RXProfits - Identifying 866-2140125 386-2437714

Spammers should not profit, so post information here that hits their pockets. There are many ways to fight spammers, and we have automation tools to combat them efficiently. These forums are moderated, but do not reflect the views of the hosting company, domain registrar, etc. By entering any of these forums, you agree that you cannot hold anyone liable for anything related in any way to these forums.

Postby Red Dwarf » Sun Feb 10, 2013 5:33 pm

[Image: Template 1 header]
[Image: Template 2 header]


There is a pharmacy brand that has not been well identified, yet. A common factor is the phone banner containing the contact phone numbers,
+1-866-2140125 +1-386-2437714
This is encoded in a gif to avoid being scooped up by Google, with a name like this
http://www.pill-deals.com/cache/1352204401.inv_logo_10834_phone_88_2140125.gif

If you google a domain name, you find that they keep all of the site out of search engines
<meta name="robots" content="noindex, nofollow" />
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Identifying 866-2140125 386-2437714

Postby Red Dwarf » Sun Feb 10, 2013 5:43 pm

One common factor on all sites is the hosting IP address: 185.9.17.234
The owner is OvalTech Internet Ltd with contact details
person: Matt Brown
address: Unit 5,
address: Wallingfen Business Park, 236 Main Road,
address: Brough,
address: HU15 2RH
phone: +44 1482 772792

Another common factor on all sites, besides the phone numbers and IP address, is the list of categories.
However, these are excluded from search engines, as noted above.
The contents vary a little from one site to another, indicating that the web pages are generated from a set of basic templates

-----
Our Categories
    Men's Sexual Health
    ED Trial Packs
    Antibiotics
    Women's Sexual Health
    Asthma Relief & Management
    Antidepressants
    Blood Pressure
    Men's Health
    Heart & Cholesterol
    Digestive Health & Nausea
    Diabetes Treatment
    Sleep Aids
    Weight Loss
    Hair Loss Treatment
    Muscle Relaxants
    ADHD
    Women's Health
    Smoking Cessation
    Anticonvulsants
    Anti-fungal and Parasites
    Allergy Relief
    Cancer Symptoms Relief
    Skin Care & Dermatology
    Pain Relief
    Anti-anxiety
    Detox
    Anti-inflammatory
    Thyroid Health
    Mental Health
    Antipsychotic Treatment
-----
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Identifying 866-2140125 386-2437714

Postby Red Dwarf » Sun Feb 10, 2013 6:06 pm

Signs of fraud

From http://www.pill-deals.net/company.php
Site Security

We take measures to protect our customers' information. All medical and financial transactions occur over encrypted communication channels utilizing a 256-bit SSL certificate.


When you enter your credit card information, you expect to be on a secure page, identified as https instead of the insecure http
http://www.pill-deals.com/shopping_cart.php#billing_info

That proves the site security claim is blatantly false.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Identifying 866-2140125 386-2437714

Postby Red Dwarf » Sun Feb 10, 2013 6:53 pm

Here is a subset of the domain names used by this brand of frauds.

They were created between Nov 16 2012 and Dec 6 2012

All were registered with the same registrar, NETLYNX INC

They all use the same name servers also registered with NETLYNX INC
    ns1.greenwarm.net
    ns2.greenwarm.net

EDIT - All suspended by the registrar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Identifying 866-2140125 386-2437714

Postby Red Dwarf » Sun Feb 10, 2013 7:37 pm

A further indication that this is just another brand of fraud domains is that the perpetrators have followed the underhand technique of not exposing the target domain names in spam. They hope that such a subterfuge will prevent the fewer hidden domains from being reported to the registrar, who would suspend them for breaking their terms of service.

Examples of disposable spammed domain names that secretly redirect to the hidden domain names are
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Identifying 866-2140125 386-2437714

Postby Red Dwarf » Sat Feb 16, 2013 3:32 pm

Total operation wiped out.

On Feb 16 all of these domains and the name server were suspended by NETLYNX.
If anyone sees any more pharma sites with those phone numbers, please append here.


Netlynx wrote:Dear sir,

Needful has been done.



Thanks & Regards,
Prashant
Support Team I NETLYNX TECHNOLOGIES PVT. LTD.,


Similar action from REGTIME (Russia) -
Domain Name: 1ST-ONLINE-MEDS.COM
Registrar: REGTIME LTD.
Whois Server: whois.webnames.ru
Status: clientHold
Updated Date: 11-feb-2013
Creation Date: 17-dec-2012
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Identifying 866-2140125 386-2437714

Postby Red Dwarf » Sat Feb 16, 2013 4:08 pm

"+1 386-2437714 is a general support line for multiple web services"
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Identifying 866-2140125 386-2437714

Postby g7w » Sun Feb 17, 2013 12:41 pm

Red Dwarf wrote:"+1 386-2437714 is a general support line for multiple web services"

Support line offered by whom?
http://phones.whitepages.com/386-243

VoIP phone from Lake City, FL
http://www.whitepages.com/phone/1-386-243-7714
Opto, ergo sum
g7w
Spam Reporter
 
Posts: 136
Joined: Thu May 20, 2010 12:29 am

Re: Identifying 866-2140125 386-2437714

Postby Red Dwarf » Sun Feb 17, 2013 3:37 pm

They would not tell me. But when I told them I could not get through to a pharmacy web site, they offered to take my order right then.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Identifying 866-2140125 386-2437714

Postby Red Dwarf » Sun Apr 07, 2013 3:33 pm

On name servers registered with INTERNET.BS CORP.
    ns1.snowbold.net (has address 185.9.18.78)
    ns2.snowbold.net (has address 185.9.18.78)

Fraud pharmacies on the same IP, (185.9.18.78) registered with NETLYNX in March, 2013
The IP address is owned by
    OvalTech Internet Ltd
    Matt Brown
    Unit 5,
    Wallingfen Business Park, 236 Main Road,
    Brough,
    HU15 2RH
    +44 1482 772792
    abuse-mailbox: noc@ovaltech.net
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Identifying 866-2140125 386-2437714

Postby stefansavage » Tue Apr 09, 2013 12:56 am

These sites have both the template structure and the formulary of RxProfits.

- Stefan
stefansavage
New member
 
Posts: 8
Joined: Fri May 20, 2011 10:33 pm

Re: Identifying 866-2140125 386-2437714

Postby Red Dwarf » Tue Apr 09, 2013 1:27 am

Thanks, Stefan. I can see the public RXProfits affiliate program description. But there is a lack of more specific information.

1. Who is behind it
2. Where is it headquartered
3. Sample templates of sites

Domain Name: RXPROFITS.COM
Registrar: DNC HOLDINGS, INC.
Creation Date: 09-jan-2012

Hosted - rxprofits.com has address 178.33.228.12
OVH ISP, Paris, France

Name servers -
one on same IP as above, the other, 46.165.194.76
ORG-nA8-RIPE
Leaseweb Germany GmbH
LIR
Leaseweb Germany GmbH Kleyer Strasse 79 / Tor 13 60326 Frankfurt Germany
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Identifying 866-2140125 386-2437714

Postby Red Dwarf » Tue Apr 09, 2013 1:46 am

Who owns that phone number?

http://www.whitepages.com/people/Rob-Paige/San-Diego-CA/db13bwp
Rob Paige
(386) 243-7714
San Diego, CA 92103
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am

Re: Identifying 866-2140125 386-2437714

Postby stefansavage » Tue Apr 09, 2013 2:08 am

> 3. Sample templates of sites
There are tons of distinct templates. For example: http://www.all-pharma.com/ is one, http://www.meds-sales.com/ is another. Basically you can google for:
"images/template_x" viagra
where you replace X with a number. I've seen template numbers up to 90 in use.

- Stefan
stefansavage
New member
 
Posts: 8
Joined: Fri May 20, 2011 10:33 pm

Re: Identifying 866-2140125 386-2437714

Postby Red Dwarf » Tue Apr 09, 2013 4:11 am

These are some live examples that follow the same pattern.

DOMAIN NAME             NAME SERVER     REGISTRAR     HOST IP ADDRESS
1st-pills.com           teckbeans.com   DOMAIN.COM    178.238.138.123
cheap-pharm.com         teckbeans.com   MONIKER       178.238.138.123
rx-mall.com             teckbeans.com   MONIKER       178.238.138.123
direct-pills.com        teckbeans.com   MONIKER       178.238.138.123
genericmedscenter.com   teckbeans.com   MONIKER       178.238.138.123
order-pharma.com        teckbeans.com   MONIKER       178.238.138.123
pharm-deals.com         teckbeans.com   NAMESILO      178.238.138.123
ultra-pharma.com        teckbeans.com   NAMESILO      178.238.138.123
meds-sales.com          teckbeans.com   NAMESILO      178.238.138.123
1stmeds.net             snowbold.net    NETLYNX       185.9.18.78
buy-pill.net            snowbold.net    NETLYNX       185.9.18.78
buy-rx.net              snowbold.net    NETLYNX       185.9.18.78
buyrxmeds.net           snowbold.net    NETLYNX       185.9.18.78
directrxpills.net       snowbold.net    NETLYNX       185.9.18.78
genericrxpills.net      snowbold.net    NETLYNX       185.9.18.78
medicalorders.net       snowbold.net    NETLYNX       185.9.18.78
net-pharmacy.net        snowbold.net    NETLYNX       185.9.18.78
orderpharmacy.net       snowbold.net    NETLYNX       185.9.18.78
pharm-orders.net        snowbold.net    NETLYNX       185.9.18.78
pill-sales.net          snowbold.net    NETLYNX       185.9.18.78
pills-net.net           snowbold.net    NETLYNX       185.9.18.78
prime-pills.net         snowbold.net    NETLYNX       185.9.18.78
prime-rx.net            snowbold.net    NETLYNX       185.9.18.78
ns1.teckbeans.com                       DNC HOLDINGS  5.9.156.233
ns2.teckbeans.com                       DNC HOLDINGS  178.238.138.123
ns1.snowbold.net                        INTERNET.BS   185.9.18.78
ns2.snowbold.net                        INTERNET.BS   185.9.18.78
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10448
Joined: Tue Jun 27, 2006 2:01 am
