Eva Pharmacy campaign


Re: Eva Pharmacy campaign

Postby Red Dwarf » Fri Mar 13, 2015 6:12 pm

How often is each Eva Pharmacy brand used? Sequenced by the number of live sites per fraud brand, we have

Code: Select all
  1771 RxExpressOnline
   537 Canadian Health&Care Mall
   409 RxMedications
   379 My Canadian Pharmacy
    45 Canadian Neighbor Pharmacy
    28 Canadian Family Pharmacy
    19 CanadianPharmacy
     3 Toronto Drugstore
     2 US Drugs
     1 Trusted Tabs
     1 International Legal RX


What registrars provide a domain name registration service to these fraud domains?

Code: Select all
 3133 R01-RU
   15 Key-Systems GmbH
   10 NAMESILO, LLC
   10 IP MIRROR PTE LTD
    6 PAKNIC (PRIVATE) LIMITED
    4 TODAYNIC.COM, INC.
    4 Registrar.eu
    4 NANJING IMPERIOSUS TECHNOLOGY CO. LTD.
    1 TRUNKOZ TECHNOLOGIES PVT LTD.
    1 REGRU-RU
    1 REGISTRAR OF DOMAIN NAMES REG.RU LLC
    1 NETLYNX, INC.
    1 NAUNET-REG-RIPN
    1 GUANGDONG NAISINIKE INFORMATION TECHNOLOGY CO LTD
    1 EURODNS S.A
    1 DOMAINSATCOST.CA CORP
    1 ADVANCED INTERNET TECHNOLOGIES, INC.
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am

Re: Eva Pharmacy campaign

Postby Red Dwarf » Fri Oct 02, 2015 5:53 pm

A recent development in IP addresses for Eva Pharmacy hosts. They have changed from putting many sites on the same IP address to spreading some sites (10%) over a 254-address range:
198.18.1.1 to 198.18.1.254

This range was previously reserved
IANA wrote:NetRange: 198.18.0.0 - 198.19.255.255
CIDR: 198.18.0.0/15
NetName: SPECIAL-IPV4-BENCHMARK-TESTING-IANA-RESERVED
NetHandle: NET-198-18-0-0-1
Parent: NET198 (NET-198-0-0-0-0)
NetType: IANA Special Use
Comment: Addresses starting with "198.18." or "198.19." are set aside for use in isolated laboratory networks used for benchmarking and performance testing.
They should never appear on the Internet and if you see Internet traffic using these addresses, they are being used without permission.
Comment:
Comment: This assignment was made by the IETF, the organization that develops Internet protocols, in RFC 2544, which can be found at:
Comment: http://datatracker.ietf.org/doc/rfc2544
Ref: http://whois.arin.net/rest/net/NET-198-18-0-0-1


Their preferred hosting addresses are currently

Count - IP Address - abuse complaint

Code: Select all
 377  91.210.106.11    abuse-mailbox: abuse@hostkey.com
 104  80.243.189.35    abuse@redstation.com
 102  198.144.158.53   peterk@yesup.com
  89  91.200.12.88     abuse@vhoster.net
  64  95.84.156.43     abuse@ncnet.ru
  60  45.125.192.19    support@readyserver.sg
  50  82.221.133.152   abuse@orangewebsite.com
  50  81.21.193.70     abuse@kki-bci.pl
  33  82.221.133.150
  26  148.251.157.140
  21  81.21.193.71
  13  93.189.41.138
  13  198.144.158.52
  11  88.150.227.68

Re: Eva Pharmacy campaign

Postby Red Dwarf » Sat Oct 03, 2015 1:24 am

I have been thinking.

While the domains have their IP address set to one of those 198.18.1.*, they are out of action, because their IP addresses are not routable.

I assume that for some reason the sites are being temporarily taken offline, then put back online. I can't figure out why. If you are changing IP address you usually replace one good one with another. I saw 175 domains offline at once. Weird.

Re: Eva Pharmacy campaign

Postby Red Dwarf » Sat Oct 03, 2015 5:13 am

Further analysis shows that for these domains, one name server returns a routable IP address, and the other returns one that is not routable.

Here's an example. yourpillmart.be has two name servers, ns1 and ns2. The first is OK, the second seems to be malfunctioning.


Code: Select all
50.0% of queries will be returned by 202.78.227.138 (ns1.yourpillmart.be)
yourpillmart.be.   600   IN   A   185.24.235.201
50.0% of queries will be returned by 212.154.209.10 (ns2.yourpillmart.be)
yourpillmart.be.   0   IN   A   198.18.1.150


A few seconds later
Code: Select all
50.0% of queries will be returned by 202.78.227.138 (ns1.yourpillmart.be)
yourpillmart.be.   600   IN   A   185.24.235.201
50.0% of queries will be returned by 212.154.209.10 (ns2.yourpillmart.be)
yourpillmart.be.   0   IN   A   198.18.1.43


The address returned on consecutive lookups by 212.154.209.10 (ns2.yourpillmart.be) is always non-routable.
That troubled name server resides in Kazakhstan. Its results are reducing the stability of the Eva pharmacy operation :-)

Note that the "time-to-live" on this faulty second name server is 0 seconds instead of 600 seconds for the good name server. The faulty one is set up as fast flux for the range 198.18.1.1 - 198.18.1.254.

Mind you, if I had a machine on the Internet, and I discovered that some Russian crooks had compromised it and were using it as a name server, I couldn't imagine a better plan to stuff up their bizness than to reconfigure it to give invalid results for the name resolutions it is performing.
:twisted:

Re: Eva Pharmacy campaign

Postby AlphaCentauri » Sat Oct 03, 2015 6:30 pm

I recall a time when what was then Bulker.biz domains had three nameservers when you checked a passive domain name server: the two real ones, and a ns3._____ nameserver that listed IP addresses that were improbable, like the CIA or FBI. They seem to be recycling an old trick, whatever its purpose.
User avatar
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Eva Pharmacy campaign

Postby Red Dwarf » Sat Oct 03, 2015 11:01 pm

I think that in this case, the resolution of the domain name to an IP address is giving a 50% failure rate or worse.

I can't prove it definitively, but I have found that when I load such a domain it sometimes times out, yet if I try it again immediately it succeeds.
If this is right, then the 50% failure rate represents a disadvantage to the Eva gang.

Here are a few currently live samples

Code: Select all
securemedicaremall.be
securepharmeshop.xyz
sgnxecbp.in
thecuringgroup.xyz


When I test these using a DNS traversal, I see a report of a 50% error rate in resolving the name to an address, causing a browser to time out. Occasionally I will get a 75% error rate, such as sgnxecbp.in

Code: Select all
DNS check results for sgnxecbp.in:

Results

** 25.0% of queries will end in failure at 198.18.1.25 (ns1.deabwqlm.ru) - query timed out

** 25.0% of queries will end in failure at 198.18.1.42 (ns2.fajmtolz.xyz) - query timed out

25.0% of queries will be returned by 103.6.207.121 (ns1.deabwqlm.ru)
sgnxecbp.in.   600   IN   A   46.29.248.153

** 25.0% of queries will be returned by 212.154.209.10 (ns2.fajmtolz.xyz)
sgnxecbp.in.   0   IN   A   198.18.1.16


In this case, one of the name servers (ns1.deabwqlm.ru) is also being afflicted with the same bad resolution.

Another failing at 75% of the time: thecuringgroup.xyz
Code: Select all
DNS check results for thecuringgroup.xyz:

Results

25.0% of queries will end in failure at 198.18.1.96 (ns1.upceovvo.in) - query timed out

25.0% of queries will be returned by 103.13.228.186 (ns1.upceovvo.in)
thecuringgroup.xyz.   600   IN   A   46.29.248.153
50.0% of queries will be returned by 212.154.209.10 (ns2.fajmtolz.xyz)
thecuringgroup.xyz.   0   IN   A   198.18.1.197
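The two posts above (the yourpillmart.be lookups and the sgnxecbp.in / thecuringgroup.xyz traversals) boil down to one check: for each authoritative name server, did it time out, and if it answered, is the address routable at all? The following is an added example, not code from the thread or from the DNS traversal tool Red Dwarf used. It parses the report format quoted in the posts, counts an answer as a failure when it lies in an IANA special-use block such as the RFC 2544 benchmarking range 198.18.0.0/15, and flags name servers answering with TTL 0. The sample reports are copied from the posts; the parser, the `Report` structure and the special-use list are this example's own assumptions.

```python
"""Estimate how often a domain fails to resolve, from DNS-traversal output.

Added example; not code from the original thread. A query is treated as
failed when the name server timed out OR when its answer lies in an IANA
special-use block that is never routed on the public Internet (198.18.0.0/15
is the RFC 2544 benchmarking range seen in the thread). Name servers that
answer with TTL 0 are flagged as well. Sample reports are copied from the
posts; the parser and the special-use list are this example's assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# IANA special-purpose IPv4 blocks (RFC 6890 registry) that must never be a
# public web server's address. 198.18.0.0/15 is the RFC 2544 benchmark range.
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_routable(addr: str) -> bool:
    """True when addr is a public unicast address, i.e. in no special-use block."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in SPECIAL_USE)


@dataclass
class Report:
    domain: str = ""
    failure_pct: float = 0.0     # share of queries that time out or get a bogon
    timeouts: list = field(default_factory=list)  # name servers that timed out
    bogons: list = field(default_factory=list)    # (name server, bogus answer)
    zero_ttl: list = field(default_factory=list)  # name servers answering TTL 0


# Line shapes from the traversal report quoted in the thread.
RETURNED = re.compile(r"(\d+(?:\.\d+)?)% of queries will be returned by \S+ \((\S+)\)")
FAILED = re.compile(r"(\d+(?:\.\d+)?)% of queries will end in failure at \S+ \((\S+)\)")
RECORD = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\S+)$")


def parse_traversal(text: str) -> Report:
    """Walk the report line by line; an A record belongs to the 'returned by'
    line immediately before it."""
    report = Report()
    pending = None  # (pct, ns) from the last 'returned by' line
    for raw in text.splitlines():
        line = raw.strip().lstrip("*").strip()   # the tool prefixes problems with **
        m = FAILED.search(line)
        if m:
            report.failure_pct += float(m.group(1))
            report.timeouts.append(m.group(2))
            continue
        m = RETURNED.search(line)
        if m:
            pending = (float(m.group(1)), m.group(2))
            continue
        m = RECORD.match(line)
        if m and pending:
            pct, ns = pending
            pending = None
            name, ttl, answer = m.groups()
            report.domain = report.domain or name
            if int(ttl) == 0:
                report.zero_ttl.append(ns)
            if not is_routable(answer):      # bogon answer: the browser will time out
                report.failure_pct += pct
                report.bogons.append((ns, answer))
    return report


# Sample reports copied from the posts above.
YOURPILLMART = """\
50.0% of queries will be returned by 202.78.227.138 (ns1.yourpillmart.be)
yourpillmart.be.   600   IN   A   185.24.235.201
50.0% of queries will be returned by 212.154.209.10 (ns2.yourpillmart.be)
yourpillmart.be.   0   IN   A   198.18.1.150
"""

SGNXECBP = """\
DNS check results for sgnxecbp.in:
** 25.0% of queries will end in failure at 198.18.1.25 (ns1.deabwqlm.ru) - query timed out
** 25.0% of queries will end in failure at 198.18.1.42 (ns2.fajmtolz.xyz) - query timed out
25.0% of queries will be returned by 103.6.207.121 (ns1.deabwqlm.ru)
sgnxecbp.in.   600   IN   A   46.29.248.153
** 25.0% of queries will be returned by 212.154.209.10 (ns2.fajmtolz.xyz)
sgnxecbp.in.   0   IN   A   198.18.1.16
"""

if __name__ == "__main__":
    for sample in (YOURPILLMART, SGNXECBP):
        r = parse_traversal(sample)
        print(f"{r.domain}: ~{r.failure_pct:.0f}% of lookups fail; "
              f"timeouts={r.timeouts} bogons={r.bogons} ttl0={r.zero_ttl}")
```

The routability test is deliberately an explicit list rather than `ipaddress`'s `is_global`, so that the blocks being rejected are visible and auditable; a monitoring job that resolves each authoritative server itself, as the traversal tool does, would feed its own answers through the same `Report` logic.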

Re: Eva Pharmacy campaign

Postby Red Dwarf » Wed Oct 07, 2015 3:19 pm

As of today, they have diagnosed the problem with the disabled name server at that address (212.154.209.10 in Kazakhstan) and reconfigured their network to avoid it. By my reckoning there were at least 580 ns2.***** Eva name servers using it.

This whole episode shows what could be done to destroy their infrastructure if the owners of compromised machines which have been taken over to provide domain name resolution reconfigured them to screw up their name resolution.

Re: Eva Pharmacy campaign

Postby Red Dwarf » Wed Oct 07, 2015 3:44 pm

Since March, the list of most frequent brands and most abused registrars have changed. Here are today's results. The counts include both live and suspended domains over the past 12 months.

END OF SEPTEMBER 2015
Most used brands
Code: Select all
 1218 Canadian Health&Care Mall
  822 RxExpressOnline
  396 CanadianPharmacy
  373 My Canadian Pharmacy
  262 Canadian Neighbor Pharmacy
  168 RxMedications
   81 Canadian Family Pharmacy
   53 Men's Health
   43 Toronto Drugstore
   14 US Drugs
    5 International Legal RX
    2 WikiPharmacy
    2 Trusted Tabs
    1 Unknown
    1 Online Drugstore


Most used registrars
Code: Select all
 1705 R01-RU
  348 TRUNKOZ TECHNOLOGIES PVT LTD.
  342 Key-Systems GmbH
  275 NAMESILO, LLC
  254 BIZCN.COM, INC.
  192 NETLYNX, INC.
  156 PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
   36 CV. JOGJACAMP
   26 Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
   26 KHEWEUL.COM SA
   17 LOGICBOXES NAMING SERVICES LTD
   16 InterNetworX Ltd. & Co. KG
    8 IP MIRROR PTE LTD
    9 PDR Ltd. d/b/a PublicDomainRegistry.com
    4 ACTIVE REGISTRAR, INC.
    3 TODAYNIC.COM, INC.
    3 ADVANCED INTERNET TECHNOLOGIES, INC.


Omitting the suspended domains, the registrars providing support for live domains today are:
Code: Select all
bait>grep -v '[*]' evaext | cut -f 3 | sort | uniq -c | sort -rn
 841 R01-RU
 247 BIZCN.COM, INC.
  10 NAMESILO, LLC
   5 Webiq Domains Solutions Pvt. Ltd.


END OF MARCH 2015
Red Dwarf wrote:How often is each Eva Pharmacy brand used? Sequenced by the number of live sites per fraud brand, we have

Code: Select all
  1771 RxExpressOnline
   537 Canadian Health&Care Mall
   409 RxMedications
   379 My Canadian Pharmacy
    45 Canadian Neighbor Pharmacy
    28 Canadian Family Pharmacy
    19 CanadianPharmacy
     3 Toronto Drugstore
     2 US Drugs
     1 Trusted Tabs
     1 International Legal RX


What registrars provide a domain name registration service to these fraud domains?

Code: Select all
 3133 R01-RU
   15 Key-Systems GmbH
   10 NAMESILO, LLC
   10 IP MIRROR PTE LTD
    6 PAKNIC (PRIVATE) LIMITED
    4 TODAYNIC.COM, INC.
    4 Registrar.eu
    4 NANJING IMPERIOSUS TECHNOLOGY CO. LTD.
    1 TRUNKOZ TECHNOLOGIES PVT LTD.
    1 REGRU-RU
    1 REGISTRAR OF DOMAIN NAMES REG.RU LLC
    1 NETLYNX, INC.
    1 NAUNET-REG-RIPN
    1 GUANGDONG NAISINIKE INFORMATION TECHNOLOGY CO LTD
    1 EURODNS S.A
    1 DOMAINSATCOST.CA CORP
    1 ADVANCED INTERNET TECHNOLOGIES, INC.

Re: Eva Pharmacy campaign

Postby Red Dwarf » Mon Dec 21, 2015 10:45 pm

Can anyone load these? They appear to be blocking most of the usual Internet IPs. I'd like to know what brand they are.

bestcarequality.ru
bestorganicreward.ru
genericmedsoutlet.ru
goodhealthcareinc.ru
goodmedicatingmart.ru
homecuringreward.ru
homeherbalinc.ru
luckyaideshop.ru
medicalsmartreward.ru
naturaltabsgroup.ru
onlinecareshop.ru
organicfirstreward.ru
perfectpilleshop.ru
privateaideshop.ru
remedialdrugsupply.ru
securehealthmall.ru
securemedicalshop.ru
yourmedicalassist.ru
canadianfastgroup.com
curingsecurestore.com
familydrugassist.com
firstmedicalbargain.be
goodorganicbargain.xyz
healingaidstore.be
healingtrustedshop.eu
herbalonlinedeal.be
herbalwelnessshop.be
homegenericsale.be
hotmedicatingtrade.be
iglobaltransaction.com
luckyherbalelement.be
luckypillsmarket.be
magiccuringmarket.be
mymedicarewebmart.xyz
naturalonlineshop.be
naturalremedysupply.be
newnaturaldeal.eu
newpharmaceuticshop.be
newtabletdeal.eu
onlinedrugcompany.be
onlinedrugvalue.com
organicdrugsmart.be
organicglobalmall.com
perfectherbsreward.xyz
pureremedialvalue.xyz
purerxstore.be
safetabletelement.be
securepillswebmart.com
smarthealthpurchase.xyz
thehealingtrade.be

Re: Eva Pharmacy campaign

Postby Nodus » Tue Dec 22, 2015 12:32 pm

Red Dwarf wrote:Can anyone load these?

Didn't seem to be a problem anymore. I guess you can load them yourself now as well.

Code: Select all
  bestcarequality.ru        My Canadian Pharmacy
  bestorganicreward.ru      Canadian Pharmacy
  genericmedsoutlet.ru      Canadian Health&Care Mall
* goodhealthcareinc.ru      Canadian Family Pharmacy
  goodmedicatingmart.ru     Canadian Health&Care Mall
  homecuringreward.ru       Canadian Health&Care Mall
* homeherbalinc.ru          My Canadian Pharmacy
  luckyaideshop.ru          Canadian Health&Care Mall
  medicalsmartreward.ru     Canadian Health&Care Mall
  naturaltabsgroup.ru       Canadian Health&Care Mall
  onlinecareshop.ru         My Canadian Pharmacy
  organicfirstreward.ru     Canadian Neighbor Pharmacy
  perfectpilleshop.ru       Canadian Health&Care Mall
  privateaideshop.ru        My Canadian Pharmacy
  remedialdrugsupply.ru     Canadian Health&Care Mall
  securehealthmall.ru       Error 404
  securemedicalshop.ru      Error 404
  yourmedicalassist.ru      RX Medications
  canadianfastgroup.com     Canadian Health&Care Mall
  curingsecurestore.com     Canadian Health&Care Mall
  familydrugassist.com      Canadian Health&Care Mall
  firstmedicalbargain.be    Canadian Health&Care Mall
  goodorganicbargain.xyz    Canadian Health&Care Mall
  healingaidstore.be        Canadian Health&Care Mall
  healingtrustedshop.eu     Canadian Health&Care Mall
  herbalonlinedeal.be       Canadian Health&Care Mall
  herbalwelnessshop.be      Canadian Health&Care Mall
  homegenericsale.be        Canadian Health&Care Mall
  hotmedicatingtrade.be     Canadian Health&Care Mall
  iglobaltransaction.com    Canadian Health&Care Mall
  luckyherbalelement.be     Canadian Health&Care Mall
  luckypillsmarket.be       Canadian Health&Care Mall
  magiccuringmarket.be      Canadian Health&Care Mall
  mymedicarewebmart.xyz     Canadian Pharmacy
  naturalonlineshop.be      Canadian Health&Care Mall
  naturalremedysupply.be    Canadian Health&Care Mall
  newnaturaldeal.eu         Canadian Health&Care Mall
  newpharmaceuticshop.be    Canadian Health&Care Mall
  newtabletdeal.eu          Canadian Health&Care Mall
  onlinedrugcompany.be      Canadian Health&Care Mall
  onlinedrugvalue.com       U.S. Drugs
  organicdrugsmart.be       Canadian Health&Care Mall
  organicglobalmall.com     ClientHold
  perfectherbsreward.xyz    Canadian Health&Care Mall
  pureremedialvalue.xyz     Canadian Pharmacy
  purerxstore.be            Canadian Health&Care Mall
  safetabletelement.be      Canadian Health&Care Mall
  securepillswebmart.com    Canadian Pharmacy
  smarthealthpurchase.xyz   Canadian Pharmacy
  thehealingtrade.be        Canadian Health&Care Mall
Arf, she said
User avatar
Nodus
Spammer Obliterator
 
Posts: 2287
Joined: Fri Jun 15, 2007 7:05 pm
