Fraud Reports Wiki

Description

ED Pill Store previously was associated with the "Exquisite Replica" scam replica sites. Now it shares nameservers and IP addresses with penile enlargement brands linked to SanCash.

Screenshots of the six site layouts (images not reproduced here):

  • Version 1: EDPillStore
  • Version 2: EDPillStore2
  • Version 3: EDPillStore3
  • Version 4: EDPillStore4
  • Version 5: ED Pill Site
  • Version 6: ED Pill Store4

Samples of the spam

ED Pill Store spammers are famous for their inability to include in their spams the URL they want you to visit. About half the time they do manage to do it, and since they send massive bursts of similar spams, it's usually possible to see what they were trying to do with the ones that failed.

From: "FreeViagra" <Hrickety@adobe.com>
Subject: Always be ready to perform in bed

Tireed of peying ridic{|oous prices for Viagra & Cialis?

How about a 100% free Viagra & Cialis?

http://www.difjioi.cn

From: "FreeViagra" <3mooney@personalizeitpapersandgifts.com>
Subject: This is what she REALLY wants

Tired of paying ridiculuus ~rices for Viagraa & Cialiis?

How about a 100% frej Viiagra & Cialis?

http://www.iemkwqe.cn


Analysis of the spam

The domain difjioi.cn is one of hundreds for ED Pill Store. Scam brands aren't trying to build customer loyalty; they're trying to avoid being found by previous dissatisfied customers. In addition, they need to have new sites to spam as fast as others are shut down.

Currently, ED Pill Store domains are registered under a country-code top-level domain, ".cn" (China). TLDs other than the common ICANN-managed ones (.com, .net, .org etc.) don't require much information identifying the registrant. It hardly makes a difference when the registrant is imaginary:

Domain Name: difjioi.cn
Registrant Organization: ???
Registrant Name: ???
Administrative Email: ghrttryty67@qq.com
Sponsoring Registrar: ??????????????
Name Server:ns1.cosageos.com
Name Server:ns2.cosageos.com
Registration Date: 2008-12-31 16:04
Expiration Date: 2009-12-31 16:04

For name servers ns1.cosageos.com and ns2.cosageos.com, you do get registrant information because of the .com TLD. The address information is a bit improbable, though:

Domain Name: cosageos.com
Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
Whois Server: grs.hichina.com
Status: clientHold
Expiration Date: 2010-02-15
Creation Date: 2009-02-15
Last Update Date: 2009-03-02
Name Servers:
ns1.cosageos.com
ns2.cosageos.com

Registrant Name ................. CHEN XIN
Registrant Organization ......... CHENXIN
Registrant Address .............. PUDONGBEILU27
Registrant City ................. sh
Registrant Province/State ....... sh
Registrant Postal Code .......... 200019
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.13770561847 -
Registrant Fax .................. +86.13770561847 -
Registrant Email ................ CHENXIN@SOGOU.CN

This points to two important things to understand. The first is that domain registrations are automated. Even though this domain was registered with a Chinese registrar, the fake Chinese address slipped through because no human being actually looks at most registrations. That's the case with most registrars -- the volume they handle is very high.

The second point is that although this domain is listed as Status: clientHold and can't function as a website, it is still able to function as a nameserver. To inactivate a nameserver, you have to either completely delete the domain name (not a good way to do it -- the spammer can then re-register it with another registrar) or else set the nameservers' "glue records" (IP addresses) to ones not under control of the spammers ("black hole" addresses). Then the nameserver is set to clientUpdateProhibited, clientTransferProhibited, clientDeleteProhibited, and finally clientHold to prevent the spammer from changing anything back.

History

First reported sightings Dec 2006.

Second version of the web site layout appeared in May, 2007.

Analysis

The site (version 1 and version 2) claims to be secure, with a "Secure Server" logo at the bottom of the page (screenshot: EDPillStore secserver).

But when you go to the checkout page, you are asked to provide your ID and credit card details over a non-secure http page, not a secure https page. In a transparent attempt to defraud customers into believing they are on a secure page, the banner at the top portrays a padlock image, simulating a secure page (screenshot: EDPillStore secure).

Version 3 is a different case. It runs on a secure site, with https. This version has an SSL certificate from GeoTrust (screenshots: EDPillStore GeoTrust, EDPillStore SSL, EDPillStore SSL2).

Sample site for analysis: fodrx.com

Looking up the registrant details at http://www.dnsstuff.com/tools/whois.ch?ip=fodrx.com&email=on we find

DNS Servers:   NS1.CHAMBOGOS.COM  NS2.CHAMBOGOS.COM  
Registrant Contact

Name:		paul    gregoire
Address:	175 Montreal Road
                304
                vanier, on  K1L 6E4 
                CA
Email Address:	paulgregoire@coldmail.ca
Phone Number:	(613)255-2162 

Spamhaus lists Paul Gregoire as a known alias for Alex Polyakov at http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7159

Looking up the registrant details for the Name Servers for fodrx.com at http://www.dnsstuff.com/tools/whois.ch?ip=chambogos.com&email=on we find

DNS Servers:   NS1.DNSGOLDONE.COM  NS2.DNSGOLDONE.COM  
Registrant [1649]:
       Gregory William gregw@coldmail.ca
       1808 Bowen road
       109
       Nanaimo
       British Columbia
       V9S 5W4
       CA

Spamhaus lists dnsgoldone.com as a domain registered by Alex Polyakov at http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK6934

Gregory William is another frequent alias for Alex Polyakov, and he has used the same Montreal Rd address:

Domain Name: HOROSCOPEFORCAATS.COM
Administrative Contact:
Gregory William gregw@popaccount.com
Protected Domains Inc.
175 Montreal Road 304
Vanier ON K1L 6E4
CA
Phone: 1-613-482-5333

The building at that address is actually a Playmate strip club.


In the March 2009 "Free Today" site setup, there is no secure ordering, only a prominent banner falsely claiming to have it:

(screenshot: EDCheckout)


Looking at the address in the browser shows it is "http", not "https":

(screenshot: EDnotsecure)


So every computer this order passes through on its way across the internet can record who is ordering these pills, what they're ordering, and what their credit card numbers are.
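The pattern described in this section (a page that displays a padlock and "Secure Server" wording while its order form posts card details over plain http) can be checked mechanically. The following is an added example, not code from the wiki or from any site it describes: it parses a constructed checkout page, resolves each form's action URL, and flags forms that collect card fields without https on both the page and the action. The host checkout.example is a placeholder, and the field-name hints are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed checkout page modelled on the pattern described above: a padlock
# image and "Secure Server" text, but the order form posts to a plain-http URL.
# The host checkout.example is a placeholder, not a real site.
FAKE_SECURE_CHECKOUT = """<html><body>
<img src="padlock.gif" alt="Secure Server"> <b>100% Secure Ordering</b>
<form action="order.php" method="post">
  Card number <input name="cardnumber">
  Expiry <input name="cardexp">
  <input type="submit" value="Order">
</form>
</body></html>"""

# Words that, in visible text or image alt text, amount to a security claim.
SECURE_WORDS = ("secure", "ssl", "padlock", "lock")
# Substrings (assumed) that mark an input as carrying payment-card data.
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "exp")


class CheckoutAudit(HTMLParser):
    """Collects forms (resolved action URL + input names) and any security claims."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self.claims = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(a.get("name", "").lower())
        elif tag == "img":
            self._note_claim(a.get("alt", "") + " " + a.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_data(self, data):
        self._note_claim(data)

    def _note_claim(self, text):
        t = text.strip()
        if t and any(w in t.lower() for w in SECURE_WORDS):
            self.claims.append(t)


def audit_checkout(page_url, html):
    """Return insecure card forms, security claims, and whether the two together look deceptive."""
    p = CheckoutAudit(page_url)
    p.feed(html)
    insecure = []
    for f in p.forms:
        takes_card = any(any(h in n for h in CARD_FIELD_HINTS) for n in f["fields"])
        # Safe only if BOTH the page and the form action use https: a plain-http
        # page can be altered in transit even when its action points at https.
        on_tls = (urlparse(page_url).scheme == "https"
                  and urlparse(f["action"]).scheme == "https")
        if takes_card and not on_tls:
            insecure.append(f["action"])
    return {
        "insecure_card_forms": insecure,
        "security_claims": p.claims,
        "deceptive": bool(insecure) and bool(p.claims),
    }


if __name__ == "__main__":
    print(audit_checkout("http://checkout.example/checkout.html", FAKE_SECURE_CHECKOUT))
```

The "deceptive" flag is deliberately narrow: it fires only when a card-collecting form is not protected by https and the same page advertises security. A page that is merely insecure, without the padlock theatre, is reported through the form list alone.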

How to Report this Spam

The Complainterator is configured to report this spam to the registrars. It automates the process described here.

Do a whois lookup on the domain name spamvertized, to discover the registrar of the web site. Email a complaint requesting that the illegal site be removed.

Do a whois lookup on the domain names used by the name servers that resolve access to the web site. Again, discover the registrar(s) that are sponsoring the access to the web site. Email a complaint to the sponsoring registrar.

Removal instructions

To remove them as name servers, the Address records for ns1 and ns2 need to be changed to a non-routable address, such as 0.0.0.0 or a blackhole address within their own address space.


The registrar then needs to set the status of each of these domains to

  • clientUpdateProhibited
  • clientDeleteProhibited
  • clientTransferProhibited
  • clientHold
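The reporting procedure above (pull the spamvertised URL out of the message, whois the domain for its registrar and name servers, then whois the name servers' own domains) and the removal check (all four client* status codes set and glue addresses pointed at a non-routable "black hole") can be scripted. This is an added example written for this page, not the Complainterator or any tool the wiki describes. It works entirely offline: the whois texts are the two records quoted in "Analysis of the spam", embedded as a constructed lookup table, and the spam sample is the first one quoted above. The two-label "registrable domain" rule and the lookup() stub are assumptions; a real run would replace lookup() with a whois client.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed offline copies of the two whois records quoted on this page
# (difjioi.cn and its name-server domain cosageos.com). In real use, lookup()
# would call a whois library or the whois command instead of this dict.
WHOIS_RECORDS = {
    "difjioi.cn": """Domain Name: difjioi.cn
Registrant Organization: ???
Registrant Name: ???
Administrative Email: ghrttryty67@qq.com
Sponsoring Registrar: ??????????????
Name Server:ns1.cosageos.com
Name Server:ns2.cosageos.com
Registration Date: 2008-12-31 16:04
Expiration Date: 2009-12-31 16:04
""",
    "cosageos.com": """Domain Name: cosageos.com
Registrar: HICHINA ZHICHENG TECHNOLOGY LTD.
Status: clientHold
Name Servers:
ns1.cosageos.com
ns2.cosageos.com

Registrant Name ................. CHEN XIN
Registrant Email ................ CHENXIN@SOGOU.CN
""",
}

# Constructed sample message, copied from the first spam sample on this page.
SPAM_SAMPLE = """From: "FreeViagra" <Hrickety@adobe.com>
Subject: Always be ready to perform in bed

Tireed of peying ridic{|oous prices for Viagra & Cialis?

How about a 100% free Viagra & Cialis?

http://www.difjioi.cn
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Matches "Key: value", "Key:value" and the dotted-leader "Key ...... value" style.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*(?::|\.{3,})\s*(?P<value>.*)$")
REQUIRED_STATUS = {"clientupdateprohibited", "clientdeleteprohibited",
                   "clienttransferprohibited", "clienthold"}


def spamvertised_hosts(message):
    """Hostnames of every URL in the message, lowercased, in order of first appearance."""
    hosts = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname
        if host and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts


def registrable(host):
    """Last two labels of a hostname (assumed heuristic; wrong for suffixes like .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_whois(text):
    """Whois text -> {lowercased key: [values]}; bare lines continue the previous key."""
    fields = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line ends a multi-line field
            continue
        m = FIELD_RE.match(line)
        if m:
            current = m.group("key").strip().lower()
            values = fields.setdefault(current, [])
            if m.group("value").strip():
                values.append(m.group("value").strip())
        elif current is not None:
            fields[current].append(line)
    return fields


def lookup(domain):
    """Offline stand-in for a whois query (assumption: replace with a real client)."""
    return WHOIS_RECORDS[domain]


def first(fields, *keys):
    for key in keys:
        if fields.get(key):
            return fields[key][0]
    return None


def complaint_targets(message):
    """(domain, registrar) pairs to complain to: the spamvertised domain first,
    then the domains of the name servers that serve it."""
    targets, seen = [], set()
    for host in spamvertised_hosts(message):
        domain = registrable(host)
        if domain in seen:
            continue
        seen.add(domain)
        rec = parse_whois(lookup(domain))
        targets.append((domain, first(rec, "sponsoring registrar", "registrar")))
        for ns in rec.get("name server", []) + rec.get("name servers", []):
            ns_domain = registrable(ns)
            if ns_domain in seen:
                continue
            seen.add(ns_domain)
            ns_rec = parse_whois(lookup(ns_domain))
            targets.append((ns_domain, first(ns_rec, "sponsoring registrar", "registrar")))
    return targets


def is_neutralized(status_values, glue_ips):
    """True only when all four client* locks are set AND every glue address is non-routable."""
    statuses = {s.split()[0].lower() for s in status_values}
    locked = REQUIRED_STATUS <= statuses
    dead_glue = bool(glue_ips) and all(not ipaddress.ip_address(ip).is_global for ip in glue_ips)
    return locked and dead_glue


if __name__ == "__main__":
    for domain, registrar in complaint_targets(SPAM_SAMPLE):
        print(f"complain to the registrar of {domain}: {registrar}")
    print(is_neutralized(parse_whois(lookup("cosageos.com"))["status"], ["0.0.0.0"]))
```

Run against the page's own records, complaint_targets() yields difjioi.cn (registrar shown as question marks in the quoted record) followed by cosageos.com (HICHINA), which is exactly the two-step report the text prescribes. is_neutralized() returns False for cosageos.com as quoted, because clientHold alone is not enough: the three other locks are missing and no glue address has been moved off the spammer's space.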


For evidence, you can simply provide this page's URL:

http://www.spamtrackers.eu/wiki/index.php?title=ED_Pill_Store

Related spam operations

Most closely related scam sites are the Herbal King clones Dr. Maxman, Max Gentleman, and Power Gain+.

They share exactly the same set of name servers and were registered at the same time. See, for example, the most recent registrations at the spam tracking site for vayup.com.


SanCash (in early 2008 known as "Etranzmu", the underground sponsor affiliate program related to Genbucks) was shut down by law enforcement agencies in the US, Australia and New Zealand in late 2008, but their brands soon reappeared in defiance of that. Obviously, there is a sponsor paying all those affiliates to spam for these sites. The successor to Sancash is the sponsor organization behind this type of site. They pay spammers to promote it, and they don't shut down illegal spammers.
