Illicit e-pharmacy bolstered by ISPs?

Often in our everyday life we have to make decisions and it goes without saying that in most cases our decisions represent a choice not between the malignant and the heavenly but rather we select less adverse item among all the terrible. Now what is less adverse for you is a question of personal view. In the case with the online medicine purchase the situation is that we have to choose if we want undergo such a misfortune as to spend our money and time for traveling to the nearest brick-and-mortar pharmacy in order to buy necessary pills or solution or we would prefer staying at home and undergo a misfortune of being defrauded of your money when ordering medicine online and after that being poisoned by incorrectly proportioned or, which is even worse, improper medication.

It should be noted that customers do not deliberately support illegal pharmacy chains, yet, they can do it unpremeditatedly because there are such conditions that force them to resort to the Internet drugstores that sell foreign medicine at a much lower price than at the pharmacies in the USA. Many consumers in the United States just cannot afford purchasing local medication because as we have already noted in our previous article the U.S. government is almost the only government in the world that does not regulate and control medicine pricing in the country. Moreover, the government does not regulate business activity performed on the virtual space. Thus, ordinary residents of one of the most powerful countries, posing itself as a protector of human rights, are left alone to fight against violators of these rights neglected by their government.

It is an Internet community itself including journalists and independent researchers who really cares for what is going on within the cyber world. But all their efforts to deter onslaught of the crime is limited to the propaganda to warn people against pernicious schemes active on the Internet. They are not capable and authorized to stop the cybercrime, especially taking into account the fact that official and empowered agencies and ISPs do almost nothing to react on all the appeals of mass media to pull the plug on such dubious Internet players. The agencies are more interested in their revenues they get from those criminals rather than in welfare of ordinary citizens.

Super promotion: Pay for a drug, and you will get a virus for free!

Surely, you are not likely to meet such kind of advertisement anywhere on the web, but we cannot help presenting it exactly this way inasmuch as many online purchases or at least attempts to make a purchase of a medicine online turn into malware download onto your PC. The description of how it works already was already provided by Garth Bruen at KnujOn. Though it represents the scheme that operated through the domains registered with EstDomains that is currently not on the stage, however in light of the fact that most of the sites that were hosted with EstDomains transferred to other registrars it is still actual. Anyway you will have at least an approximate idea of how is works.

Several former steroids EstDomains sites have metadata that appears to offer Schedule 3 substances like Morphine, Testosterone, and Vicodin but redirects the user's browser to youtube-free-videos.com (also sponsored by EstDomains), a porn site that attempts download malware in the guise of a "player update." The scripting vigorously prevents the user from navigating away from the page or closing it. The content of youtube-free-videos.com is served from best-of-searcht.com (also sponsored by EstDomains), another porn site that has links to another fake pharmacy: world-pharmacy-online.com (also sponsored by EstDomains).


This EstDomains sponsored and PrivacyProtected domain asiangirlporn.net rotates different sites the user is redirected to. One site, movlabs.com, seems to feature films that depict rape scenes as well as attempting to download malware from aviupdate.com (also sponsored by EstDomains).

Another redirect landing launched from asiangirlporn.net links to fake virus/spyware scan site: security-scan-pc.com. This particular fake security software is actually one of the most insidious PC infections to date. It blocks access to the Control Panel, Registry Editor, hard drive, removable media, Task Manager, Run, and just about any utility someone might use to fix their PC or remove the malware. It also blocks installation and running of legitimate anti-virus packages. Once infected your PC can only be used as a botnet node or a doorstop.


Earlier this year IronPort® Systems, a leading provider of enterprise spam, virus and spyware protection, and now part of Cisco, conducted a research that was released in June. The study identified a link between originators of malware, such as Storm, and illegal pharmaceutical supply chain businesses that recruit the botnets to send spam promoting their websites.

Patrick Peterson, vice president of technology at IronPort and a Cisco fellow, said:

"Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of $150 million per year."

IronPort's research revealed that more than 80 percent of Storm botnet spam advertises online pharmacy brands. This spam is sent by millions of consumers' personal computers, which have been infected by the Storm worm via a multitude of sophisticated social engineering tricks and web-based exploits. Further investigation revealed that spam templates, "spamvertized" URLs, website designs, credit card processing, product fulfillment and customer support were being provided by a Russian criminal organization that operates in conjunction with Storm. 

This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services. However, IronPort-sponsored pharmacological testing revealed that two-thirds of the shipments contained the active ingredient but were not the correct dosage, while the others were placebos. As a result, consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors.

The offerings of similar partner programs can be found at a well known Russian site designed for Webmasters. It is known as crutop.nu. Here on the Crutop forum illicit businesses share their experience and offer their services to help anyone who want to open an online pharmacy store. Look at these pictures below.
 
Here you can see that Rx-Commission is offering its partner program. They call it ‘partnyorka’.

Having consulted LegitScript we revealed that RX-Commission is a rogue Internet pharmacy. They say:

Unapproved Internet Pharmacy: LegitScript has reviewed this Internet pharmacy and determined that it does not meet LegitScript Internet pharmacy verification standards. 

Additionally, LegitScript has determined that this pharmacy website meets our definition of a "Rogue Internet Pharmacy". 

Rogue Internet pharmacy (definition):

A pharmacy website that intentionally or knowingly: 
•    violates, appears to violate, or encourages violation of Federal or state law or regulation;
•    does not adhere to accepted standards of medicine and/or pharmacy practice, including standards of safety;
•    and/or engages in fraudulent or deceptive business practices.

Website DetailsWebsite: http://rx-commission.com 
Registrar: DYNADOT, LLC 

Pharmacy Details
About Rx Commission

Rx-Commission is the network parent of a number of rogue online pharmacies. LegitScript considers this network of pharmacy website to be extremely dangerous.

We have been contacted by an individual who purchased a drug from one of this network’s online pharmacies and ended up in the hospital. The drug was fake Cialis. The individual had health problems for several months, and the company that makes the real drug tested the product sold by the online pharmacy to confirm that it is counterfeit.

The drugs ordered from one of these pharmacy websites, when we conducted a test order, came from India.

Rx Commission’s pharmacies also provide controlled substances without a prescription from overseas. As such, the network violates the law in several respects and sells products that are hazardous to people’s health.
Further we found numerous rx- affiliated pharmacy sites included into the list of “Not recommended sites” provided by NABP. These Internet drug outlets appear to be out of compliance with state and federal laws or NABP patient safety and pharmacy practice standards. They look like these:

www.rxdepotcentral.com
www.rxdrugsavenue.com
www.rxexchangeonline.com

On that same forum pharmacy businesses can find the information about domain registrars who will readily provide them with their services.

As Ecommerce-Journal checked it out NameCheap.com provides registration services to some organizations performing illicit activity on the Internet with rogue pharmacy included. One of the popular medicine websites known as trust-pharm.com was registered with NameCheap.com. And it should be noted that the ICANN registrar was ENOM Inc., a U.S. based registrar that LegistScript found to be in question, as we already mentioned in our first article on online pharmacy. Here is the screenshot of what whois tells about trust-pharm.com’s link to ENOM Inc.

Here is another screenshot of what whois tells about trust-pharm.com’s registrar NameCheap.com.


Interestingly, name servers of trust-pharm.com discovered by whois are these:
ns1.lion-rx.com
ns2.lion-rx.com

Looks familiar, isn’t it? Sure it is. As we noted above RX-Commission provides its partner services to multiple rogue pharmacy ‘start-ups’.


You think ICANN is competent?

As it is known this year such independent researchers as KnujOn, LegitScript, HostExploit and Brian Krebs from Security Fix of Washingtonpost.com along with other experts conducted deep studies of the cyber crime activity that linked together illegal pharmacy operating on the web and malicious software originators. In the course of their research it was revealed that a great number of illicit Internet medicine businesses were supported by the infamous registrar EstDomains. Under the pressure of these independent students the International Commission for Assigned Names and Numbers (ICANN) decided to terminate the traffic supply to EstDomains. It could have been taken as a victory if it hadn’t been just a respite. LegitScript notes:

But here’s the question: what happens to the 281,000 domain names currently registered with ESTDomains? ICANN policy requires that they be transferred to another DNR within the next several weeks. On the one hand, some websites are legitimate and we hope that their operations aren’t affected. But plenty are rogue sites engaged in illegal activities involving malware, counterfeit pharmaceuticals, and other illegal activity.

This is the perfect opportunity to get those websites terminated. Will it happen?

Will it happen or not, but we cannot just wait for ICANN’s actions that themselves are getting dubious much like the syndicates it is supporting. Interestingly, in November 1-7 INCANN held conference in Cairo entitled “Open Joint Session (GNSO, ccNSO, GAC, ALAC): Domain Name Space” that was opened by Patrick Sharry (ICANN ccNSO Consultant) with the words:

“We will try, as we do that, on the way through, to involve a little bit of at least conversation, if not a little bit of conflict or argument or heated debate or discussion or something like that is(sic) well. And we will see how we go then, bringing the audience into that conversation.”

But as it turned out in fact the discussion took the course acceptable to the interested parties that were present at the meeting. When the representative of KnujOn made an attempt to clarify the situation with compliance and the need for better controls within the expanding Internet, specifically in relation to criminal infiltration of the Domain Name space, Patrick Sharry interrupted and silenced him this way:

"I don't want to pursue it any more in this forum."

Garth Bruen of KnujOn notes:

This is somewhat reminiscent of Peter Dengate-Thrush’s response to questions from KnujOn’s Garth Bruen at the Washington D.C. ICANN Session entitled: “Improving Institutional Confidence consultation” KnujOn brought up issues of criminality, contract violations, and exclusion of the Internet consumer. Dengate-Thrush admonished Bruen that “this was not relevant to institutional confidence.” Later at this same session Dengate-Thrush told the audience that he did not “want to hear from any more angry IP lawyers.” Many of the attendees were attorneys representing brand holders being exploited by cyber-squatters and counterfeiters. The Intellectual Property community expressed its feeling of being marginalized by ICANN in favor of shadowy criminal interests.

The situation has never improved ever since. The Internet space is still abundant of violators, criminals and fraudsters trying to capitalize on people’s natural needs in what they are buying online. Earlier in 2007 at wendy.seltzer.org/blog it was noted:

ICANN should recognize that the reason for its registrar contracts is precisely to benefit third parties: domain name registrants and those who rely on the domain name system. ICANN is not (or shouldn’t be) accrediting registrars merely to have a larger pool of organizations paying fealty to it. Rather, it is imposing terms and conditions on registrars and, with an “ICANN accredited” seal, inviting the public to rely on those terms for a secure domain name registration.

Yet the real state of things proves to be ‘slightly’ different. Public that tries to enforce registrars to terminate illicit domains and sites gets either tactless ‘shut up’ like that of Patrick Sharry or even threats to be sued in the court for unreasonable insult and abuse of registrars’ reputation. Registrars seem less interested in cooperating with the public instead they pursue cooperation with the shady businesses that pay them for the traffic.

In the end

Surely, we didn’t manage to squeeze everything in one article, or better to say in two articles dedicated to the Internet pharmacy scam defrauding a great number of people today. Cases cited in our posts are not the only phenomena occurring on the web. They are numerous. And there are too little forces to trace all of them not to speak of coping with them. Previous year though the policy was lucky to capture the alleged mastermind behind the "Xpress Pharmacy" ring, Christopher Smith (aka Rizler) with a 30-year prison sentence. Authorities seized $4.2 million in assets, and claimed that "Xpress Pharmacy" had already generated $18 million in revenue half way through 2007 - an annual revenue potential in excess of $30 million. That was single instance while cyber crime instances are multiple. Along with “Xpress Pharmacy” ring Internet community has been revealing a great number of such dubious, illicit and pernicious schemes, among them “Canadian Pharmacy”. Fortinet Global Security Research conducted their independent study of the ring and found that over 7,700 computers belonged to the zombie botnet army utilized by Canadian Pharmacy. The operation of this army was quite sophisticated and thoroughly planned which allows them to avoid detection or full elimination. Fortinet notes:

Putting it all together, a picture can be painted of an operation with a successfully deployed a robust network that has proven to be resistant to take-down. Even worse, they keep adding and building to their stronghold by adding new networks and militia to their zombie botnet. By using a fast flux scheme with a selective algorithm, commanding a large volume of zombies, flexibility and scalability, this pharmacy ring will become larger and even more profitable if action is not taken.
While we are expecting any actions on the part of authorized institutions we should be very cautious when traveling through the unexplored spaces of the cyber world remembering that the first instance to protect you is yourself.