
Eva Pharmacy campaign


All times are UTC - 5 hours [ DST ]


 [ 14 posts ] 
 PostPosted: Wed Feb 20, 2013 8:01 pm   
You are kiillllling-a my bizinisss!
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
This is a topic to provide statistics on the effectiveness of the campaign to remove Eva Pharmacy domains.
The campaign is documented here at viewtopic.php?f=1&t=4894
Registrar compliance ratings are in a table at viewtopic.php?f=1&t=5905&p=61164

What is Eva Pharmacy?
It is a Russian/Ukrainian pharmacy fraud operation, described in detail in the evidence at the spamtrackers.eu wiki entry

Why is there a campaign?
This affiliate program is clearly a fraud, as seen in the evidence link. It has been able to run continuously for several years, undergoing several different guises over that time, but always surviving. It has operated under various affiliate program names, such as Yambo Financials, Bulker Biz, then Eva Pharmacy until mid last year. It has been a constant annoyance in spam volumes, and presents risks to the community. These risks include

    * Identity theft
    * Credit card theft
    * No quality control in the shipments
    * Seizure of medications at customs
    * Combinations of medications which may prove fatal when used in combination
    * Unknown quality control at the manufacture
Therefore, the campaign has set out to notify the registrars of the domain names that the registrants are Russian criminals, who are using the domains for unlawful purposes. Registrars across the world have terms of service agreements which prohibit unlawful use of domain names, and allow for immediate termination under the circumstances where there is a reasonable degree of evidence.


 PostPosted: Mon Apr 22, 2013 12:43 am   
You are kiillllling-a my bizinisss!
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
REPORTING ABUSED IP ADDRESSES
The most frequently used IP addresses for hosts and name servers are shown below. It would be useful if someone would volunteer to report these. I don't usually value the black-holing of IP addresses, because the miscreants who use them can rapidly switch to new addresses.

The advantage of reporting these ones is that there are many name servers that have been placed on hold, but the registrar has failed to change the "glue" records, so the name servers still resolve names. If the addresses are changed, then hundreds of sites will be taken down at once.

Highest used IP addresses (sorted into most frequent first)

188.128.242.130
report to [email protected]
31.184.241.32
Budko Dmutro, UKR, +380958382755
195.2.240.144
report to [email protected]
185.5.99.145
report to [email protected]
85.95.236.188
Rasim Akkoyunlu +905763457689
82.114.63.171
report to [email protected]
134.60.13.251
report to [email protected]
75.98.230.254
report to [email protected]
88.190.218.27
[email protected]
85.31.101.202
report to [email protected]


HOW TO REPORT
When reporting these, it is necessary to give evidence that they are used for unlawful purposes. This has been done already. To view the evidence, you just need to form the URL as shown here. Take the ip address and append it to http://www.abuseipdb.com/report-history/

For example, take the one of the highly used IPs from the list:
Evidence: http://www.www.abuseipdb.com/report-history/24.234.252.189

When you look at that site, you may find a useful link to the WHOIS information, in a box called [Whois 24.234.252.189]. When you go there, you might find the abuse reporting addresses.
If not, look it up at http://who.is
http://who.is/whois-ip/ip-address/24.234.252.189 which reports
OrgAbuseEmail: [email protected]

You can send a request to the abuse addresses, asking that the IP address be null-routed because it is being used for unlawful purposes, linking to the evidence as shown above.

Updated October 10 2013 - addresses refreshed with current ones


 PostPosted: Sun Jul 14, 2013 6:37 pm   
You are kiillllling-a my bizinisss!
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
The FDA, DOJ, International Customs and Interpol combine on an annual basis to take action against fake pharmacies in Operation Pangea.

You can contact them at
    Office of Criminal Investigations
    7500 Standish Place
    Rockville, MD 20855
The web page for reporting criminal activity is at
http://www.accessdata.fda.gov/scripts/email/oc/oci/contact.cfm


 PostPosted: Thu Aug 22, 2013 10:30 pm   
You are kiillllling-a my bizinisss!
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
August 22, 2013
The last 2 days have been very good for some registrars. The number of fraud domains suspended has been high.

235 by NETLYNX (India)
253 by PSI-USA InterNetX (Germany)
302 by NAMESILO (Phoenix, AZ)
100 by TRUNKOZ (India)

Total = 890


 PostPosted: Tue Aug 27, 2013 4:02 pm   
Site Admin
Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Hey

Red and I had a summit skype phonecall regarding a few things and I thought I would contribute something since I wasn't aware that some people thought Eva disappeared completely for some period of time. They did not. They just don't send *us* spam now, primarily.

Lately they are relying on still more hacked servers, but this time using any public exploit against Apache, Wordpress, Joomla, or anything else they can find. They do this to place their redirects specific to Eva domains.

Some examples:

Spammed urls:

http://www.pregnancywyze.com/fairness_cream.html
http://tloves.webchuyennghiep.net/adefovir.html
http://seesawscene.com/lovastatin.html
http://ludivepo.angelfire.com/fusidic_acid.html

Each of these is a hacked website and domain. They bruteforce the html files on to the server, and it redirects the user. These are useful for (at most) only a single day, but probably less, after which the domain is trapped by most spam filters.

For each of those pages the corresponding landing domains are:

pregnancywyze.com => rxhealthmeds.ru [CH&CM]
tloves.webchuyennghiep.net => drugstoremeds.ru [CH&CM]
seesawscene.com => pillstabletspharmacy.ru [MCP]
ludivepo.angelfire.com => medicinerxtablets.ru [MCP]

And from there you get the typical 3-hacked-unix-server setup which has been documented previously.

I have to dig around to find spam for these from my friends, who are pretty happy to keep providing these domains to me. So if you haven't seen any Eva spam lately, it's possibly because you contribute to this forum. :) It's a form of success I suppose.

SiL


 PostPosted: Thu Sep 19, 2013 7:36 pm   
You are kiillllling-a my bizinisss!
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
spamislame wrote:
And from there you get the typical 3-hacked-unix-server setup which has been documented previously.

I can't find evidence of that. To me it looks like they are now using just the one server for pages and images. Are you seeing something different?
In Firefox I use the View Page Info option, and click on Media
Quote:
I have to dig around to find spam for these from my friends, who are pretty happy to keep providing these domains to me. So if you haven't seen any Eva spam lately, it's possibly because you contribute to this forum. :) It's a form of success I suppose.


I would like to have a feed of Eva domains. Currently I have to resort to all sorts of data mining tools to find them, and they are running dry.


 PostPosted: Mon Sep 23, 2013 5:42 pm   
Site Admin
Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Red Dwarf wrote:
spamislame wrote:
And from there you get the typical 3-hacked-unix-server setup which has been documented previously.

I can't find evidence of that. To me it looks like they are now using just the one server for pages and images. Are you seeing something different?

Yup. A browser won't give you nearly enough info. The unix "dig" command is your friend:

Code:
%dig medicinerxtablets.ru

; <<>> DiG 9.9.3-P2 <<>> medicinerxtablets.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16817
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;medicinerxtablets.ru.          IN      A

;; ANSWER SECTION:
medicinerxtablets.ru.   600     IN      A       91.204.162.83

;; AUTHORITY SECTION:
medicinerxtablets.ru.   600     IN      NS      ns1.medicinerxtablets.ru.
medicinerxtablets.ru.   600     IN      NS      ns2.medicinerxtablets.ru.

;; ADDITIONAL SECTION:
ns1.medicinerxtablets.ru. 600   IN      A       91.204.162.83
ns2.medicinerxtablets.ru. 600   IN      A       91.204.162.83

In this case all three ip addresses are the same, but in 90% of cases, they are all different.

So for example:

Code:
%dig wour.ru

; <<>> DiG 9.9.3-P2 <<>> wour.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14988
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wour.ru.                       IN      A

;; ANSWER SECTION:
wour.ru.                600     IN      A       91.204.162.83

;; AUTHORITY SECTION:
wour.ru.                600     IN      NS      ns1.wour.ru.
wour.ru.                600     IN      NS      ns2.wour.ru.

;; ADDITIONAL SECTION:
ns1.wour.ru.            600     IN      A       61.178.118.4
ns2.wour.ru.            600     IN      A       91.226.116.66

;; Query time: 595 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 23 17:38:34 EDT 2013
;; MSG SIZE  rcvd: 120

So: one main http host and two dns hosts

91.204.162.83
61.178.118.4
91.226.116.66

This indicates that "91.204.162.83" is a pretty important ip for them.

Code:
%dig octh.ru

; <<>> DiG 9.9.3-P2 <<>> octh.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20846
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;octh.ru.                       IN      A

;; ANSWER SECTION:
octh.ru.                600     IN      A       91.204.162.83

;; AUTHORITY SECTION:
octh.ru.                600     IN      NS      ns1.octh.ru.
octh.ru.                600     IN      NS      ns2.octh.ru.

;; ADDITIONAL SECTION:
ns1.octh.ru.            600     IN      A       200.110.137.11
ns2.octh.ru.            600     IN      A       125.16.213.251

;; Query time: 527 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 23 17:39:38 EDT 2013
;; MSG SIZE  rcvd: 120

91.204.162.83
200.110.137.11
125.16.213.251

(91.204.162.83 again. Suuuuper important.)

(Note that "medicinerxtablets.ru" one is the domain from your posting way back on Feb. 20th. It's still live.)

Red Dwarf wrote:
In Firefox I use the View Page Info option, and click on Media

That will only show you the "front facing" domain, not which actual IP delivered the image content to your browser.
Red Dwarf wrote:
I would like to have a feed of Eva domains. Currently I have to resort to all sorts of data mining tools to find them, and they are running dry.

Me too. Mine are all sporadically reported by friends who all know I'm still researching this.

I must have made some kind of impact over at Eva because they finally scrubbed their lists of all my addresses except one. It's something I honestly never expected to see take place.

SiL
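The glue-record reading SiL does by hand above, as an added example that is not part of the thread: a parser for dig's section layout that pulls the web-host A record and each name server's glue address, classifies a domain as single-server or web+DNS split, and tallies IP reuse across several domains. The two embedded replies are the ones quoted in this post; all function names are my own.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Two dig replies quoted in this post, embedded verbatim (minus the timing
# footer) so the parser runs offline without issuing any DNS query.
DIG_MED = """\
;; QUESTION SECTION:
;medicinerxtablets.ru.          IN      A
;; ANSWER SECTION:
medicinerxtablets.ru.   600     IN      A       91.204.162.83
;; AUTHORITY SECTION:
medicinerxtablets.ru.   600     IN      NS      ns1.medicinerxtablets.ru.
medicinerxtablets.ru.   600     IN      NS      ns2.medicinerxtablets.ru.
;; ADDITIONAL SECTION:
ns1.medicinerxtablets.ru. 600   IN      A       91.204.162.83
ns2.medicinerxtablets.ru. 600   IN      A       91.204.162.83
"""
DIG_WOUR = """\
;; QUESTION SECTION:
;wour.ru.                       IN      A
;; ANSWER SECTION:
wour.ru.                600     IN      A       91.204.162.83
;; AUTHORITY SECTION:
wour.ru.                600     IN      NS      ns1.wour.ru.
wour.ru.                600     IN      NS      ns2.wour.ru.
;; ADDITIONAL SECTION:
ns1.wour.ru.            600     IN      A       61.178.118.4
ns2.wour.ru.            600     IN      A       91.226.116.66
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|NS)\s+(\S+)$")  # owner ttl IN type rdata
QUESTION = re.compile(r"^;(\S+)\s+IN\s+A$")

def parse_dig(output: str) -> Tuple[str, Dict[str, List[Tuple[str, str, str]]]]:
    """Return (queried name, {section: [(owner, type, rdata), ...]})."""
    qname, sections, current = "", {}, None
    for line in output.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            current = line[3:-len(" SECTION:")]  # QUESTION, ANSWER, AUTHORITY, ...
            sections[current] = []
        elif current == "QUESTION" and (m := QUESTION.match(line)):
            qname = m.group(1).rstrip(".")
        elif current and (m := RR.match(line)):
            owner, rtype, rdata = m.groups()
            sections[current].append((owner.rstrip("."), rtype, rdata.rstrip(".")))
    return qname, sections

def hosting_profile(output: str) -> dict:
    """Web-host IP plus each listed name server's glue IP, as SiL reads it by hand."""
    qname, s = parse_dig(output)
    web = [r for _, t, r in s.get("ANSWER", []) if t == "A"]
    ns = [r for _, t, r in s.get("AUTHORITY", []) if t == "NS"]
    glue = {o: r for o, t, r in s.get("ADDITIONAL", []) if t == "A"}
    glue_ips = [glue[n] for n in ns if n in glue]
    ips = set(web) | set(glue_ips)
    return {
        "domain": qname, "web": web, "nameservers": ns, "glue": glue_ips,
        # NS names under the domain itself need registry glue; that glue is what
        # keeps an on-hold name server resolving, as the first post notes
        "in_bailiwick": all(n.endswith("." + qname) for n in ns),
        "distinct_ips": len(ips),
        "pattern": "single-server" if len(ips) == 1 else "web+dns-split",
    }

def ip_frequency(outputs: Iterable[str]) -> Counter:
    """Count how often each IP recurs across many domains (91.204.162.83 above)."""
    counts: Counter = Counter()
    for out in outputs:
        p = hosting_profile(out)
        counts.update(set(p["web"]) | set(p["glue"]))
    return counts
```

Feeding it the saved output of `dig <domain>` for each domain in a collection gives the "most used IP addresses" ranking the thread maintains by hand, and `in_bailiwick` marks the cases where fixing the registry glue would take the name servers down.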


 PostPosted: Mon Sep 23, 2013 7:06 pm   
You are kiillllling-a my bizinisss!
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
That clears it up. I thought you were including the image server IPs, which they have now dispensed with.

So you are saying that in general there is now a set of 3 IPs - hosting site and 2 name servers - all of which are hijacked I presume.


 PostPosted: Wed Sep 25, 2013 3:39 pm   
Site Admin
Joined: Tue May 09, 2006 9:18 am
Posts: 5022
Red Dwarf wrote:
That clears it up. I thought you were including the image server IPs, which they have now dispensed with.

Yeah, that appears to have been disposed of in mid-2009.
Red Dwarf wrote:
So you are saying that in general there is now a set of 3 IPs - hosting site and 2 name servers - all of which are hijacked I presume.

Welllll.... sssssort of yes / no.

In general, as often as possible, they use hacked / hijacked servers around the world, usually in sets of three (web host + 2 dns hosts.)

But not always.

Sometimes it's one IP address for all three. In some cases that IP address is either hacked / hijacked, or it's actually "owned" by whoever it is at EvaPharmacy. In the latter case, very often that "owned" server has still been paid for using some unsuspecting person's credit card data. Etc. It's a mish-mash.

SiL


 PostPosted: Wed Sep 25, 2013 5:46 pm   
You are kiillllling-a my bizinisss!
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
It is interesting to see the patterns used by this operation. In most cases there are only two DNS resolvers, using domains selected from two different registrars. There are some variations which we can look at here. Let's focus on the registrars and the IP addresses.

From my database of detected Eva Pharmacy sites over the past 9 months, these are the most used registrars sorted by number of domains:

4046 PSI-USA, INC. DBA DOMAIN ROBOT
3911 TRUNKOZ TECHNOLOGIES PVT LTD.
2779 NETLYNX, INC.
2138 NAMESILO, LLC
936 CLOUD GROUP LIMITED
644 NAUNET-REG-RIPN
552 NICS TELEKOMUNIKASYON TICARET LTD.STI.
421 REGRU-REG-RIPN
402 REGISTRYGATE GMBH
347 UNITED-DOMAINS AG
193 KEY-SYSTEMS GMBH
156 DOMAINCONTEXT, INC.
112 HTTP.NET INTERNET GMBH

SPAMMED DOMAIN = HOST
Most times the spammed domain name resolves to the IP address of the hosting site. At any one time there will be less than 15 IP addresses in use for the thousands of domains.

SPAMMED DOMAIN = REDIRECTOR
But there are also many cases where the spammed domain names redirect to a target domain that is not spammed, in an attempt to hide from blacklisting services.

EXCEPTIONS
One exception to the pattern described above is the recent emergence of a single registrar, a single redirection target and a single IP address across the board. DOMAINCONTEXT sponsors all the redirectors, the target and the name servers and they all run on the one IP at 146.185.247.40 in Russia. The registrations come from a partner registrar at RU-TLD.RU [e-mail: [email protected] and icq: 900004]


 PostPosted: Mon Oct 07, 2013 10:57 pm   
You are kiillllling-a my bizinisss!
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
This is a picture of the most abused registrars, showing their compliance with suspension requests

Image

Four registrars stand out - although some suspensions have taken place, there are over 880 domains still sponsored by these four.

    * NAUNET in Russia
    * PSI-USA / InterNetX in Germany
    * NameSilo in the US
    * HTTP.NET in Germany

This shows the number of live Eva Pharmacy fraud domains provided by the top registrars. If these registrars were to suspend these fraudulent domains this Russian scam operation would be less successful.

Image

Dateline: November 15, 2003


 PostPosted: Sun Oct 13, 2013 3:53 pm   
You are kiillllling-a my bizinisss!
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
OCTOBER 14, 2013
REPORTING ABUSED IP ADDRESSES
The most frequently used IP addresses for hosts and name servers are shown below. It would be useful if someone would volunteer to report these. I don't usually value the black-holing of IP addresses, because the miscreants who use them can rapidly switch to new addresses.

The advantage of reporting these ones is that there are many name servers that have been placed on hold, but the registrar has failed to change the "glue" records, so the name servers still resolve names. If the addresses are changed, then hundreds of sites will be taken down at once.

Highest used IP addresses (sorted into most frequent first)

188.128.242.130
report to [email protected]
31.184.241.32
Budko Dmutro, UKR, +380958382755
195.2.240.144
report to [email protected]
185.5.99.145
report to [email protected]
85.95.236.188
Rasim Akkoyunlu +905763457689
82.114.63.171
report to [email protected]
134.60.13.251
report to [email protected]
75.98.230.254
report to [email protected]
88.190.218.27
[email protected]
85.31.101.202
report to [email protected]


HOW TO REPORT
When reporting these, it is necessary to give evidence that they are used for unlawful purposes. This has been done already. To view the evidence, you just need to form the URL as shown here. Take the ip address and append it to http://www.abuseipdb.com/report-history/

For example, take the one of the highly used IPs from the list:
Evidence: http://www.www.abuseipdb.com/report-history/24.234.252.189

When you look at that site, you may find a useful link to the WHOIS information, in a box called [Whois 24.234.252.189]. When you go there, you might find the abuse reporting addresses.
If not, look it up at http://who.is
http://who.is/whois-ip/ip-address/24.234.252.189 which reports
OrgAbuseEmail: [email protected]

You can send a request to the abuse addresses, asking that the IP address be null-routed because it is being used for unlawful purposes, linking to the evidence as shown above.

Updated October 10 2013 - addresses refreshed with current ones


 PostPosted: Tue Feb 04, 2014 7:50 pm   
You are kiillllling-a my bizinisss!
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Eva Pharmacy generates thousands of domain names. Typically the registrants have names, addresses, phone numbers from all over the world.
The addresses and phone numbers look genuine, up to a point. In actual fact, they are invariably fakes.

* The street name, suburb and city may all exist, but often the street number is higher than the number of locations in that street. It is randomly generated.
* The suburb is usually in the same city as the street, however the street is often actually in an adjacent suburb.
* The phone number starts with the correct prefix code for the country and suburb (land-line) or phone provider (cell). But the rest of the phone number is randomly generated, and usually does not exist.

    Question: How are these thousands of registrant details created?
    Answer: http://www.fakenamegenerator.com
There you will find that this cute little random person ID generator follows exactly along the lines described above.

A pointer to this site is at http://pctechmag.com/2014/02/this-guy-creates-billions-of-fake-identities-every-month/

That's how it slips past the most rudimentary checks applied by registrars, if they look at them at all.

Let's work an example. A fake ID generated for a French name in France gave


Quote:
Galatee Hughes
29, rue des lieutemants Thomazo
83300 DRAGUIGNAN
Phone:
04.41.33.49.88
Email Address:
GalateeHughes@armyspy.com
This is a real email address. Click here to activate it!


Now look up an EvaPharmacy domain, jacquelynnvikki.com
Quote:
Registrant Name: Eleanor Dandonneau
Registrant Organization: Eleanor Dandonneau
Registrant Street: 21 rue des lieutemants Thomazo
Registrant City: Draguignan
Registrant State/Province: Draguignan
Registrant Postal Code: 83300
Registrant Country: FR
Registrant Phone: +33.0407242406
Registrant Email: waldman@jacquelynnvikki.com


It is clear that the structure of what is generated at fakenamegenerator.com matches the format of the data used in the domain registration. Note that for France the same entry is used for both Registrant City and Registrant State/Province. That's because the generator does not generate both fields.
The same occurs with Finland, Hungary, Poland.
But other countries supply both fields, for example Australia, Brazil, Canada, Germany, Spain, Italy, Netherlands, New Zealand, US.
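An added example, not from the thread, that turns the observations in this post into a registrar-side screening check: it parses the quoted WHOIS layout, flags City equal to State/Province for the four countries named (FR, FI, HU, PL), and compares a registration against a generator-style record field by field. The two sample records are the ones quoted above, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Countries the post says fakenamegenerator.com emits without a separate
# state/province, so the generated city lands in both WHOIS fields.
SINGLE_REGION = {"FR", "FI", "HU", "PL"}

# The registration quoted in the post, embedded as a constructed sample.
SAMPLE_WHOIS = """\
Registrant Name: Eleanor Dandonneau
Registrant Organization: Eleanor Dandonneau
Registrant Street: 21 rue des lieutemants Thomazo
Registrant City: Draguignan
Registrant State/Province: Draguignan
Registrant Postal Code: 83300
Registrant Country: FR
Registrant Phone: +33.0407242406
Registrant Email: waldman@jacquelynnvikki.com
"""
# The generator output quoted in the post, as a constructed field dict.
SAMPLE_GENERATED = {"Street": "29, rue des lieutemants Thomazo",
                    "Postal Code": "83300", "City": "DRAGUIGNAN", "Country": "FR"}

def parse_registrant(text: str) -> Dict[str, str]:
    """Turn 'Registrant <field>: <value>' lines into a dict keyed by <field>."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^Registrant ([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def split_street(street: str) -> Tuple[Optional[int], str]:
    """'21 rue X' or '29, rue X' -> (house number, normalised street name)."""
    m = re.match(r"^\s*(\d+)\s*,?\s*(.*)$", street)
    if not m:
        return None, " ".join(street.lower().split())
    return int(m.group(1)), " ".join(m.group(2).lower().split())

def generator_indicators(fields: Dict[str, str]) -> List[str]:
    """Signals from the post that a registrant record was machine-generated."""
    hits: List[str] = []
    country = fields.get("Country", "").strip().upper()
    city = fields.get("City", "").strip().lower()
    region = fields.get("State/Province", "").strip().lower()
    # Only a signal for countries where the generator has no region field;
    # for the others the post says both fields are filled independently.
    if country in SINGLE_REGION and city and city == region:
        hits.append(f"{country}: city duplicated into State/Province")
    return hits

def same_template(whois: Dict[str, str], generated: Dict[str, str]) -> dict:
    """Does the registration share the generator record's street name,
    postcode and city while carrying a different (random) house number?"""
    w_num, w_street = split_street(whois.get("Street", ""))
    g_num, g_street = split_street(generated.get("Street", ""))
    return {
        "street_name_match": w_street == g_street,
        "postcode_match": whois.get("Postal Code") == generated.get("Postal Code"),
        "city_match": whois.get("City", "").lower() == generated.get("City", "").lower(),
        "number_differs": w_num != g_num,
    }
```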


 PostPosted: Tue Mar 25, 2014 8:00 pm   
You are kiillllling-a my bizinisss!
Joined: Tue Jun 27, 2006 2:01 am
Posts: 9227
Highest abused IP addresses - end of March 2014

In descending order of abuse, with sample fraud hosting domains as recorded on March 25, 2014.

Results will vary, as the Eva Pharmacy crooks rotate these regularly.


ISPs should investigate these IP addresses used for illegal activity, and blackhole or null route them.

