LegitScript is working with Chinese registrar BIZCN to help them take down fraud pharmacies.
The article discusses Eva Pharmacy's method of geo-targeting, in which certain IP addresses or even whole countries get a different result when loading the same web site.
The cyber-criminals want to make various authorities believe that their sites do not exist. So they put together a block list of IP addresses and ranges corresponding to the people they want to fool. For example, we have previously detected that they have listed the credit card companies (VISA, AmEx, Mastercard), the FDA, the FBI, and pharmaceutical watchdogs like LegitScript, CIPA and PharmacyChecker. In addition, they have added all addresses in China and Russia to their block list.
Even more interesting: if a single IP address loads many of their sites in quick succession, they regard this as an attempt to verify or investigate their fraud sites, and that IP address is added to the block list. Of course, the Tor network offers a means of obfuscating the true source IP address, so they block all Tor exit addresses as well. Public proxy sites are also routinely blocked.
When anyone on the block list tries to load any of the thousands of rogue pharmacy domains, the response is a "404 Error - not found" message or a timeout, which is meant to delude the investigator into believing that the site is no longer operational.
LegitScript wrote: Recently, LegitScript reached out to BizCN with a list of domain names that were used to host rogue Internet pharmacies. As BizCN was processing our abuse notification, it became apparent that among a specific group of websites there was a discrepancy in the websites’ displayed content — what our analysts and the rest of the world could see, BizCN could not.
For example, on BizCN’s end, the websites in this specific group appeared to merely provide a “404 Not Found” error.
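The vantage-point discrepancy described above (live page for most of the world, 404 or timeout for the registrar and watchdogs) can be surfaced systematically by fetching each domain from several networks and comparing the results. The following is an added example, not LegitScript's or BizCN's code; the domains, vantage names and responses are constructed sample data standing in for what an investigator would collect.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# (domain, vantage point, HTTP status or "timeout", content fingerprint)
Observation = Tuple[str, str, str, str]

# Constructed sample data: the same URL fetched from five networks.
# "rx-example.invalid" behaves like the cloaked pharmacies on this page.
OBSERVATIONS: List[Observation] = [
    ("rx-example.invalid", "residential-us",  "200",     "a1f3"),
    ("rx-example.invalid", "cloud-vm",        "200",     "a1f3"),
    ("rx-example.invalid", "registrar-cn",    "404",     "e404"),
    ("rx-example.invalid", "tor-exit",        "timeout", ""),
    ("rx-example.invalid", "watchdog-office", "404",     "e404"),
    ("plain-site.invalid", "residential-us",  "200",     "77c0"),
    ("plain-site.invalid", "registrar-cn",    "200",     "77c0"),
    ("plain-site.invalid", "tor-exit",        "200",     "77c0"),
    ("gone-site.invalid",  "residential-us",  "404",     "e404"),
    ("gone-site.invalid",  "registrar-cn",    "404",     "e404"),
]

def classify(observations: List[Observation]) -> Dict[str, dict]:
    """Per domain: which vantages got a real page, which got 404/timeout,
    and whether that mix indicates cloaking (a genuinely dead site is 404
    from everywhere; a cloaked one is live from somewhere)."""
    by_domain = defaultdict(lambda: {"live_from": [], "blocked_from": []})
    for domain, vantage, status, fingerprint in observations:
        if status == "200" and fingerprint:
            by_domain[domain]["live_from"].append(vantage)
        elif status in ("404", "timeout"):
            by_domain[domain]["blocked_from"].append(vantage)
    for info in by_domain.values():
        info["cloaked"] = bool(info["live_from"]) and bool(info["blocked_from"])
    return dict(by_domain)

def suspected_blocklisted_vantages(observations: List[Observation]) -> List[str]:
    """Vantage points served 404/timeout for every cloaked domain they probed:
    a strong sign their IP range is on the operators' block list."""
    cloaked = {d for d, info in classify(observations).items() if info["cloaked"]}
    probed, blocked = defaultdict(set), defaultdict(set)
    for domain, vantage, status, _ in observations:
        if domain in cloaked:
            probed[vantage].add(domain)
            if status in ("404", "timeout"):
                blocked[vantage].add(domain)
    return sorted(v for v in probed if blocked[v] == probed[v])
```

Feeding real fetch results into the same structure is what turns a one-off "it 404s for us" into evidence that can be handed to a registrar with the non-blocked vantage points that still see the live pharmacy.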
It is a safe bet that these cyber-criminals will have added ICANN's IP addresses to the block list, to fool ICANN investigators into thinking that registrars have taken appropriate action on the fraud domain names. One would hope that ICANN is not that easily fooled.