Eva Pharmacy campaign

Postby Red Dwarf » Wed Feb 20, 2013 8:01 pm

This is a topic to provide statistics on the effectiveness of the campaign to remove Eva Pharmacy domains.
The campaign is documented here at viewtopic.php?f=1&t=4894
Registrar compliance ratings are in a table at viewtopic.php?f=1&t=5905&p=61164

What is Eva Pharmacy?
It is a Russian/Ukrainian pharmacy fraud operation, described in detail in the evidence at the spamtrackers.eu wiki entry

Why is there a campaign?
This affiliate program is clearly a fraud, as seen in the evidence link. It has been able to run continuously for several years, undergoing several different guises over that time, but always surviving. It has operated under various affiliate program names, such as Yambo Financials, Bulker Biz, then Eva Pharmacy until mid last year. It has been a constant annoyance in spam volumes, and presents risks to the community. These risks include

    * Identity theft
    * Credit card theft
    * No quality control in the shipments
    * Seizure of medications at customs
    * Combinations of medications which may prove fatal when used in combination
    * Unknown quality control at the manufacture
Therefore, the campaign has set out to notify the registrars of the domain names that the registrants are Russian criminals, who are using the domains for unlawful purposes. Registrars across the world have terms of service agreements which prohibit unlawful use of domain names, and allow for immediate termination under the circumstances where there is a reasonable degree of evidence.
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10436
Joined: Tue Jun 27, 2006 2:01 am

Re: Eva Pharmacy campaign

Postby Red Dwarf » Mon Apr 22, 2013 12:43 am

REPORTING ABUSED IP ADDRESSES
The most frequently used IP addresses for hosts and name servers are shown below. It would be useful if someone would volunteer to report these. I don't usually value the black-holing of IP addresses, because the miscreants who use them can rapidly switch to new addresses.

The advantage of reporting these ones is that there are many name servers that have been placed on hold, but the registrar has failed to change the "glue" records, so the name servers still resolve names. If the addresses are changed, then hundreds of sites will be taken down at once.

Highest used IP addresses (sorted into most frequent first)

188.128.242.130
report to abuse@home.pl
31.184.241.32
Budko Dmutro, UKR, +380958382755
195.2.240.144
report to abuse@pinspb.ru
185.5.99.145
report to abuse@biznes-host.pl
85.95.236.188
Rasim Akkoyunlu +905763457689
82.114.63.171
report to abuse@cy.net
134.60.13.251
report to abuse@uni-ulm.de
75.98.230.254
report to abuse@cera.net
88.190.218.27
abuse@proxad.net
85.31.101.202
report to abuse@nano.lv

208.73.211.28
91.198.137.39
88.191.160.232
88.151.99.156
85.31.101.203
208.91.197.66

HOW TO REPORT
When reporting these, it is necessary to give evidence that they are used for unlawful purposes. This has been done already. To view the evidence, you just need to form the URL as shown here. Take the IP address and append it to http://www.abuseipdb.com/report-history/

For example, take one of the highly used IPs from the list:
Evidence: http://www.www.abuseipdb.com/report-history/24.234.252.189

When you look at that site, you may find a useful link to the WHOIS information, in a box called [Whois 24.234.252.189]. When you go there, you might find the abuse reporting addresses.
If not, look it up at http://who.is
http://who.is/whois-ip/ip-address/24.234.252.189 which reports
OrgAbuseEmail: abuse@cox.net

You can send a request to the abuse addresses, asking that the IP address be null-routed because it is being used for unlawful purposes, linking to the evidence as shown above.

Updated October 10 2013 - addresses refreshed with current ones

Re: Eva Pharmacy campaign

Postby Red Dwarf » Sun Jul 14, 2013 6:37 pm

The FDA, DOJ, International Customs and Interpol combine on an annual basis to take action against fake pharmacies in Operation Pangea.

You can contact them at
    Office of Criminal Investigations
    7500 Standish Place
    Rockville, MD 20855
The web page for reporting criminal activity is at
http://www.accessdata.fda.gov/scripts/email/oc/oci/contact.cfm

Re: Eva Pharmacy campaign

Postby Red Dwarf » Thu Aug 22, 2013 10:30 pm

August 22, 2013
The last 2 days have been very good for some registrars. The number of fraud domains suspended has been high.

235 by NETLYNX (India)
253 by PSI-USA InterNetX (Germany)
302 by NAMESILO (Phoenix, AZ)
100 by TRUNKOZ (India)

Total = 890

Re: Eva Pharmacy campaign

Postby spamislame » Tue Aug 27, 2013 4:02 pm

Hey

Red and I had a summit skype phonecall regarding a few things and I thought I would contribute something since I wasn't aware that some people thought Eva disappeared completely for some period of time. They did not. They just don't send *us* spam now, primarily.

Lately they are relying on still more hacked servers, but this time using any public exploit against Apache, Wordpress, Joomla, or anything else they can find. They do this to place their redirects specific to Eva domains.

Some examples:

Spammed urls:

http://www.pregnancywyze.com/fairness_cream.html
http://tloves.webchuyennghiep.net/adefovir.html
http://seesawscene.com/lovastatin.html
http://ludivepo.angelfire.com/fusidic_acid.html

Each of these is a hacked website and domain. They bruteforce the html files on to the server, and it redirects the user. These are useful for (at most) only a single day, but probably less, after which the domain is trapped by most spam filters.

For each of those pages the corresponding landing domains are:

pregnancywyze.com => rxhealthmeds.ru [CH&CM]
tloves.webchuyennghiep.net => drugstoremeds.ru [CH&CM]
seesawscene.com => pillstabletspharmacy.ru [MCP]
ludivepo.angelfire.com => medicinerxtablets.ru [MCP]

And from there you get the typical 3-hacked-unix-server setup which has been documented previously.

I have to dig around to find spam for these from my friends, who are pretty happy to keep providing these domains to me. So if you haven't seen any Eva spam lately, it's possibly because you contribute to this forum. :) It's a form of success I suppose.

SiL
spamislame
Site Admin
Posts: 5056
Joined: Tue May 09, 2006 9:18 am

Re: Eva Pharmacy campaign

Postby Red Dwarf » Thu Sep 19, 2013 7:36 pm

spamislame wrote:And from there you get the typical 3-hacked-unix-server setup which has been documented previously.

I can't find evidence of that. To me it looks like they are now using just the one server for pages and images. Are you seeing something different?
In Firefox I use the View Page Info option, and click on Media.

spamislame wrote:I have to dig around to find spam for these from my friends, who are pretty happy to keep providing these domains to me. So if you haven't seen any Eva spam lately, it's possibly because you contribute to this forum. :) It's a form of success I suppose.

I would like to have a feed of Eva domains. Currently I have to resort to all sorts of data mining tools to find them, and they are running dry.

Re: Eva Pharmacy campaign

Postby spamislame » Mon Sep 23, 2013 5:42 pm

Red Dwarf wrote:
spamislame wrote:And from there you get the typical 3-hacked-unix-server setup which has been documented previously.

I can't find evidence of that. To me it looks like they are now using just the one server for pages and images. Are you seeing something different?

Yup. A browser won't give you nearly enough info. The unix "dig" command is your friend:

%dig medicinerxtablets.ru

; <<>> DiG 9.9.3-P2 <<>> medicinerxtablets.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16817
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;medicinerxtablets.ru.          IN      A

;; ANSWER SECTION:
medicinerxtablets.ru.   600     IN      A       91.204.162.83

;; AUTHORITY SECTION:
medicinerxtablets.ru.   600     IN      NS      ns1.medicinerxtablets.ru.
medicinerxtablets.ru.   600     IN      NS      ns2.medicinerxtablets.ru.

;; ADDITIONAL SECTION:
ns1.medicinerxtablets.ru. 600   IN      A       91.204.162.83
ns2.medicinerxtablets.ru. 600   IN      A       91.204.162.83

In this case all three ip addresses are the same, but in 90% of cases, they are all different.

So for example:

%dig wour.ru

; <<>> DiG 9.9.3-P2 <<>> wour.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14988
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wour.ru.                       IN      A

;; ANSWER SECTION:
wour.ru.                600     IN      A       91.204.162.83

;; AUTHORITY SECTION:
wour.ru.                600     IN      NS      ns1.wour.ru.
wour.ru.                600     IN      NS      ns2.wour.ru.

;; ADDITIONAL SECTION:
ns1.wour.ru.            600     IN      A       61.178.118.4
ns2.wour.ru.            600     IN      A       91.226.116.66

;; Query time: 595 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 23 17:38:34 EDT 2013
;; MSG SIZE  rcvd: 120

So: one main http host and two dns hosts

91.204.162.83
61.178.118.4
91.226.116.66

This indicates that "91.204.162.83" is a pretty important ip for them.

%dig octh.ru

; <<>> DiG 9.9.3-P2 <<>> octh.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20846
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;octh.ru.                       IN      A

;; ANSWER SECTION:
octh.ru.                600     IN      A       91.204.162.83

;; AUTHORITY SECTION:
octh.ru.                600     IN      NS      ns1.octh.ru.
octh.ru.                600     IN      NS      ns2.octh.ru.

;; ADDITIONAL SECTION:
ns1.octh.ru.            600     IN      A       200.110.137.11
ns2.octh.ru.            600     IN      A       125.16.213.251

;; Query time: 527 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 23 17:39:38 EDT 2013
;; MSG SIZE  rcvd: 120

91.204.162.83
200.110.137.11
125.16.213.251

(91.204.162.83 again. Suuuuper important.)

(Note that "medicinerxtablets.ru" one is the domain from your posting way back on Feb. 20th. It's still live.)

Red Dwarf wrote:In Firefox I use the View Page Info option, and click on Media

That will only show you the "front facing" domain, not which actual IP delivered the image content to your browser.
Red Dwarf wrote:I would like to have a feed of Eva domains. Currently I have to resort to all sorts of data mining tools to find them, and they are running dry.

Me too. Mine are all sporadically reported by friends who all know I'm still researching this.

I must have made some kind of impact over at Eva because they finally scrubbed their lists of all my addresses except one. It's something I honestly never expected to see take place.

SiL
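The lookups above are done by hand, one domain at a time. The script below is an added example (not the forum's or either poster's own tooling) that does the same bookkeeping over text in the shape of dig output: it pulls the web host's A record from the ANSWER section and each name server's glue A record from the ADDITIONAL section, reports whether a domain uses one IP for everything or the "web host + 2 DNS hosts" split, and counts how many domains share each address so the recurring one (91.204.162.83 in the lookups above) floats to the top. The three transcripts embedded in it are constructed from the answers quoted above, trimmed to the sections the parser reads.

```python
"""Rank IPs shared across spammed domains' host and name-server glue records.
Added example built around the dig answers quoted in the thread; the
transcripts below are constructed from those answers, not live lookups."""
import re
from collections import Counter

SAMPLE_DIG = {
    "medicinerxtablets.ru": """\
;; ANSWER SECTION:
medicinerxtablets.ru.   600     IN      A       91.204.162.83
;; AUTHORITY SECTION:
medicinerxtablets.ru.   600     IN      NS      ns1.medicinerxtablets.ru.
medicinerxtablets.ru.   600     IN      NS      ns2.medicinerxtablets.ru.
;; ADDITIONAL SECTION:
ns1.medicinerxtablets.ru. 600   IN      A       91.204.162.83
ns2.medicinerxtablets.ru. 600   IN      A       91.204.162.83
""",
    "wour.ru": """\
;; ANSWER SECTION:
wour.ru.                600     IN      A       91.204.162.83
;; AUTHORITY SECTION:
wour.ru.                600     IN      NS      ns1.wour.ru.
wour.ru.                600     IN      NS      ns2.wour.ru.
;; ADDITIONAL SECTION:
ns1.wour.ru.            600     IN      A       61.178.118.4
ns2.wour.ru.            600     IN      A       91.226.116.66
""",
    "octh.ru": """\
;; ANSWER SECTION:
octh.ru.                600     IN      A       91.204.162.83
;; AUTHORITY SECTION:
octh.ru.                600     IN      NS      ns1.octh.ru.
octh.ru.                600     IN      NS      ns2.octh.ru.
;; ADDITIONAL SECTION:
ns1.octh.ru.            600     IN      A       200.110.137.11
ns2.octh.ru.            600     IN      A       125.16.213.251
""",
}

# One resource record line as dig prints it: name, TTL, class IN, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


def parse_dig(text):
    """Split dig output into web-host A records, NS names and glue A records,
    using the ';; ... SECTION:' headers to tell host A from glue A."""
    section = None
    host, ns_names, glue = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]
            continue
        if not line or line.startswith(";"):
            continue  # comments, the QUESTION line, query-time trailer
        m = RR_RE.match(line)
        if not m:
            continue
        name, _ttl, rtype, rdata = m.groups()
        if section == "ANSWER" and rtype == "A":
            host.append(rdata)
        elif section == "AUTHORITY" and rtype == "NS":
            ns_names.append(rdata)
        elif section == "ADDITIONAL" and rtype == "A":
            glue[name] = rdata
    return {"host": host, "ns": ns_names, "glue": glue}


def infrastructure_set(parsed):
    """All IPs behind one domain: the web host plus the glue of each NS."""
    ips = set(parsed["host"])
    for ns in parsed["ns"]:
        if ns in parsed["glue"]:
            ips.add(parsed["glue"][ns])
    return ips


def classify(parsed):
    """'single-ip' when host and name servers share one address, otherwise
    'split' (the web host + 2 DNS hosts pattern described in the thread)."""
    return "single-ip" if len(infrastructure_set(parsed)) == 1 else "split"


def rank_shared_ips(dig_outputs):
    """Count in how many domains each IP appears, most shared first; an IP
    recurring across many domains is the one whose ISP is worth reporting to."""
    counter = Counter()
    for text in dig_outputs.values():
        counter.update(infrastructure_set(parse_dig(text)))
    return counter.most_common()


if __name__ == "__main__":
    for domain, text in SAMPLE_DIG.items():
        parsed = parse_dig(text)
        print(domain, classify(parsed), sorted(infrastructure_set(parsed)))
    for ip, n in rank_shared_ips(SAMPLE_DIG):
        print(f"{n} domain(s) share {ip}")
```

To use it on fresh data, feed the script the text of `dig <domain>` for each domain you are tracking; dig only returns glue addresses in the ADDITIONAL section when the name servers sit under the queried domain, which is exactly the pattern the thread describes, so for NS names hosted elsewhere you would need a second lookup per name server.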

Re: Eva Pharmacy campaign

Postby Red Dwarf » Mon Sep 23, 2013 7:06 pm

That clears it up. I thought you were including the image server IPs, which they have now dispensed with.

So you are saying that in general there is now a set of 3 IPs - hosting site and 2 name servers - all of which are hijacked I presume.

Re: Eva Pharmacy campaign

Postby spamislame » Wed Sep 25, 2013 3:39 pm

Red Dwarf wrote:That clears it up. I thought you were including the image server IPs, which they have now dispensed with.

Yeah, that appears to have been disposed of in mid-2009.
Red Dwarf wrote:So you are saying that in general there is now a set of 3 IPs - hosting site and 2 name servers - all of which are hijacked I presume.

Welllll.... sssssort of yes / no.

In general, as often as possible, they use hacked / hijacked servers around the world, usually in sets of three (web host + 2 dns hosts.)

But not always.

Sometimes it's one IP address for all three. In some cases that IP address is either hacked / hijacked, or it's actually "owned" by whoever it is at EvaPharmacy. In the latter case, very often that "owned" server has still been paid for using some unsuspecting person's credit card data. Etc. It's a mish-mash.

SiL

Re: Eva Pharmacy campaign

Postby Red Dwarf » Wed Sep 25, 2013 5:46 pm

It is interesting to see the patterns used by this operation. In most cases there are only two DNS resolvers, using domains selected from two different registrars. There are some variations which we can look at here. Let's focus on the registrars and the IP addresses.

From my database of detected Eva Pharmacy sites over the past 9 months, these are the most used registrars, sorted by number of domains.

4046 PSI-USA, INC. DBA DOMAIN ROBOT
3911 TRUNKOZ TECHNOLOGIES PVT LTD.
2779 NETLYNX, INC.
2138 NAMESILO, LLC
936 CLOUD GROUP LIMITED
644 NAUNET-REG-RIPN
552 NICS TELEKOMUNIKASYON TICARET LTD.STI.
421 REGRU-REG-RIPN
402 REGISTRYGATE GMBH
347 UNITED-DOMAINS AG
193 KEY-SYSTEMS GMBH
156 DOMAINCONTEXT, INC.
112 HTTP.NET INTERNET GMBH

SPAMMED DOMAIN = HOST
Most times the spammed domain name resolves to the IP address of the hosting site. At any one time there will be less than 15 IP addresses in use for the thousands of domains.

SPAMMED DOMAIN = REDIRECTOR
But there are also many cases where the spammed domain names redirect to a target domain that is not spammed, in an attempt to hide from blacklisting services.

EXCEPTIONS
One exception to the pattern described above is the recent emergence of a single registrar, a single redirection target and a single IP address across the board. DOMAINCONTEXT sponsors all the redirectors, the target and the name servers and they all run on the one IP at 146.185.247.40 in Russia. The registrations come from a partner registrar at RU-TLD.RU [e-mail: support@ru-tld.ru and icq: 900004]

Re: Eva Pharmacy campaign

Postby Red Dwarf » Mon Oct 07, 2013 10:57 pm

This is a picture of the most abused registrars, showing their compliance with suspension requests

Image

Four registrars stand out - although some suspensions have taken place, there are over 880 domains still sponsored by these four.

    * NAUNET in Russia
    * PSI-USA / InterNetX in Germany
    * NameSilo in the US
    * HTTP.NET in Germany

This shows the number of live Eva Pharmacy fraud domains provided by the top registrars. If these registrars were to suspend these fraudulent domains this Russian scam operation would be less successful.

Image

Dateline: November 15, 2003

Re: Eva Pharmacy campaign

Postby Red Dwarf » Sun Oct 13, 2013 3:53 pm

OCTOBER 14, 2013
REPORTING ABUSED IP ADDRESSES
The most frequently used IP addresses for hosts and name servers are shown below. It would be useful if someone would volunteer to report these. I don't usually value the black-holing of IP addresses, because the miscreants who use them can rapidly switch to new addresses.

The advantage of reporting these ones is that there are many name servers that have been placed on hold, but the registrar has failed to change the "glue" records, so the name servers still resolve names. If the addresses are changed, then hundreds of sites will be taken down at once.

Highest used IP addresses (sorted into most frequent first)

188.128.242.130
report to abuse@home.pl
31.184.241.32
Budko Dmutro, UKR, +380958382755
195.2.240.144
report to abuse@pinspb.ru
185.5.99.145
report to abuse@biznes-host.pl
85.95.236.188
Rasim Akkoyunlu +905763457689
82.114.63.171
report to abuse@cy.net
134.60.13.251
report to abuse@uni-ulm.de
75.98.230.254
report to abuse@cera.net
88.190.218.27
abuse@proxad.net
85.31.101.202
report to abuse@nano.lv

208.73.211.28
91.198.137.39
88.191.160.232
88.151.99.156
85.31.101.203
208.91.197.66

HOW TO REPORT
When reporting these, it is necessary to give evidence that they are used for unlawful purposes. This has been done already. To view the evidence, you just need to form the URL as shown here. Take the IP address and append it to http://www.abuseipdb.com/report-history/

For example, take one of the highly used IPs from the list:
Evidence: http://www.www.abuseipdb.com/report-history/24.234.252.189

When you look at that site, you may find a useful link to the WHOIS information, in a box called [Whois 24.234.252.189]. When you go there, you might find the abuse reporting addresses.
If not, look it up at http://who.is
http://who.is/whois-ip/ip-address/24.234.252.189 which reports
OrgAbuseEmail: abuse@cox.net

You can send a request to the abuse addresses, asking that the IP address be null-routed because it is being used for unlawful purposes, linking to the evidence as shown above.

Updated October 10 2013 - addresses refreshed with current ones

Re: Eva Pharmacy campaign

Postby Red Dwarf » Tue Feb 04, 2014 7:50 pm

Eva Pharmacy generates thousands of domain names. Typically the registrants have names, addresses, phone numbers from all over the world.
The addresses and phone numbers look genuine, up to a point. In actual fact, they are invariably fakes.

* The street name, suburb and city may all exist, but often the street number is higher than the number of locations in that street. It is randomly generated.
* The suburb is usually in the same city as the street; however, the street is often actually in an adjacent suburb.
* The phone number starts with the correct prefix code for the country and suburb (land-line) or phone provider (cell). But the rest of the phone number is randomly generated, and usually does not exist.

    Question: How are these thousands of registrant details created?
    Answer: http://www.fakenamegenerator.com
There you will find that this cute little random person ID generator follows exactly along the lines described above.

A pointer to this site is at http://pctechmag.com/2014/02/this-guy-creates-billions-of-fake-identities-every-month/

That's how it slips past the most rudimentary checks applied by registrars, if they look at them at all.

Let's work an example. A fake ID generated for a French name in France gave


Galatee Hughes
29, rue des lieutemants Thomazo
83300 DRAGUIGNAN
Phone:
04.41.33.49.88
Email Address:
GalateeHughes@armyspy.com
This is a real email address. Click here to activate it!


Now look up an EvaPharmacy domain, jacquelynnvikki.com
Registrant Name: Eleanor Dandonneau
Registrant Organization: Eleanor Dandonneau
Registrant Street: 21 rue des lieutemants Thomazo
Registrant City: Draguignan
Registrant State/Province: Draguignan
Registrant Postal Code: 83300
Registrant Country: FR
Registrant Phone: +33.0407242406
Registrant Email: waldman@jacquelynnvikki.com


It is clear that the structure of what is generated at fakenamegenerator.com matches the format of the data used in the domain registration. Note that for France the same entry is used for both Registrant City and Registrant State/Province. That's because the generator does not generate both fields.
The same occurs with Finland, Hungary, Poland.
But other countries supply both fields, for example Australia, Brazil, Canada, Germany, Spain, Italy, Netherlands, New Zealand, US.
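The comparison above is done by eye. As an added example (not the forum's own tooling, and not a published rule), the script below turns the tells described in this post into heuristic checks a registrar or researcher could run over WHOIS registrant blocks: a street name reused under different house numbers by different registrants, City duplicated into State/Province for the countries the post names, organisation equal to the registrant name, and a contact address living at the very domain being registered. The first record is the jacquelynnvikki.com entry quoted above; the other two records, their domain names and the thresholds are constructed for the example, and the country list is taken from the post's own observation rather than from any documented behaviour of the generator.

```python
"""Heuristic checks on WHOIS registrant blocks for the generated-identity
pattern described in the post above.  Added example; rules are assumptions
drawn from the post, and records 2 and 3 are constructed."""
import re
from collections import defaultdict

SAMPLE_WHOIS = [
    # Record quoted in the post.
    ("jacquelynnvikki.com", """\
Registrant Name: Eleanor Dandonneau
Registrant Organization: Eleanor Dandonneau
Registrant Street: 21 rue des lieutemants Thomazo
Registrant City: Draguignan
Registrant State/Province: Draguignan
Registrant Postal Code: 83300
Registrant Country: FR
Registrant Phone: +33.0407242406
Registrant Email: waldman@jacquelynnvikki.com
"""),
    # Constructed: same street, different number and registrant.
    ("constructed-one.com", """\
Registrant Name: Pierre Exemple
Registrant Organization: Pierre Exemple
Registrant Street: 57 rue des lieutemants Thomazo
Registrant City: Draguignan
Registrant State/Province: Draguignan
Registrant Postal Code: 83300
Registrant Country: FR
Registrant Email: durand@constructed-one.com
"""),
    # Constructed: a benign-looking record that should raise no flags.
    ("constructed-two.de", """\
Registrant Name: Anna Beispiel
Registrant Organization: Beispiel GmbH
Registrant Street: 10 Musterstrasse
Registrant City: Berlin
Registrant State/Province: Berlin
Registrant Postal Code: 10115
Registrant Country: DE
Registrant Email: anna@beispiel-constructed.example
"""),
]

# Countries for which the post observes City == State/Province in generated
# data (assumption taken from the post, not a documented property).
SINGLE_LOCALITY_COUNTRIES = {"FR", "FI", "HU", "PL"}

FIELD_RE = re.compile(r"^Registrant (.+?):\s*(.*)$")
STREET_RE = re.compile(r"^(\d+)[,\s]+(.*)$")


def parse_registrant(text):
    """Turn 'Registrant X: Y' lines into a {X: Y} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def street_parts(street):
    """Split '21 rue des lieutemants Thomazo' into (21, 'rue des ... thomazo')."""
    m = STREET_RE.match(street.strip())
    if not m:
        return None, street.strip().lower()
    return int(m.group(1)), m.group(2).strip().lower()


def flags_for(domain, f):
    """Per-record signs of a generated identity (heuristics, not proof)."""
    flags = []
    if f.get("Organization") and f["Organization"] == f.get("Name"):
        flags.append("organization equals registrant name")
    if (f.get("Country") in SINGLE_LOCALITY_COUNTRIES
            and f.get("City", "").lower() == f.get("State/Province", "").lower()):
        flags.append("city duplicated into state/province")
    if f.get("Email", "").lower().endswith("@" + domain.lower()):
        flags.append("contact email lives at the domain being registered")
    return flags


def street_clusters(records):
    """Group records by (country, postal code, street name) and keep only the
    groups where different registrant names share one street: a generator
    reusing a real street with random house numbers produces exactly this."""
    groups = defaultdict(list)
    for domain, text in records:
        f = parse_registrant(text)
        _number, name = street_parts(f.get("Street", ""))
        key = (f.get("Country", ""), f.get("Postal Code", ""), name)
        groups[key].append((domain, f.get("Name", "")))
    return {k: [d for d, _ in v] for k, v in groups.items()
            if len({n for _, n in v}) > 1}


if __name__ == "__main__":
    for domain, text in SAMPLE_WHOIS:
        print(domain, flags_for(domain, parse_registrant(text)))
    for key, domains in street_clusters(SAMPLE_WHOIS).items():
        print("shared street", key, "->", domains)
```

The per-record flags are weak on their own (a sole trader's organisation legitimately equals their name, and Berlin is both city and state), which is why the cross-record street clustering carries most of the weight: a single real street appearing under several unrelated registrants with unrelated email domains is the shape of the problem the post describes.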

Highest abused IP addresses

Postby Red Dwarf » Tue Mar 25, 2014 8:00 pm

Highest abused IP addresses - end of September 2014

In descending order of abuse, with sample fraud hosting domains as recorded on 18 September, 2014

Results will vary, as the Eva Pharmacy crooks rotate these regularly


ISPs should investigate these IP addresses used for illegal activity, and blackhole or null route them

Re: Eva Pharmacy campaign

Postby Red Dwarf » Wed Sep 17, 2014 7:45 pm

All registrars have agreed to suspend fraud domains used by Eva Pharmacy, except for one. That is R01.RU, located in Russia.

Image

This request to Russian registrar R01.RU summarizes the situation in November, 2014:

R01.RU
Dear Registrar

Another registrar in Russia is NAUNET. This registrar has suspended 340 fraud domains in the last 6 months.
You can see information about NAUNET at http://www.spamtrackers.eu/wiki/index.p ... T-REG-RIPN

R01 is also a registrar in Russia. There are over 3300 fraud domains registered at R01.
You can see information about R01.RU at http://www.spamtrackers.eu/wiki/index.php/R01.ru
All of the illegal domains are listed there.

I request you to suspend the illegal domains in the same way as NAUNET.

CRIMINAL EVIDENCE
The heading links at the public web page provide the evidence of fraud. Other registrars have acted responsibly and suspended them. R01.Ru is fast getting a reputation for supporting crime. NAUNET has gained a reputation for being an ethical business.

ACTION
Set the status to NOT DELEGATED on all of the domains listed. This will ensure that R01 gains a good reputation, and will result in more business success.

Thank you for your efforts to reduce crime and to keep criminals from abusing your terms of service.