InBoxRevenge KS Forum

Template 1 header


Template 2 header



There is a pharmacy brand that has not been well identified, yet. A common factor is the phone banner containing the contact phone numbers,
+1-866-2140125 +1-386-2437714
This is encoded in a gif to avoid being scooped up by Google, with a name like this
http://www.pill-deals.com/cache/1352204401.inv_logo_10834_phone_88_2140125.gif

If you google a domain name, you find that they keep all of the site out of search engines

One common factor on all sites is the hosting IP address: 185.9.17.234
The owner is OvalTech Internet Ltd with contact details
person: Matt Brown
address: Unit 5,
address: Wallingfen Business Park, 236 Main Road,
address: Brough,
address: HU15 2RH
phone: +44 1482 772792

Another common factor on all sites, besides the phone numbers and IP address, is the list of categories.
However, these are excluded from search engines, as noted above.
The contents vary a little from one site to another, indicating that the web pages are generated from a set of basic templates

-----
Our Categories

Men's Sexual Health
ED Trial Packs
Antibiotics
Women's Sexual Health
Asthma Relief & Management
Antidepressants
Blood Pressure
Men's Health
Heart & Cholesterol
Digestive Health & Nausea
Diabetes Treatment
Sleep Aids
Weight Loss
Hair Loss Treatment
Muscle Relaxants
ADHD
Women's Health
Smoking Cessation
Anticonvulsants
Anti-fungal and Parasites
Allergy Relief
Cancer Symptoms Relief
Skin Care & Dermatology
Pain Relief
Anti-anxiety
Detox
Anti-inflammatory
Thyroid Health
Mental Health
Antipsychotic Treatment

-----

Signs of fraud

From http://www.pill-deals.net/company.php


When you enter your credit card information, you expect to be on a secure page, identified as https instead of the insecure http
http://www.pill-deals.com/shopping_cart.php#billing_info

That proves the site security claim is blatantly false.

Here is a subset of the domain names used by this brand of frauds.

best-rx.net
buy-pharmacy.com
medical-orders.com
meds-net.net
meds-orders.net
mega-medical.com
order-pharm.com
pharm-offers.com
pharma-offers.com
pill-deals.com
pill-orders.com
pillsorders.com
rx-center.com
toprxmeds.com
toprxpills.net

They were created between Nov 16 2012 and Dec 6 2012

All were registered with the same registrar, NETLYNX INC

They all use the same name servers also registered with NETLYNX INC

ns1.greenwarm.net
ns2.greenwarm.net

EDIT - All suspended by the registrar

A further indication that this is just another brand of fraud domains, is that the perpetrators have followed the under-hand technique of not exposing the target domain names in spam. They hope that such a subterfuge will prevent the fewer hidden domains from being reported to the registrar, who would suspend them for breaking their terms of service.

Examples of disposable spammed domain names that secretly redirect to the hidden domain names are

andromachejacenta.com - Location: http://meds-net.net/?affid=39823933
talyahnora.com - Location: http://meds-orders.net/?affid=38383938
ailishaun.com - Location: http://pharm-offers.com/?affid=39656236
aimeeelfie.com - Location: http://order-pharm.com/?affid=38383938
alenainez.com - Location: http://pill-deals.com/?affid=39823933

Total operation wiped out.

On Feb 16 all of these domains and the name server were suspended by NETLYNX.
If anyone sees any more pharma sites with those phone numbers, please append here.




Similar action from REGTIME (Russia) -
Domain Name: 1ST-ONLINE-MEDS.COM
Registrar: REGTIME LTD.
Whois Server: whois.webnames.ru
Status: clientHold
Updated Date: 11-feb-2013
Creation Date: 17-dec-2012

"+1 386-2437714 is a general support line for multiple web services"

Support line offered by whom?
http://phones.whitepages.com/386-243

VoIP phone from Lake City, FL
http://www.whitepages.com/phone/1-386-243-7714

They would not tell me. But when I told them I could not get through to a pharmacy web site, they offered to take my order right then.

On name servers registered with INTERNET.BS CORP.

ns1.snowbold.net (has address 185.9.18.78)
ns2.snowbold.net (has address 185.9.18.78)

Fraud pharmacies on the same IP, (185.9.18.78) registered with NETLYNX in March, 2013

1stmeds.net
buy-pill.net
buy-rx.net
buyrxmeds.net
directrxpills.net
genericrxpills.net
medicalorders.net
net-pharmacy.net
orderpharmacy.net
pharm-orders.net
pill-sales.net
pills-net.net
prime-pills.net
prime-rx.net

The IP address is owned by

OvalTech Internet Ltd
Matt Brown
Unit 5,
Wallingfen Business Park, 236 Main Road,
Brough,
HU15 2RH
+44 1482 772792
abuse-mailbox: [email protected]

These sites have both the template structure and the formulary of RxProfits.

- Stefan

Thanks, Stefan. I can see the public RXProfits affiliate program description. But there is a lack of more specific information.

1. Who is behind it
2. Where is it headquartered
3. Sample templates of sites

Domain Name: RXPROFITS.COM
Registrar: DNC HOLDINGS, INC.
Creation Date: 09-jan-2012

Hosted - rxprofits.com has address 178.33.228.12
OVH ISP, Paris, France

Name servers -
one on same IP as above, the other, 46.165.194.76
ORG-nA8-RIPE
Leaseweb Germany GmbH
LIR
Leaseweb Germany GmbH Kleyer Strasse 79 / Tor 13 60326 Frankfurt Germany

Who owns that phone number?

http://www.whitepages.com/people/Rob-Paige/San-Diego-CA/db13bwp
Rob Paige
(386) 243-7714
San Diego, CA 92103

> 3. Sample templates of sites
There are tons of distinct templates. For example: http://www.all-pharma.com/ is one, http://www.meds-sales.com/ is another. Basically you can google for:
"images/template_x" viagra
where you replace X with a number. I've seen template numbers up to 90 in use.

- Stefan

These are some live examples that follow the same pattern.

DOMAIN NAME	NAME SERVER	REGISTRAR	HOST IP ADDRESS
1st-pills.com	teckbeans.com	DOMAIN.COM	178.238.138.123
cheap-pharm.com	teckbeans.com	MONIKER	178.238.138.123
rx-mall.com	teckbeans.com	MONIKER	178.238.138.123
direct-pills.com	teckbeans.com	MONIKER	178.238.138.123
genericmedscenter.com	teckbeans.com	MONIKER	178.238.138.123
order-pharma.com	teckbeans.com	MONIKER	178.238.138.123
pharm-deals.com	teckbeans.com	NAMESILO	178.238.138.123
ultra-pharma.com	teckbeans.com	NAMESILO	178.238.138.123
meds-sales.com	teckbeans.com	NAMESILO	178.238.138.123
1stmeds.net	snowbold.net	NETLYNX	185.9.18.78
buy-pill.net	snowbold.net	NETLYNX	185.9.18.78
buy-rx.net	snowbold.net	NETLYNX	185.9.18.78
buyrxmeds.net	snowbold.net	NETLYNX	185.9.18.78
directrxpills.net	snowbold.net	NETLYNX	185.9.18.78
genericrxpills.net	snowbold.net	NETLYNX	185.9.18.78
medicalorders.net	snowbold.net	NETLYNX	185.9.18.78
net-pharmacy.net	snowbold.net	NETLYNX	185.9.18.78
orderpharmacy.net	snowbold.net	NETLYNX	185.9.18.78
pharm-orders.net	snowbold.net	NETLYNX	185.9.18.78
pill-sales.net	snowbold.net	NETLYNX	185.9.18.78
pills-net.net	snowbold.net	NETLYNX	185.9.18.78
prime-pills.net	snowbold.net	NETLYNX	185.9.18.78
prime-rx.net	snowbold.net	NETLYNX	185.9.18.78
	ns1.teckbeans.com	DNC HOLDINGS	5.9.156.233
	ns2.teckbeans.com	DNC HOLDINGS	178.238.138.123
	ns1.snowbold.net	INTERNET.BS	185.9.18.78
	ns2.snowbold.net	INTERNET.BS	185.9.18.78