Online Pharmacy SSL - hijacker

Spammers should not profit, so post information here that hits their pockets. There are many ways to fight spammers, and we have automation tools to combat them efficiently. These forums are moderated, but do not reflect the views of the hosting company, domain registrar, etc. By entering any of these forums, you agree that you cannot hold anyone liable for anything related in any way to these forums.

Online Pharmacy SSL - hijacker

Postby Red Dwarf » Sat Mar 14, 2015 7:38 pm

There is a fake pharmacy calling itself Online Pharmacy SSL

The prmiary site appears to be ONLINE-PHARMACY-SSL.NET

Registration details:
Domain Name: ONLINE-PHARMACY-SSL.NET
Registrar: TODAYNIC.COM, INC.
Creation Date: 14-aug-2014
Name: Robert R. Kirk
Organization: Robert R. Kirk
Street: 271 Cerullo Road
City: Owenton
Province/state: KT
Postal Code: 40359
Country: US
Phone: +1.5024638437
Phone EXT:
Fax: +1.5024638437
Fax EXT:
Email: canadianreg@gmail.com

That phone number does not exist, so the domain name breaks the terms of the ICANN Registrar Accreditation Agreement.

You can find the other sites with a Google search on "Online Pharmacy SSL" naturally enough. But you will notice something curious. All the hits have URLs that indicate they are hijacked web sites:
Code: Select all
latechurch.net/priligy-online-pharmacy/
sodaspeaks.com/clomid-online-pharmacy/
chd2009.com/cialis-india-pharmacy/
aaate2015.eu/proscar-online-pharmacy/
www.nvvtg.nl/nexium-online-pharmacy/
www.nvvtg.nl/clomid-online-pharmacy/
iseo2013.hu/priligy-online-pharmacy/
haenet2013.hu/canadian-pharmacy-cialis/
imp2010.org/generic-viagra-online/


You can load the Online PharmacyS SL page from the links found in your Google search, but not directly. Presumably the sites need a valid referrer, in this case Google.

The legitimate web sites which have been compromised are
Code: Select all
latechurch.net
sodaspeaks.com
chd2009.com
aaate2015.eu
www.nvvtg.nl
www.nvvtg.nl
iseo2013.hu
onlinepharmacyreviews.org
haenet2013.hu
imp2010.org


The pattern is simple. The domain name is the hijacked web site, and what follows is the directory path to the additional hijacked code for the Online Pharmacy SSL.

The contact number is always the same:
    24/7 CUSTOMER SUPPOR
    T US +1(855)827-83-87
    UK +44(808)189-02-16

The person answering the call will tell you that the operation is located in London, and shipments are from India. That matches the FAQ
Where are the pills you offer shipped from?

The pills we offer are produced by Indian manufacturers. To make sure our entire product list is in stock, the orders are sent out directly by our manufacturer. It would usually takes around two weeks for an order to be delivered to your location, up to three weeks in some rare cases.
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am

Re: Online Pharmacy SSL - hijacker

Postby Red Dwarf » Sat Mar 14, 2015 9:04 pm

Looking at the registrant email address, canadianreg@gmail.com we can find other sites registered by someone using this contact. Live ones are

SEIZED, registered with TODAYNIC.COM, INC.
canadianpharmacy-online.net Seized by FDA CcIU
topone-canadianpharmacy.net Seized by FDA CcIU
online-canadianpharmacy.net Seized by FDA CcIU
24h-canadian-pharmacy.net Seized by FDA CcIU
top-canadianpharmacy.net Seized by FDA CcIU
open-canadian-pharmacy.net Seized by FDA CcIU
real-canadian-pharmacy.net Seized by FDA CcIU

DEAD, registered with TODAYNIC.COM, INC.
authkey.com - NS1.VDS-72-128.CUSTDNS.COM.DIRECTIDELETEDDOMAIN.COM
gvardeloop.com
picekato.net

ALIVE
online-pharmacy-ssl.net
User avatar
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10431
Joined: Tue Jun 27, 2006 2:01 am


Return to Fight Spammers

Who is online

Users browsing this forum: Google [Bot] and 1 guest

cron