Canadian Health&Care Mall is part of the Eva Pharmacy fraud.
Description[]
Canadian Health&Care Mall is another Bulker.biz property. (Also previously thought to be managed by Alex Polyakov The same group of scam pharmacy brands is referred to as "Eva Pharmacy" by Knujon and LegitScript and as "Yambo Financials" by Spamhaus.)
© 2001–2013 Canadian Health&Care Mall. All rights reserved.
Our online ordering system uses the latest in Secure Encryption Technology. All personal and credit card information is submitted with the highest level of security and precautions. In fact, when you go to Checkout you are on a non-secure http page hosted by feeblemindedkow.com! When last tested (Aprl, 2007) the links to "Verisign Secured", "FDA", "CPA Approved" and "American Quality" all failed, as well as the "View License". Canadian Health&Care Mall, in common with Polyakov's other fake pharmacy operations, has no licenses, approval, quality guarantees, security or site awards. Under "Our Address" the site for this "Canadian" pharmacy lists addresses in Monroe, LA and New Delhi, India. Neither of these addresses are in Canada. |
Each domain name resolves to an IP address of a hijacked host.
Each name server used to resolve the domain name to the IP address is also run on yet another hijacked host.
 Awards |
Fake License 1[]
The actual Minnesota Board of Pharmacy has stated clearly that the license on this site is a fake, and even have a page devoted to Canadian Health&Care Mall on their websites's FAQ. They provided a statement to our investigators, pointing out all of the discrepancies in it.
Comment from the Minnesota Board of Pharmacy:
We are very much aware of this issue. It has been an ongoing issue for over a year. I have turned over information to our state's attorney general office and have had conversations with FDA investigators. The problem, as you are probably aware, is that it appears that whoever is behind this is operating outside the United States. The fake "license" shows clear indications that it is not valid. There are misspellings, sentences run together, Board of Pharmacy is not capitalized. Anyone who did some comparison shopping would also find that the websites charge several times more for drugs than legitimate websites. For example, tramdol sells for $0.64 on Walgreens.com but $2.17 on bestusdrugs.com. I will consider putting a statement on our website. Not sure what good it will do because I have a hunch that many people who actually try to purchase drugs from these websites already know they aren't legitimate - and don't care. As long as there are people willing to respond to spam that they know is illegitimate, the spammers will keep operating. Cody Wiberg, Pharm.D., R.Ph. Executive Director Minnesota Board of Pharmacy
Fake License 2[]
Fake Doctors[]
About Us
The "About Us" section of Canadian Health&Care Mall sites includes a heartwarming description of its beginnings as a "store of so-called 'useful things,'" written in rather clumsy English. They brag about selling "medication of the best possible quality, licensed and working." And since we've already seen what their license is worth, we conclude the likelihood of getting any drugs that work is ... ?
Canadian Health&Care Mall started as a multistore based in Toronto and Ottawa in early 90s. Operating not just as a family pharmacy but also as a store of so- called "useful things" Health&Care chain store system grew from year to year and resulted in current online project. We tried to make use of our previous experience and to create a really competing online resource for absolutely any customer. Though the idea is standard you may be absolutely sure that the filling is unique and has no analogues all over the Internet. We would like to admit that our online store is operating independently from the offline store system.
The site lists its medical staff as "Dr. Edward B. Armington" and "Dr. William Grant," both with impressive resumés. Apparently they and their team also have time on the side for modeling, as gettyimages.com is selling some of the same stock photos:
|
|
| www.gettyimages.com
image #: 200354730-001 [1] |
www.gettyimages.com
image #: 200335242-004 [2] |
These same fake credentials are found on the "Global Canadian Online" spam brand.
This is a common trait across most of the Yambo Financials sites. My Canadian Pharmacy also uses stock photos as portraits of their so-called "physicians" and "staff."
Additionally, the original picture of the female doctor is also found in Getty Images. Its modified version, used in Canadian Health&Care Mall, is found in the website of CapitalAir Corporation, Ontario. The model is unlikely to be a real physician, as another picture of hers in Getty Images suggests.
 |
 |
 |
|---|---|---|
| www.capitalaircorp.com
Medical Centres [3] |
www.gettyimages.com dv1881002 [4] |
www.gettyimages.com dv1881008 [5] |
Fake Offices[]
The "contacts" page includes addresses for offices in Ontario, Louisiana, and New Delhi, as well as photos of the buildings they claim to occupy at those locations. They even offer to provide a "face to face audience" with one of their managers to anyone who wishes to visit them on site.
But comparing the buildings in the photos to Google Maps satellite images of those addresses shows residential areas with no sign of large buildings like these:
|
  |
| "2110 Oak Aly, Monroe LA" | "2110 Oak St., Monroe LA" (although, admittedly Oak St. does appear to terminate at 21st St., so perhaps this could be called "Oak Alley." But not "Oak Aly." Please. |
In more recent sites, the same building has been teleported to Kingston, ON, Canada:
  |
  |
| satellite view of 186 Brock St., Kingston, ON | "186 Brock St. Kingston, ON" is part of the Hotel Dieu Hospital, which occupies the entire block. |
The address in Waterloo, ON turns out to be a residential neighborhood:
|
  |
| "121 Hawkswood, Kitchener Waterloo, Ontario, Canada" | "121 Hawkswood Dr, Kitchener, ON N2K, Canada" |
The third location, an address in New Delhi, is too inexact for Google maps to locate it; it is unclear if such an address actually exists.
Fake VeriSign certificate[]
Fake FDA certificate[]
Fake Security[]
Some sites have an SSL certificate to encrypt the transmission of sensitive daata such as credit card information, others do not. In either case the site claims to provide encryption with a 256-bit level. Here is an example of a false claim. On the right is a padlock icon representing an encrypted link, together with a false claim to be using encryption. On the left, the browser reveals the true status - no encryption
Fake Registration[]
Like other Yambo family sites, CH&CM uses identity theft to register its sites. Anyone who finds their personal information used in the registration information of a spam website should review the Whois identity theft information article..
In 2014 the method changed from using stolen identities, to using a fake name generator service, such as the one found at http://www.fakenamegenerator.com. These fake ID sites will generate real looking names, addresses, phone numbers and credit cards to simulate real identities. The aim is to make it more difficult for registrars to identify fake registrant data. Only the email address will be true, so that the registrant can handle information requests from the registrars.
Sample Spam[]
Hi there, this is your chance to Heal your healt! We have various medicament that will assistance you For the real men we have our special proposal Just CLICK here! Come on start a new life with our medicament!!!
As our customer you have a chance to check out first to anybody our new page! Only primal high-grade pharmaceutics at a price you can afford!! 20% guaranteed reduction is for you only!!! Take notice what said our pleased clients: From: Brian Zalewski Subject: Simply Thank you! "Thank you very much you rendered me festal rebates & your special offers that preserve time and greens, offering only medicinal agents of highest quality. You're of my minions, I shall tell about your drugstore without fail all my buddies!" Note some more testimonials at our site!
Sample sites and registrars who were sponsoring them[]
BIZCN.COM, INC.[]
bestrxmarket.com firsthotbargain.com magicpharmmart.com mycuringtrade.com mymedsgroup.com naturaltabsdeal.com newbestpurchase.com securedrugsmall.com trustedmedsmart.com youraidquality.com yourtabsoutlet.com
Key-Systems GmbH[]
albertinabren.eu bestcareservice.eu bestpharmwebmart.eu cicilyhalette.eu connypearline.eu corendaaudry.eu dannaliane.eu electracorly.eu fastsmartbargain.eu fayedyshell.eu herbalherbsvalue.eu ileaneanastasia.eu jeniffertanya.eu lissierinn.eu maenarakoral.eu marielroslyn.eu medicalcarevalue.eu newgenericeshop.eu pureglobaldeal.eu rosaliejennica.eu rosiesidoney.eu sonyaanstice.eu thepillshop.eu ulrikaumekoshawna.eu ulrikedoralyn.eu valedakylila.eu zonnyasheelagh.eu
PDR LTD.[]
bessiepaule.trade bethtobe.trade daisietessie.win homedrugservice.win junebethina.trade karleenkakalina.win kinnakirsti.trade mybestmart.trade mypillsstore.win myremedymall.trade newhealthstore.win phaidraerda.win rasianeille.trade tanaenrica.trade teresamelodee.win thecaremarket.trade
R01-REG-FID[]
enrichettakoralle.su firstfasttrade.su ledacorella.su mytabsshop.su safetabsservices.su
R01-RU[]
anjanetterobinette.ru belviageorgianne.ru besttrustedinc.ru canadianbestmall.ru cissykelcie.ru curingtabsstore.ru dorrybarry.ru fastpharmelement.ru goodfastsupply.ru goodherbvalue.ru goodmedicaredeal.ru harrialene.ru herbalhotservice.ru hjtpcpxv.ru homedrugsassist.ru homefirstelement.ru homefirstelement.ru homemedicalmall.ru homeremedymart.ru hotsafeassist.ru juliannenicky.ru lettyelnavita.ru lissyaubrette.ru luckypillstrade.ru luckypillstrade.ru magicdrugssale.ru maviskarina.ru mycuringelement.ru mycuringsale.ru mygenericinc.ru myherbelement.ru myhotmarket.ru naturalpillvalue.ru newdrugssale.ru newrxservice.ru onlineherbinc.ru onlinehotsupply.ru privatesafedeal.ru purebestmarket.ru safebestservice.ru safehealingsale.ru secureherbsale.ru sibbyjacquelyn.ru sibellamalynda.ru smartpillwebmart.ru stephiejunia.ru tameraapril.ru thecarebargain.ru thedrugmarket.ru thetabstrade.ru trustedmedsmart.ru ubepewpx.ru yolandedorian.ru yourbestpurchase.ru ytqudyxq.ru
R01-SU[]
bestbestservices.su bestremedialsale.su bestsmartassist.su blythekellia.su canadiansafeshop.su curingfirstgroup.su fastprivatesale.su firstherbstrade.su goodremedysupply.su healingherbsmall.su herbalglobalshop.su herbalpillsmart.su hotdrugreward.su hotremedywebmart.su magicpillservice.su medicalhealthinc.su medicalhotstore.su medicinesstore.su medicinesstore.su mydrugsmarket.su myonlinestore.su myorganicdeal.su mypilloutlet.su myrxreward.su onlinetabsstore.su privaterxelement.su purehotshop.su purewelnessstore.su rafaelitacamella.su safepillsservice.su securecareoutlet.su securefasteshop.su securerxtrade.su smartrxshop.su thecanadianmall.su thecuringmarket.su thepillstrade.su thetabsservices.su thetrustedinc.su willabellatammie.su yourbestgroup.su yourglobaltrade.su
REGRU-REG-FID[]
bestamysale.su bestwebx.su bestwebx.su bestweby.su bestweby.su bestwebz.su bestwebz.su mytargetwebx.su mytargetwebx.su mytargetweby.su mytargetweby.su mytargetwebz.su mytargetwebz.su targetgweb.su
REGRU-RU[]
fastorganictrade.ru omecuringshop.ru
TUCOWS DOMAINS INC.[]
canadianrxsale.com luckyhotvalue.com magicpillassist.com newcanadiansale.com newprivatestore.com pureherbelement.com purepillwebmart.com securedrugsmart.com smartorganicinc.com yourrxdeal.com
Sample IP Addresses of their websites[]
Their websites tend to move from one IP to another at short intervals. These were in use in mid August 2017.
| IP Address | IP Location | Abuse reports |
|---|---|---|
| 78.107.252.174 | Russia | abuse@beeline.ru |
| 82.193.208.211 | Brazil | abuse@metronet.hr |
| 84.200.211.128 | ||
| 91.242.163.166 | Russia | info@sys-media.ru |
| 95.31.22.193 | ||
| 185.16.212.35 | Russia | abuse@pw-service.com |
| 185.24.235.201 | ||
| 185.107.80.194 | ||
| 194.58.112.174 | Russia | abuse@reg.ru |
| 195.22.126.196 | ||
| 195.22.126.197 | ||
| 195.22.126.198 | ||
| 222.122.81.79 |
History[]
History of the Spam - followed on from My Canadian Pharmacy. They have since abandoned the use of image servers.
In the past they have used the same process of running name servers, web site servers and image servers on hijacked hosts.
For example, examining the html source of a sample web page at any one time will have found
src="http://82.240.202.162:8080/e/ch/images/spacer.gif" src="http://201.28.121.171:8080/e/ch/images/aw_verisign.gif" src="http://217.6.21.195:8080/e/ch/images/aw_fda.gif" src="http://148.223.209.19:8080/e/ch/images/aw_cpa.gif" src="http://142.217.131.166:8080/e/ch/images/aw_aq.gif"
for a web site running on 222.161.21.110
The four name servers are meanwhile running on 200.62.226.85 and 80.191.123.206
In total there were 8 different IP addresses involved, all running a trojan proxy name server or web server without their owners' consent.
This method has now been abandoned after a comcerted campaign to report these hijacked hosts and to have them cleaned.
Look-alike sites[]
MycanadarxStore appeared in late October 2007. Its "about us" section is highly similar to that of Canadian Health&Care Mall, including the photos of "Dr. Edward B. Armington" and "Dr. William Grant." However, it differs from the other Yambo sites in that it does not share the image server IP address(es) they all use. It shares its nameservers with Prestige Replicas, not any Yambo sites. So this appears to be a case of plagiarism rather than affiliation.
How to Report this Spam[]
The Complainterator is configured to report this spam to the registrars. It performs a "whois" lookup on the domain names used by the name servers that resolve access to the web site. It discovers the registrars that are sponsoring the access to the web site. It prepares a complaint to the sponsoring registrars.
Removal instructions
web site domains
- the registrar needs to set the status of the domain to
- clientHold
- clientUpdateProhibited
- clientDeleteProhibited
- clientTransferProhibited
name server domains
- the registrar needs to set the status of each of the name server domains to
- clientHold
- clientUpdateProhibited
- clientDeleteProhibited
- clientTransferProhibited
In addition, to remove them as name servers, the subdomain address records (eg for ns1 and ns2) need to be changed to a non-routable address, such as 0.0.0.0 or a blackhole address within their own address space.
Sponsor Organization[]
Bulker.biz is the sponsor organization behind this type of site. They pay spammers to promote it, and they don't shut down illegal spammers.