Pharmacy Express

Post Reply
alphacentauri
Posts: 3291
Joined: Mon Nov 02, 2009 12:52 pm

Pharmacy Express

Post by alphacentauri » Sun Aug 22, 2010 12:53 pm

These are domains for the "Pharmacy Express" Russian scam pharma affiliate program (not to be confused with the actual pharmacy called Pharmacy Express, located at the address these sites put on their forged pharmacy license).

Despite the head of their affiliate program, Leo Kuvayev, being in prison charge with 50 counts of raping children lured from a Russian orphanage, the affiliate program is going strong. I noticed that some of these domains were rated as "spam" by other reviewers, though many had no other ratings than mine from what I could see. (I haven't rated all of them; I'm not qualified for bulk posting here yet.)

I think a stronger designation than "spam" is called for. Gevalia Coffee spams, but I wouldn't be afraid they will steal my credit card number or send me arsenic-laced gravel and call it coffee. These sites do much worse than just "spam."

List of domains/hosts

edit: removed 5 year old stale domain list


Guest

reference link

Post by Guest » Sun Aug 22, 2010 1:11 pm

Here's the Spam Wiki reference link:
http://www.spamtrackers.eu/wiki/index.p ... cy_Express

Guest

@ AlphaCentauri

Post by Guest » Sun Aug 22, 2010 2:26 pm

thank you RED> with a strong comment

Guest

@ Bob Zenith

Post by Guest » Sun Aug 22, 2010 2:30 pm

thank you for such a great article link ===== I have learned quite a lot by articles like this one , and at the same time it worries me this Russian mafia ======

TheBonobo4
Posts: 152
Joined: Sat Nov 07, 2009 2:56 pm

Rated accordingly.

Post by TheBonobo4 » Sun Aug 22, 2010 4:32 pm

Rated accordingly.

c۞g
Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

re: Pharmacy Express

Post by c۞g » Sun Aug 22, 2010 4:45 pm

I see these domains use a different site template compared to my last screen capture

A few servers [Fedora] not listed:
breavdns.com
daftdns.com
gruedns.com
bagwdns.com


FAKE pharmacies not listed:
vapharmacye.com

The shopping cart is courtesy of:
cartinternetsite.com - whois created: 30 June 2010
notice the lack of SSL
and the phone number: +1-888-738-9650 - spamhaus.org
It's also viewable on this fake Generic ED site: paymeddirect.com where at the bottom left you'll see reference back to: Fortex Investments LTD aka: fortexltd.com

Oh!
Rated and thanks!

[EDIT]
minor edit nothing changed

alphacentauri
Posts: 3291
Joined: Mon Nov 02, 2009 12:52 pm

@g7w

Post by alphacentauri » Sun Aug 22, 2010 5:36 pm

> I see these domains use a different site template compared to my last screen capture

I haven't tried loading through a proxy, so I don't know if the American flag image is presented to visitors from other countries.

There is some uproar in Russia right now, not only because Kuvayev has been jailed (and presumably every computer that can be traced to him has been seized), but because someone hacked or claims to have hacked Chronopay, a major online payment processor in Russia ( http://www.chronopay.com/en/ ). Chronopay handles lots of legitimate companies, but also pornography sites (allegedly including child pornography) and many other blackhat activities. Supposedly, they handled payments for all the scam pharma affiliate programs other than Glavmed (Canadian Pharmacy). The hackers have been posting blogs on livejournal (that get taken down as fast as they are posted) that appear to indicate the breach was real and was significant -- they have recordings of telephone calls, including one in which one of their officers is talking to his lawyer about suing Brian Krebs, the reporter who tied Chronopay to a rogue antivirus software operation.

The scammers have operated with impunity only because they did not appear to be scamming Russians -- some of the trojans they use to create their botnets will abort installation if they detect Cyrillic keyboards, for instance. But they have no idea how much data was taken from Chronopay, and the hackers say they will only reveal password to the data to law enforcement agencies. So bottom line, they're nervous, and they've got reason to want to emphasize the fact that they're targeting Americans, not Russians.

> FAKE pharmacies not listed:
> vapharmacye.com

Thanks. There are actually lots more, so everybody: have at 'em. (I'm so looking forward to being able to bulk post and spend time finding them instead of posting reviews one at a time :) )

> The shopping cart is courtesy of:
> cartinternetsite.com - whois
>
> created: 30 June 2010
> notice the lack of SSL

Thanks for that, too. I'm not confident enough to enable javascript on a site like this yet.


> and the phone number: +1-888-738-9650 - spamhaus.org

LOL!


> It's also viewable on this fake Generic ED site: paymeddirect.com where at the bottom left you'll see reference back to:
> Fortex Investments LTD aka: fortexltd.com

That's a famous address, too: Harley Street 29, Suite B London, UK
I guess it's the equivalent of Mailboxes Etc., because all kinds of companies use that suite number, including numerous scammers.

One of the best known:

Domain: spamit.com - Domain History
Cache Date: 2008-01-17
Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM

Registrant:
MEDIA CAPITAL LTD
Suite B, 29 Harley street
London, NA W1G 9QR
GB
4402070604540

Domain Name: SPAMIT.COM

Administrative Contact:
Smirnov, Andrey admin@spamit.com
Suite B, 29 Harley street
London, NA W1G 9QR
GB
4402070604540

Spamit is the evil twin of Glavmed -- both have "Canadian Pharmacy" sites, but Glavmed claims not to spam. Andrey Smirnov, however, is employed by Glavmed and is an admin on their affiliate forum. He claims Glavmed is unrelated to Spamit. I think the claim is pretty ludicrous, as the Spamit site templates change in response to information given to Andrey. If Spamit affiliates were stealing their templates, as he claims, it would be trivial to find out which Glavmed affiliate was giving it to them by concealing minor differences in the code of a site that large. And if they used his name to register their domain name, he could take possession of the name whenever he chose -- it would be an incredibly stupid move if Spamit were just trying to annoy a competitor.

-Saad-
Posts: 244
Joined: Fri Jun 18, 2010 2:17 am

Thanks. Rated.

Post by -Saad- » Mon Aug 23, 2010 3:17 am

Thanks. Rated.

Guest

-

Post by Guest » Mon Aug 30, 2010 6:57 am

AlphaCentaur = thank you ------ RATED!

alphacentauri
Posts: 3291
Joined: Mon Nov 02, 2009 12:52 pm

more Pharmacy Express

Post by alphacentauri » Wed Sep 01, 2010 2:25 am

edit: removed old domain list

Post Reply

Who is online

Users browsing this forum: Google [Bot] and 1 guest