InBoxRevenge KS Forum

This is a topic to provide statistics on the effectiveness of the campaign to remove Eva Pharmacy domains.
The campaign is documented here at viewtopic.php?f=1&t=4894
Registrar compliance ratings are in a table at viewtopic.php?f=1&t=5905&p=61164

What is Eva Pharmacy?
It is a Russian/Ukrainian pharmacy fraud operation, described in detail in the evidence at the spamtrackers.eu wiki entry

Why is there a campaign?
This affiliate program is clearly a fraud, as seen in the evidence link. It has been able to run continuously for several years, undergoing several different guises over that time, but always surviving. It has operated under various affiliate program names, such as Yambo Financials, Bulker Biz, then Eva Pharmacy until mid last year. It has been a constant annoyance in spam volumes, and presents risks to the community. These risks include

* Identity theft
* Credit card theft
* No quality control in the shipments
* Seizure of medications at customs
* Combinations of medications which may prove fatal when used in combination
* Unknown quality control at the manufacture

Therefore, the campaign has set out to notify the registrars of the domain names that the registrants are Russian criminals, who are using the domains for unlawful purposes. Registrars across the world have terms of service agreements which prohibit unlawful use of domain names, and allow for immediate termination under the circumstances where there is a reasonable degree of evidence.

REPORTING ABUSED IP ADDRESSES
The most frequently used IP addresses for hosts and name servers is shown below. It would be useful if someone would volunteer to report these. I don't usually value the black-holing of IP addresses, because the miscreants who use them can rapidly switch to new addresses.

The advantage of reporting these ones is that there are many name servers that have been placed on hold, but the registrar has failed to change the "glue" records, so the name servers still resolve names. If the addresses are changed, then hundreds of sites will be taken down at once.

Highest used IP addresses (sorted into most frequent first)

188.128.242.130
report to [email protected]
31.184.241.32
Budko Dmutro, UKR, +380958382755
195.2.240.144
report to [email protected]
185.5.99.145
report to [email protected]
85.95.236.188
Rasim Akkoyunlu +905763457689
82.114.63.171
report to [email protected]
134.60.13.251
report to [email protected]
75.98.230.254
report to [email protected]
88.190.218.27
[email protected]
85.31.101.202
report to [email protected]

208.73.211.28
91.198.137.39
88.191.160.232
88.151.99.156
85.31.101.203
208.91.197.66

HOW TO REPORT
When reporting these, it is necessary to give evidence that they are used for unlawful purposes. This has been done already. To view the evidence, you just need to form the URL as shown here. Take the ip address and append it to http://www.abuseipdb.com/report-history/

For example, take the one of the highly used IPs from the list:
Evidence: http://www.www.abuseipdb.com/report-history/24.234.252.189

When you look at that site, you may find a useful link to the WHOIS information, in a box called [Whois 24.234.252.189]. When you go there, you might find the abuse reporting addresses.
If not, look it up at http://who.is
http://who.is/whois-ip/ip-address/24.234.252.189 which reports
OrgAbuseEmail: [email protected]

You can send a request to the abuse addresses, asking that the IP address be null-routed because it is being used for unlawful purposes, linking to the evidence as shown above.

Updated October 10 2013 - addresses refreshed with current ones

The FDA, DOJ, International Customs and Interpol combine on an annual basis to take action against fake pharmacies in Operation Pangea.

You can contact them at

Office of Criminal Investigations
7500 Standish Place
Rockville, MD 20855

The web page for reporting criminal activity is at
http://www.accessdata.fda.gov/scripts/email/oc/oci/contact.cfm

August 22, 2013
The last 2 days have been very good for some registrars. The number of fraud domains suspended has been high.

235 by NETLYNX (India)
253 by PSI-USA InterNetX (Germany)
302 by NAMESILO (Phoenix, AZ)
100 by TRUNKOZ (India)

Total = 890

Hey

Red and I had a summit skype phonecall regarding a few things and I thought I would contribute something since I wasn't aware that some people thought Eva disappeared completely for some period of time. They did not. They just don't send *us* spam now, primarily.

Lately they are relying on still more hacked servers, but this time using any public exploit against Apache, Wordpress, Joomla, or anything else they can find. They do this to place their redirects specific to Eva domains.

Some examples:

Spammed urls:

http://www.pregnancywyze.com/fairness_cream.html
http://tloves.webchuyennghiep.net/adefovir.html
http://seesawscene.com/lovastatin.html
http://ludivepo.angelfire.com/fusidic_acid.html

Each of these is a hacked website and domain. They bruteforce the html files on to the server, and it redirects the user. These are useful for (at most) only a single day, but probably less, after which the domain is trapped by most spam filters.

For each of those pages the corresponding landing domains are:

pregnancywyze.com => rxhealthmeds.ru [CH&CM]
tloves.webchuyennghiep.net => drugstoremeds.ru [CH&CM]
seesawscene.com => pillstabletspharmacy.ru [MCP]
ludivepo.angelfire.com => medicinerxtablets.ru [MCP]

And from there you get the typical 3-hacked-unix-server setup which has been documented previously.

I have to dig around to find spam for these from my friends, who are pretty happy to keep providing these domains to me. So if you haven't seen any Eva spam lately, it's possibly because you contribute to this forum. It's a form of success I suppose.

SiL

I can't find evidence of that. To me it looks like they are now using just the one server for pages and images. Are you seeing something different?
In Firefox I use the View Page Info option, and click on Media


I would like to have a feed of Eva domains. Currrently I have to resort to all sorts of data mining tools to find them, and they are running dry.

Yup. A browser won't give you nearly enough info. The unix "dig" command is your friend:


In this case all three ip addresses are the same, but in 90% of cases, they are all different.

So for example:


So: one main http host and two dns hosts

91.204.162.83
61.178.118.4
91.226.116.66

This indicates that "91.204.162.83" is a pretty important ip for them.


91.204.162.83
200.110.137.11
125.16.213.251

(91.204.162.83 again. Suuuuper important.)

(Note that "medicinerxtablets.ru" one is the domain from your posting way back on Feb. 20th. It's still live.)


That will only show you the "front facing" domain, not which actual IP delivered the image content to your browser.

Me too. Mine are all sporadically reported by friends who all know I'm still researching this.

I must have made some kind of impact over at Eva because they finally scrubbed their lists of all my addresses except one. It's something I honestly never expected to see take place.

SiL

That clears it up. I thought you were including the image server IPs, which they have now dispensed with.

So you are saying that in general there is now a set of 3 IPs - hosting site and 2 name servers - all of which are hijacked I presume.

Yeah, that appears to have been disposed of in mid-2009.

Welllll.... sssssort of yes / no.

In general, as often as possible, they use hacked / hijacked servers around the world, usually in sets of three (web host + 2 dns hosts.)

But not always.

Sometimes it's one IP address for all three. In some cases that IP address is either hacked / hijacked, or it's actually "owned" by whoever it is at EvaPharmacy. In the latter case, very often that "owned" server has still been paid for using some unsuspecting person's credit card data. Etc. It's a mish-mash.

SiL

It is interesting to see the patterns used by this operation. In most cases there are only two DNS resolvers, using domains selected from two different registrars. There are some variations which we can look at here. Let's focus on the registrars and the IP addresses.

From my database of detected Eva Phamacy sites over the past 9 months, these are the most used registrars sorted by number of domains

4046 PSI-USA, INC. DBA DOMAIN ROBOT
3911 TRUNKOZ TECHNOLOGIES PVT LTD.
2779 NETLYNX, INC.
2138 NAMESILO, LLC
936 CLOUD GROUP LIMITED
644 NAUNET-REG-RIPN
552 NICS TELEKOMUNIKASYON TICARET LTD.STI.
421 REGRU-REG-RIPN
402 REGISTRYGATE GMBH
347 UNITED-DOMAINS AG
193 KEY-SYSTEMS GMBH
156 DOMAINCONTEXT, INC.
112 HTTP.NET INTERNET GMBH

SPAMMED DOMAIN = HOST
Most times the spammed domain name resolves to the IP address of the hosting site. At any one time there will be less than 15 IP addresses in use for the thousands of domains.

SPAMMED DOMAIN = REDIRECTOR
But there are also many cases where the spammed domain names redirect to a target domain that is not spammed, in an attempt to hide from blacklisting services.

EXCEPTIONS
One exception to the pattern described above is the recent emergence of a single registrar, a single redirection target and a single IP address across the board. DOMAINCONTEXT sponsors all the redirectors, the target and the name servers and they all run on the one IP at 146.185.247.40 in Russia. The registrations come from a partner registrar at RU-TLD.RU [e-mail: [email protected] and icq: 900004]

This is a picture of the most abused registrars, showing their compliance with suspension requests



Four registrars stand out - although some suspensions have taken place, there are over 880 domains still sponsored by these four.

* NAUNET in Russia
* PSI-USA / InterNetX in Germany
* NameSilo in the US
* HTTP.NET in Germany

This shows the number of live Eva Pharmacy fraud domains provided by the top registrars. If these registrars were to suspend these fraudulent domains this Russian scam operation would be less successful.



Dateline: November 15, 2003

OCTOBER 14, 2013
REPORTING ABUSED IP ADDRESSES
The most frequently used IP addresses for hosts and name servers is shown below. It would be useful if someone would volunteer to report these. I don't usually value the black-holing of IP addresses, because the miscreants who use them can rapidly switch to new addresses.

The advantage of reporting these ones is that there are many name servers that have been placed on hold, but the registrar has failed to change the "glue" records, so the name servers still resolve names. If the addresses are changed, then hundreds of sites will be taken down at once.

Highest used IP addresses (sorted into most frequent first)

188.128.242.130
report to [email protected]
31.184.241.32
Budko Dmutro, UKR, +380958382755
195.2.240.144
report to [email protected]
185.5.99.145
report to [email protected]
85.95.236.188
Rasim Akkoyunlu +905763457689
82.114.63.171
report to [email protected]
134.60.13.251
report to [email protected]
75.98.230.254
report to [email protected]
88.190.218.27
[email protected]
85.31.101.202
report to [email protected]

208.73.211.28
91.198.137.39
88.191.160.232
88.151.99.156
85.31.101.203
208.91.197.66

HOW TO REPORT
When reporting these, it is necessary to give evidence that they are used for unlawful purposes. This has been done already. To view the evidence, you just need to form the URL as shown here. Take the ip address and append it to http://www.abuseipdb.com/report-history/

For example, take the one of the highly used IPs from the list:
Evidence: http://www.www.abuseipdb.com/report-history/24.234.252.189

When you look at that site, you may find a useful link to the WHOIS information, in a box called [Whois 24.234.252.189]. When you go there, you might find the abuse reporting addresses.
If not, look it up at http://who.is
http://who.is/whois-ip/ip-address/24.234.252.189 which reports
OrgAbuseEmail: [email protected]

You can send a request to the abuse addresses, asking that the IP address be null-routed because it is being used for unlawful purposes, linking to the evidence as shown above.

Updated October 10 2013 - addresses refreshed with current ones

Eva Pharmacy generates thousands of domain names. Typically the registrants have names, addresses, phone numbers from all over the world.
The addresses and phone numbers look genuine, up to a point. In actual fact, they are invariably fakes.

* The street name, suburb and city may ll exist, but often the street number is higher than the number of locations in that street. It is randomly generated.
* The suburb is usually in the same city as the street, however the street is often actually in an adjacent suburb.
* The phone number starts with the correct prefix code for the country and suburb (land-line) or phone provider (cell). But the rest of the phone number is randomly generated, and usually does not exist

Question: How are these thousands of registrant details created?
Answer: http://www.fakenamegenerator.com

There you will find that this cute little random person ID generator follows exactly along the lines described above.

A pointer to this site is at http://pctechmag.com/2014/02/this-guy-creates-billions-of-fake-identities-every-month/

That's how it slips past the most rudimentary checks applied by registrars, if they look at them at all.

Let's work an example. A fake ID generated for a French name in France gave




Now look up an EvaPharmacy domain, jacquelynnvikki.com


It is clear that the structure of what is generated at fakenamegenerator.com matches the format of the data used in the domain registration. Note that for France the same entry is used for both Registrant City and Registrant State/Province. That's because the generator does not generate both fields.
The same occurs with Finland, Hungary, Poland.
But other countries supply both fields, for example Australia, Brazil, Canada, Germany, Spain, Italy, Netherlands, New Zealand, US

Highest abused IP addresses - end of March 2014

In descending order of abuse, with sample fraud hosting domains as recorded on March 25, 2014

Results will vary, as the Eva Pharmacy crooks rotate these regularly

[377] 107.6.41.96 ([email protected])
viviannejonie.com
walylaryssa.com
wilhelminaessie.com
willytara.com

[27] 187.217.198.114 ([email protected])
viagracanadatoronto.com
viagradietgroup.com
viagralevitragroup.com
viagraopioid.com

[25] 178.21.20.130 ([email protected])
thepilldrugstore.com
medicaidmeds.com
greatpharmacytech.ru
caretabletspills.ru

[21] 95.84.156.43 (NCNET NCC Operations, National Cable Netwiork, RU, +7 495 6859542
thepilldrugstore.com
theviagramedical.com
thewelnesshealthcare.com
vivietasha.com

[18] 196.196.8.41 ([email protected])
medicaidmeds.com
medscanadagroup.net
modestarafaelita.com
newdrugstorerx.net

[11] 94.185.84.80 ([email protected])
salesmeds.com
tabssale.com
themedprescription.com
theviagracialis.net

[9] 196.196.8.42 ([email protected])
chromedical.com
drugpharmacymed.com
drugstoremedsopioid.com
medicationsupplements.com

[7] 200.58.119.215 ([email protected])
loalydyxdo.com
quvgehocom.com
tuhvabwyju.com
yehwipmilsa.com

[4] 217.153.35.199 ([email protected])
buyviagracanada.com
dietviagragroup.com
genericschemistsshop.com
healthcarepharmacygroup.com

[4] 196.196.8.40 ([email protected])
levitratabkorsinsky.com
medicarewelbizness.net
mytabletdrugstore.net
pharmacymedgroup.com

ISPs should investigate these IP addresses used for illegal activity, and blackhole or null route them