InBoxRevenge KS Forum

Eva Pharmacy has created thousands of domain names. Previous research has shown that they often register with stolen credit cards. Anyone who places an order with these criminals is open to having their credit card abused.

Sometimes the Eva pharmacy crooks try to "fly under the radar" of blacklists, by using these disposable domains in spam, but the domain actually transfers the user to another one, which is never spammed.

Listed below is a set of examples. Some of these domains, shown in red, have been suspended by the compliant registrars, others await their attention.

* RxMedications - see http://spamtrackers.eu/wiki/index.php/RxMeds
b101 b101.walgreentab.at b101.drugstoremagnacca.com b101.prescriptionmedicalgroup.at
o100 o100.healthrxshop.ru
o101 o101.storemedicare.net o101.smartrendviagra.com
o102 o102.rxcarepatient.com o102.drugtorehealthcare.ru
o244 o244.theviagrahealthcare.com o244.nursingmeds.net o244.remediespharm.in o244.drugtorerxassays.ru
m100 m100.newpharmacycanada.at m100 switched to My Canadian Pharmacy
m102 m102.docmedprescription.com m102.allmedicalquestion.at (NIC.AT) m102.pillopioid.at m102.medicinexus.in m102.drugtorehealthcare.ru -> m102 switched to My Canadian Pharmacy
m105 m105.dietpillcialis.com

* My Canadian Pharmacy
o100 o100.welnessasale.com o100.pertab.com
o102 o102.medicinepillreckitt.com
m100 m100.viagracialec.com m100.dietpillsmedicine.at m100.medsdietpills.com
m102 m102.pharmbiotechnology.at m102.newpharmacymedicine.com m102.apptabletmed.com m102.medicinepillreckitt.com

* Canadian Health&Care Mall
c100 c100.pssviagramedical.com c100.prescriptionhealthcenter.at c100.drugstorepharmaceutics.com c100.medsdrugprescription.net c100.prescriptioncaregroup.com c100.thehealthcareprescription.eu c100.rxhealthprescriptions.com c100.canrxstore.ru
c102 c102.healthcareviagrabiotech.net c102.pillsciaslis.com c102.rxhealthcarejobs.com c102.myviagragenerics.com c102.dietpillmed.at c102.thepillsmedicine.eu c102.healthpharmacists.eu c102.pharmacyalberta.com c102.rxdrugprescriptions.com c102.tabletsrx.ru

* RxExpressOnline
e100 e100.thelevitrarx.com e100.mypillgenerics.in e100.rxcaregroup.be
e101 e101.viagrafood.com
e102 e102.healthrxpharmacycare.ru e102.torontotab.in e102.carcareprescription.net e102.rxhealthremedies.com
e105 e105.kickedmedia.in e105.walgreenspills.com e105.thetabdrugstore.net
e244 e244.autocarepharmacy.com e244.medicarepillpatients.eu e244.caretabletspills.ru
private private.prescriptionspills.com

Note: Red means that the domain has been suspended by the registrar for breaking their terms of service

LIVE at March 3, 2014

c100.canrxstore.ru	Canadian Health&Care Mall	NAUNET-REG-RIPN
* c100.rxhealthprescriptions.com	Canadian Health&Care Mall	PSI-USA, INC. DBA DOMAIN ROBOT
* c102.mypharmcare.be	Canadian Health&Care Mall	Key-Systems GmbH
c102.tabletsrx.ru	Canadian Health&Care Mall	NAUNET-REG-RIPN
* e100.easyrxpharmacy.ru	RxExpressOnline	NAUNET-REG-RIPN
* e100.mypillgenerics.in	RxExpressOnline	NETLYNX, INC
* e101.viagrafood.com	RxExpressOnline	PSI-USA, INC. DBA DOMAIN ROBOT
* e102.bestpharmacydirect.ru	My Canadian Pharmacy	NAUNET-REG-RIPN
* e105.thetabdrugstore.net	RxExpressOnline	PSI-USA, INC. DBA DOMAIN ROBOT
e244.caretabletspills.ru	RxExpressOnline	NAUNET-REG-RIPN
* m100.medsdietpills.com	My Canadian Pharmacy	HTTP.NET INTERNET GMBH
m102.drugtorehealthcare.ru	RxMedications	NAUNET-REG-RIPN
* m102.healthpharmacyinc.com	RxExpressOnline	NETLYNX, INC.
* m105.canadaspharm.be	?	NETLYNX, INC
m105.superrxstore.ru	RxMedications	NAUNET-REG-RIPN
o100.healthrxshop.ru	RxMedications	NAUNET-REG-RIPN
o102.drugtorehealthcare.ru	RxMedications	NAUNET-REG-RIPN
o244.drugtorerxassays.ru	RxMedications	NAUNET-REG-RIPN
* private.prescriptionspills.com	RxExpressOnline	NETLYNX, INC.

Nov 21, 2013. Each has address 109.163.234.73 on Voxility.net, Libertyville, IL 60048. [email protected]
Nov 22, 27, 29 and Dec 1, 2013. Each has address 91.198.137.39 in Froendenberg, Germany . . . [email protected]
Nov 25, 28 and Dec 3, 2013. Each has address 193.107.89.251 in Poland . . . [email protected]
Dec 6, 11, 19, 26, 27 Each has address 141.255.190.93 in Sweden . . . [email protected]
Dec 10, 20, Jan 6 to 12 Each has address 212.83.140.187 in France . . . [email protected]
Jan 23 Each has address 192.95.20.120 in Canada . . . [email protected]
Jan 30 Each has address 62.210.123.61 in France . . . [email protected]
Jan 31 Each has address 62.210.131.192 in France . . . [email protected]
Feb 2 -11 Each has address 193.105.245.9 in Russia . . . Goryachev Evgeniy Alexandrovich +7987 12 655
Feb 12 Each has address 195.154.117.178 in France . . . [email protected]
Feb 22 Each has address 109.236.85.242 in the Netherlands . . . [email protected]
Mar 3 Each has address 84.200.77.180 in Germany . . . Stephan Roeder +49 2632 9891513
Mar 25 Most have address 178.21.20.130 in the Netherlands - [email protected]

Another redirection scam is based on the abuse of registrars EvoPlus / EvoNames in Canada, and PSI-USA / InterNetX in Germany.

The name serversare often suspended, but the miscreants move on to others. In December 2013, the current name servers were on NVIKO87.com (PSI-USA / InterNetX). In January 2014, nsvilero.com sponsored by InterNetX in Germany

Examples of the redirector domains registered on EvoPlus Ltd. (R589-LRMS) subsequently suspended, were
amicroshetochkaprokrashi.com
auholopovshatntreshat.com
avoobshemndedofonaryaskoka.com
dapribudetsilakvakisnami.com
gonitkolegatebesdolikedfop.com

These in turn perform a redirection, thus:
> Location: http://ddw.bigrxdiscountmedstore.com

This is another Canadian Health&Care Mall fraud out of Russia, registered with sponsor PSI-USA / InterNetX in Germany
Location: http://ddw.bigrxdiscountmedstore.com (subsequently suspended)

In January the Name server was on nglns12.com (PSI-USA / InterNetX) with redirectors sponsored by EvoPlus and Domain Context registrars. Sample redirectors:

bandakolpikedasoi.com . . . DOMAINCONTEXT, INC.
bobbarbikoled.com . . . DOMAINCONTEXT, INC.
densvobodiisobornosti.com . . . EVOPLUS LTD
dilizansprohoditmimo.com . . . DOMAINCONTEXT, INC.
etapievrochempionafu.com . . . EVOPLUS LTD
etootlichniyvariantikolep.com . . . DOMAINCONTEXT, INC.
etovesmastarayainformaciu.com . . . EVOPLUS LTD
glazaotkrilspacibonoci.com . . . EVOPLUS LTD

Here are some sample live sites, with the disposable redirector on the left and the previous and current redirection targets on the right.

Sept 19 all redirectors shared the same address 24.234.252.189 which can be reported to [email protected]
Sept 26 all redirectors shared the same address 190.2.4.81 which can be reported to [email protected]
October 10 all redirectors shared the same address 134.60.13.251 which can be reported to [email protected]
November 1 all redirectors shared the same address 190.2.4.81 which can be reported to [email protected]
November 7 all redirectors shared the same address 5.134.114.220 which can be reported to [email protected]
November 15 all redirectors shared the same address 95.163.107.212 which can be reported to [email protected]
November 22 all redirectors shared the same address 216.27.27.21 which can be reported to [email protected]
December 3 all redirectors shared the same address 5.134.114.220 which can be reported to [email protected]
January 23, 2014 all redirectors shared the same address 192.95.20.120 which can be reported to [email protected]
Jan 30 all redirectors shared the same address 62.210.123.61 which can be reported to [email protected]

[Edit - the redirections and IP may change, but they still redirect to Eva frauds]
A snapshot taken in November, with a sample of redirectors

Redirector	Fraud type	Target	Registrar
antonettaalina.com	RxExpressOnline	e100.mypillgenerics.in	NETLYNX
bernymaude.com	My Canadian Pharmacy	m102.medicinepillreckitt.com	PSI-USA / InterNetX
brigitjennlinn.com	Canadian Health&Care Mall	c100.prescriptioncaregroup.com	BIZCN
brinamaritsa.com	RxMedications	o100.healthrxshop.ru	TRUNKOZ
juliettaagnola.com	Canadian Health&Care Mall	c100.prescriptioncaregroup.com	NAMESILO

The Sept 26 targets are registered with

NIC.AT
NAUNET-REG-RIPN
HTTP.NET INTERNET GMBH

The November 15 targets are registered with

HTTP.NET INTERNET GMBH
NAUNET-REG-RIPN
NETLYNX, INC.
TRUNKOZ TECHNOLOGIES PVT LTD.

The December 3 targets are registered with

HTTP.NET
Key-Systems
NAMESILO
NAUNET-REG-RIPN
NETLYNX
PSI-USA / InterNetX

The December 21 - January 21 targets are registered with sponsors

HTTP.NET
NAMESILO
NAUNET-REG-RIPN
NETLYNX
PSI-USA / InterNetX

A list of the Xn0n. prefix redirection targets
SUSPENDED BY REGISTRAR

mypillgenerics.in - NETLYNX - reinstated Feb 6, web site removed - Client Hold 7 June 2014
dietpillcialis.com - NETLYNX - reinstated Feb 6, web site removed Client Hold 10-apr-2014

allmedicalquestion.at - NIC.AT
apptabletmed.com - BIZCN.COM, INC.
autocarepharmacy.com - TRUNKOZ
canadatabletsurface.at - NIC.AT (CFP)
canadiancanadaviagra.com - TRUNKOZ TECHNOLOGIES PVT LTD.
carcareprescription.net - PSI-USA / InterNetX
dietpillmed.at - NIC.AT
dietpillsmedicine.at - NIC.AT
discountrxmedications.com - HTTP.NET INTERNET GMBH
docmedprescription.com - NETLYNX, INC.
druggenericsmeds.com - PSI-USA / InterNetX
drugstoremagnacca.com - TRUNKOZ TECHNOLOGIES PVT LTD.
drugstorepharmaceutics.com - PSI-USA / InterNetX
thelevitrarx.com - PSI-USA / InterNetX
healthcareviagrabiotech.net - PSI-USA / InterNetX
healthpharmacists.eu - Key-Systems GmbH
homemedicalrx.net - PSI-USA / InterNetX
kickedmedia.in - NETLYNX
kylalindsay.com - PSI-USA / InterNetX
medicarepillpatients.eu - Key-Systems GmbH
medicinexus.in - NETLYNX, INC.
medicinepillreckitt.com - HTTP.NET INTERNET GMBH
medsdrugprescription.net - PSI-USA / InterNetX
mymedicinerx.in - NETLYNX, INC.
myviagragenerics.com - NAMESILO, LLC
newpharmacycanada.at - NIC.AT
newpharmacymedicine.com - TRUNKOZ TECHNOLOGIES PVT LTD.
nursingmeds.net - PSI-USA / InterNetX
pertab.com - TRUNKOZ TECHNOLOGIES PVT LTD.
pharmacyalberta.com - PSI-USA / InterNetX
pharmbiotechnology.at - NIC.AT
pillopioid.at - NIC.AT
pillsciaslis.com - TRUNKOZ
prescriptioncarehome.in - NETLYNX, INC.
prescriptioncaregroup.com - TRUNKOZ
prescriptionhealthcenter.at - NIC.AT
prescriptionmedicalgroup.at - NIC.AT
pssviagramedical.com - NETLYNX, INC.
rxdrugprescriptions.com - PSI-USA, INC. DBA DOMAIN ROBOT
rxcaregroup.be - Key-Systems GmbH
rxhealthmedications.com -HTTP.NET INTERNET GMBH
rxhealthremedies.com - HTTP.NET INTERNET GMBH > TRUNKOZ TECHNOLOGIES PVT LTD
rxcarepatient.com - TRUNKOZ TECHNOLOGIES PVT LTD.
rxhealthcarejobs.com - NAMESILO, LLC
salesprescription.com - PSI-USA / InterNetX
smartrendviagra.com - TRUNKOZ
storemedicare.net - PSI-USA / InterNetX
thegenericsmeds.com - PSI-USA / InterNetX
thehealthcareprescription.eu - Key-Systems GmbH
thelevitrarx.com - PSI-USA / InterNetX
thepillsmedicine.eu - Key-Systems GmbH
theviagrahealthcare.com - TRUNKOZ TECHNOLOGIES PVT LTD.
torontotab.in - NETLYNX
viagracialec.com - NETLYNX, INC.
walgreentab.at - NIC.AT
walgreenspills.com - NETLYNX, INC
remediespharm.in - NETLYNX
healthrxpharmacycare.ru - NAUNET-REG-RIPN

List of current redirection targets
LIVE at June 16, 2014

c100.canrxstore.ru	Canadian Health&Care Mall	NAUNET-REG-RIPN
* c100.rxhealthprescriptions.com	Canadian Health&Care Mall	PSI-USA, INC. DBA DOMAIN ROBOT
* c102.mypharmcare.be	Canadian Health&Care Mall	Key-Systems GmbH
* c102.tabletsrx.ru	Canadian Health&Care Mall	NAUNET-REG-RIPN
* e100.easyrxpharmacy.ru	RxExpressOnline	NAUNET-REG-RIPN
* e100.mypillgenerics.in	RxExpressOnline	NETLYNX, INC
* e101.viagrafood.com	RxExpressOnline	PSI-USA, INC. DBA DOMAIN ROBOT
* e102.bestpharmacydirect.ru	My Canadian Pharmacy	NAUNET-REG-RIPN
* e105.thetabdrugstore.net	RxExpressOnline	PSI-USA, INC. DBA DOMAIN ROBOT
e244.caretabletspills.ru	RxExpressOnline	NAUNET-REG-RIPN
* m100.medsdietpills.com	My Canadian Pharmacy	HTTP.NET INTERNET GMBH
m102.drugtorehealthcare.ru	RxMedications	NAUNET-REG-RIPN
* m102.healthpharmacyinc.com	RxExpressOnline	NETLYNX, INC.
* m105.canadaspharm.be	not loading?	NETLYNX, INC
* m105.superrxstore.ru	RxMedications	NAUNET-REG-RIPN
o100.healthrxshop.ru	RxMedications	NAUNET-REG-RIPN
o102.drugtorehealthcare.ru	RxMedications	NAUNET-REG-RIPN
o244.drugtorerxassays.ru	RxMedications	NAUNET-REG-RIPN
* private.prescriptionspills.com	RxExpressOnline	NETLYNX, INC.
* refills.therxmed.com	RxExpressOnline	PSI-USA, INC. DBA DOMAIN ROBOT

Historical record of IP addresses and contacts
Nov 21, 2013. 109.163.234.73 on Voxility.net, Libertyville, IL 60048. [email protected]
Nov 22, 27, 29 and Dec 1, 2013. 91.198.137.39 in Froendenberg, Germany . . . [email protected]
Nov 25, 28 and Dec 3, 2013. 193.107.89.251 in Poland . . . [email protected]
Dec 6, 11, 19, 26, 27 141.255.190.93 in Sweden . . . [email protected]
Dec 10, 20, Jan 6 to 12 212.83.140.187 in France . . . [email protected]
Jan 23 192.95.20.120 in Canada . . . [email protected]
Jan 30 62.210.123.61 in France . . . [email protected]
Jan 31 62.210.131.192 in France . . . [email protected]
Feb 2 -11 193.105.245.9 in Russia . . . Goryachev Evgeniy Alexandrovich +7987 12 655
Feb 12 195.154.117.178 in France . . . [email protected]
Feb 22 109.236.85.242 in the Netherlands . . . [email protected]
Mar 3 84.200.77.180 in Germany . . . Stephan Roeder +49 2632 9891513
Mar 7 91.218.125.210 . . . [email protected]

Redirection targets from thousands of disposable spammed domains are always a delight to remove.

Recent examples

c102.thecanadameds.in
e100.dietpilldrugstore.com
e100.mypillgenerics.in
e102.thepillsmed.com
m100.thedietpharm.com
m102.thecanadameds.com
home.dietpillmed.com
private.healthsrx.com
refills.thedietrx.com
rx.viagrahealthplans.com
c102.tabletsrx.ru
m105.superrxstore.ru
o101.fitnesspharmacyrx.ru
pfizermedsrx.ru
private.mytablethealth.be
refilling.pillhealthgroup.net
refills.therxmed.com
rx.newpharmacysale.eu

Here are the host IP addresses commonly used by this Eva Pharmacy redirection method during June 2014. They are rotated regularly.

IP ADDRESS / COUNTRY / ABUSE COMPLAINT
46.165.219.14 / BE / abuse@leaseweb.de
81.0.124.75 / RU / abuse@invitel.net
84.200.77.180 / BE / abuse@accelerated.de
93.115.210.16 / RO / abuse@ip.ro
94.185.84.80 / SE / abuse@netrouting.com


Common live redirection targets

c100.canrxstore.ru
* c102.canadianmedsquality.com
* e100.dietpilldrugstore.com
e102.bestpharmacydirect.ru
* e102.storerxpills.com
e105.thecialispharmacy.com
e244.caretabletspills.ru
m100.canadiansmarttrade.com
* m100.canadianfaststore.com
* m100.thedietpharm.com
m102.drugtorehealthcare.ru
m102.mylevitrapill.com
* m102.perfectwelnessinc.com
o100.healthrxshop.ru
o101.pillhealthcaretenet.ru
o102.drugtorehealthcare.ru
o244.drugtorerxassays.ru
refills.netpillstore.com
rxpharmacysite.ru

By using cachecheck.opendns.com, I notice additional IP addresses reported by the sites' DNS. I don't know if the following addresses are actually involved in the redirection or are only diversions (so I've only listed a few of them below).

37.110.1.94 / RU / abuse@ncnet.ru
173.237.198.32 / US / abuse@bos.netriplex.com
178.216.96.106 / UA /
221.13.79.26 / CN / abuse@cnc-noc.net

Just to confirm:

Are these IP addresses used specifically for the hosting of the *actual* Eva sites? Or the redirections?

Just checking. I'm assuming the former.

SiL