldrugsinc.eu (suspended)
organicsafesale.eu (suspended)
perfectherbalmart.be (suspended)
remedialglobalmart.eu (suspended)
svxoskid.be (suspended) 
curativesmartmallorca.be (suspended)
curingtrustedoutlet.eu (suspended)
fastgenericsupply.be (suspended)
globaldrugsgroup.eu (suspended)
globalnaturalmarket.be (suspended)
herbalherbpurchase.eu (suspended)
herbalrxpurchase.eu (suspended)
jdjlpdcq.be (suspended)
luckygenericmart.be (suspended)
magictableteshop.eu (suspended)
medicalrxgroup.be (suspended)
mudttflg.eu (suspended)
newpillsinvestment.be (suspended)
newwelnessshop.eu (suspended)
privateremedyoutlet.eu (suspended)
safemedicinalmall.eu (suspended)
familyremedysale.be (suspended)
genericbestgood.eu (suspended)
globalmedicaresale.be (suspended)
naturalrxdeal.eu (suspended)
safemedicativevalue.be (suspended)
thepharmacyservice.eu (suspended)
bestcanadianprogram.eu suspended
fastmedicinalshop.be  (suspended)
genericpillservice.be  (suspended)
globaltreatmentshop.be  (suspended)
klfwyqzo.eu  (suspended)
newsupplementmall.eu  (suspended)
remedialglobalstore.eu suspended
safewelnessgroup.eu  (suspended)
yourcuringsupply.eu  (suspended)

Canadian Neighbor Pharmacy Suspended[]

trustedaiddeal.be (suspended)
herbalfirstmall.eu (suspended)

CanadianPharmacy[]

annualhealthcareconference.be (suspended)
bestherbreward.eu (suspended)
bestremedialmart.be (suspended)
bestremedialquality.eu (suspended)
healingtablettrade.eu (suspended)
hotremedystore.eu (suspended)
medicalpharmacysales.eu (suspended)
mypharmvalue.be (suspended)

My Canadian Pharmacy Suspended[]

curativesmartvalue.eu (suspended)
fastmedicalgive.eu (suspended)
yourdrugtrade.eu (suspended)
homemedseshop.eu (suspended)
homeremedysale.eu (suspended)
hotherbalpurchase.eu (suspended)
hotremedialquality.eu (suspended)
hotrxtrade.eu (suspended)
luckyherbalwebmart.eu (suspended)
mydrugsale.be (suspended)
naturaltrustedgroup.eu (suspended)
onlinedrugvalue.eu (suspended)
organicfirstreward.be (suspended)
safedrugstrade.eu (suspended)
saferxgroup.eu (suspended)
trustedhealthassist.eu (suspended)
canadianaidmart.eu (suspended)
hotremedyelement.eu (suspended)
canadianfirstshop.eu (suspended)
trustedrxinc.eu (suspended)
pxlckfxe.eu  (suspended)
yourmedicaleshop.be  (suspended)

RxExpressOnline Suspended[]

mypillsassist.eu (suspended)
onlineherbalmarket.eu (suspended)
medicalonlinesupply.be (suspended)
curativehealthsale.eu  (suspended)

RxMedications Suspended[]

mynaturaldealdirect.be  (suspended)
securemedsinc.be  (suspended)

Toronto Drugstore Suspended[]

bestgenericmarket.eu  (suspended)

US Drugs[]

excellentherbsupply.be  Name is available.

Common IP addresses[]

A quick way to verify these sites is to examine the hosting addresses. Note that * items have been removed. Many compromised hosts used for this operation during September 2020 - May 2021 were located at these IPs.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Live
----
2.184.67.164 5.101.140.77 5.188.211.29 37.46.135.24 51.222.136.197*
51.89.151.227 84.15.139.143 84.200.77.180 95.165.145.236 95.165.149.124
95.165.27.205 95.31.40.41 103.117.141.163 103.121.91.117 103.126.6.161
103.127.31.154* 103.135.128.72* 103.139.42.59 103.146.23.100 103.147.153.123*
103.147.153.126* 103.157.224.90 103.228.114.93 103.236.150.106* 103.236.201.228
103.92.25.124 103.242.117.197 103.28.149.174 103.30.246.103 103.83.192.109
103.9.158.67 103.92.25.124 185.182.105.220 185.182.105.221 185.227.136.203
185.24.232.98 185.227.136.205 198.211.33.45 200.55.243.166* 202.145.2.67


Removed
----------
5.133.12.16* 5.181.158.179* 5.181.158.181* 5.187.52.1* 5.187.52.12*
5.187.52.13* 5.187.52.9* 5.2.89.72* 5.253.62.111* 5.45.82.242*
31.132.1.40* 37.61.211.187* 37.61.211.188* 37.61.211.189* 45.119.41.11*
45.119.41.12* 45.119.41.14* 45.125.65.93* 45.131.83.10* 45.137.21.144*
45.137.21.166* 45.67.116.219* 45.86.163.7* 51.158.23.140* 51.210.134.178*
51.38.80.31* 58.64.137.69* 62.141.56.196* 78.157.200.139* 80.233.134.248*
80.233.134.249* 81.4.110.230* 82.199.101.248* 82.199.101.44* 82.199.104.3*
85.17.219.96* 85.183.104.125* 85.254.72.7 * 87.120.253.209* 89.105.221.82*
89.222.128.42* 91.199.41.51* 91.199.41.53* 91.199.41.55* 93.119.105.5*
94.126.173.105* 94.152.214.31* 94.156.175.107* 101.53.147.97* 101.99.90.111*
103.108.117.18* 103.117.141.184* 103.130.218.113* 103.138.96.86* 103.142.25.210*
103.160.144.64* 103.160.62.153* 103.221.220.169* 103.42.58.61* 103.56.148.90*
103.6.207.162* 103.8.26.45* 103.86.51.178* 103.92.30.110* 109.232.240.24*
111.90.158.205* 112.78.10.214* 119.59.123.55* 119.59.123.55* 128.1.60.6*
130.185.72.89* 134.119.186.27* 134.119.186.29* 141.98.10.125* 141.98.10.136*
141.98.10.142* 141.98.10.225* 146.247.49.105* 146.88.26.167* 159.148.186.165*
159.148.187.4* 159.148.187.6* 167.114.188.36* 170.130.173.37* 171.244.143.163*
173.213.80.216* 176.123.9.67* 178.239.177.183* 178.255.40.234* 179.43.149.28*
180.131.147.100* 185.105.109.213* 185.108.128.181* 185.128.42.106* 185.128.42.107 *
185.128.43.18* 185.128.43.21* 185.128.43.54* 185.130.206.6* 185.140.249.133*
185.183.104.123* 185.216.8.156* 185.227.136.206* 185.24.232.118* 185.24.232.134*
185.24.232.76* 185.9.158.36* 185.99.3.68* 185.99.3.80* 194.5.179.140*
195.123.247.36* 198.27.110.97* 209.127.28.5* 209.97.184.221* 212.34.158.134*
212.34.158.134* 213.226.100.10*


Where to contact the compromised hosting ISP:

Abuse contact for '5.2.88.0 - 5.2.89.255' is 'alvaro.montero@ipcore.com'
Abuse contact for '5.45.80.0 - 5.45.83.255' is 'abuse@ispiria.net'
Abuse contact for '5.101.140.64 - 5.101.140.95' is 'abuse@ukservers.com'
Abuse contact for '5.181.158.0 - 5.181.158.255' is 'abuse@mivocloud.com'
Abuse contact for '5.133.8.0 - 5.133.15.255' is 'abuse@artnet.pl'
Abuse contact for '5.187.48.0 - 5.187.55.255' is 'abuse@artnet.pl'
Abuse contact for '5.188.211.0 - 5.188.211.255' is 'abuse@pindc.ru'
Abuse contact for '5.253.60.0 - 5.253.63.255' is 'abuseto@adminvps.ru' (Removed)
Abuse contact for '27.124.80.0 - 27.124.95.255' is 'abuse@medialink.net.id'
Abuse contact for '31.200.247.0 - 31.200.247.255' is 'ripe@unelink.com'
Abuse contact for '37.46.132.0 - 37.46.135.255' is 'abuse@abusehost.ru'
Abuse contact for '45.67.116.0 - 45.67.116.255' is 'abuse@itns.md'
Abuse contact for '45.86.163.0 - 45.86.163.255' is 'support@crowncloud.net'
Abuse contact for '45.125.65.0 - 45.125.65.255' is 'abuse@tele-asia.net'
Abuse contact for '45.131.83.0 - 45.131.83.255' is 'abuse@sered.net'
Abuse contact for '51.89.148.0 - 51.89.151.255' is 'abuse@ovh.net'
Abuse contact for '79.172.193.0 - 79.172.193.255' is 'abuse@deninet.hu' (Removed)
Abuse contact for '80.233.134.0 - 80.233.134.255' is 'abuse@telia.lv'
Abuse contact for '82.199.104.0 - 82.199.107.254' is 'abuse@seven-sky.net'
Abuse contact for '84.15.136.0 - 84.15.143.255' is 'abuse@bi.lt'
Abuse contact for '84.200.77.0 - 84.200.77.255' is 'abuse@accelerated.de' (Removed)
Abuse contact for '85.254.72.0 - 85.254.72.255' is 'support@serveria.com'
Abuse contact for '87.120.253.0 - 87.120.253.255' is 'abuse@neterra.net'
Abuse contact for '89.105.192.0 - 89.105.223.255' is 'abusedesk@novoserve.com'
Abuse contact for '89.222.128.0 - 89.222.131.255' is 'abuse@netorn.net' 'abuse@netorn.ru'
Abuse contact for '80.233.134.0 - 80.233.134.255' is 'abuse@telia.lv'
Abuse contact for '93.119.104.0 - 93.119.105.255' is 'abuse@virtono.com'
Abuse contact for '94.152.0.0 - 94.152.255.255' is 'abuse@kei.pl'
Abuse contact for '94.156.175.0 - 94.156.175.255' is 'abuse@iws.co'
Abuse contact for '95.24.0.0 - 95.31.255.255' is 'abuse-b2b@beeline.ru'
Abuse contact for '95.84.128.0 - 95.84.159.255' is 'abuse@rt.ru'
Abuse contact for '95.165.128.0 - 95.165.255.255' is 'abuse@spd-mgts.ru'
Abuse contact for '103.6.204.0 - 103.6.207.255' is 'yogie@redwhite.co.id'
Abuse contact for '103.9.156.0 - 103.9.159.255' is 'cuong.trinh@vnso.vn'
Abuse contact for '103.28.148.0 - 103.28.149.255' is 'support@easyway.co.id'
Abuse contact for '103.56.148.0 - 103.56.149.255' is 'abuse@jagoanhosting.com'
Abuse contact for '103.86.48.0 - 103.86.48.255' is 'abuse@bangmodhosting.com'
Abuse contact for '103.92.24.0 - 103.92.27.255' is 'hm-changed@vnnic.vn' 'system@tlsoft.vn'
Abuse contact for '103.117.141.0 - 103.117.141.255' is 'abuse@casbay.com'
Abuse contact for '103.121.88.0 - 103.121.91.255' is 'tampd@bkns.vn'
Abuse contact for '103.126.6.0 - 103.126.7.255' is 'shazim@serverstack.in'
Abuse contact for '103.138.96.0 - 103.138.96.255' is 'hello@hostitsmart.in'
Abuse contact for '103.146.22.0 - 103.146.23.255' is 'duc@lanit.com.vn'
Abuse contact for '103.147.152.0 - 103.147.153.255' is 'abuse@shineservers.com'
Abuse contact for '103.221.220.0 - 103.221.223.255' is 'hoanglong@azdigi.com'
Abuse contact for '103.236.201.0 - 103.236.201.255' is 'admin@idcloudhost.com'
Abuse contact for '111.90.128.0 - 111.90.159.255' is 'abuse@shinjiru.com.my'
Abuse contact for '112.78.0.0 - 112.78.15.255' is 'vanht@ods.vn'
Abuse contact for '130.185.72.0 - 130.185.72.255' is 'report@parspack.com'
Abuse contact for '119.59.96.0 - 119.59.127.255' is 'abuse@metrabyte.cloud'
Abuse contact for '141.98.10.0 - 141.98.10.255' is 'admin@serveroffer.lt'
Abuse contact for '146.247.49.0 - 146.247.49.255' is 'abuse@netcetera.co.uk'
Abuse contact for '159.148.186.0 - 159.148.186.255' is 'support@serveria.com'
Abuse contact for '159.148.0.0 - 159.148.255.255' is 'abuse@latnet.eu'
Abuse contact for '171.224.0.0 - 171.255.255.255' is 'hm-changed@vnnic.vn' 'soc@viettel.com.vn'
Abuse contact for '176.123.0.0 - 176.123.11.255' is 'abuse@alexhost.com'
Abuse contact for '178.239.176.0 - 178.239.177.255' is 'abuse@irideos.it'
Abuse contact for '178.255.40.232 - 178.255.40.235' is 'abuse@artnet.pl'
Abuse contact for '179.43.149.0/26' is 'support@privatelayer.com'
Abuse contact for '180.131.144.0 - 180.131.147.255' is 'abuse@nawala.org'
Abuse contact for '185.24.232.0 - 185.24.232.255' is 'abuse@servebyte.com'
Abuse contact for '185.128.40.0 - 185.128.43.255' is 'abuse@rackend.net'
Abuse contact for '185.130.206.0 - 185.130.207.255' is 'abuse@as61317.net'
Abuse contact for '185.140.248.0 - 185.140.249.255' is 'contact@buzinessware.com'
Abuse contact for '185.183.104.0 - 185.183.104.255' is 'abuse@m247.ro'
Abuse contact for '194.5.176.0 - 194.5.179.255' is 'berbid238@gmail.com'
Abuse contact for '200.55.243.166'  is 'radhios@gmail.com' syt.com web page
Abuse contact for '202.145.0.0 - 202.145.3.255' is 'abuse@uninet.net.id'
Abuse contact for '209.127.0.0 - 209.127.138.255' is 'abuse@servermania.com'


Example of the highest used IP addresses from November 2020 IPabuses.jpg

Where to send abuse complaints[]

abuse@key-systems.net

Web site http://www.domaindiscount24.com/en/company/contact

Please send your complaint to:

Fax: +49-6894 93 96 851
E-Mail: abuse@key-systems.net for all abuse reports
Or call us on: +49-6894 93 96 850

Additional Contact Information[]

Postal address[]

Key-Systems GmbH, Im Oberen Werk 1, St. Ingbert, 66386, Germany

Key-Systems USA, Inc., 604 S. King Street, Leesburg, VA, 20175, USA

Registration Information[]

Telephone and FAX[]

Telephone +49 689 4939 6850
Fax +49 689 4939 6851

Related information[]

Pharmacy fraud operations

Affiliate program coordinator employing spammers

Sources for this article[]

Independent[]

Interview[]

Corporate[]

Facebook http://www.facebook.com/KeySystems

Twitter http://www.facebook.com/KeySystems

Company Homepage http://www.key-systems.net

Advertisement