Description[]
ED Express was first noticed in October 2007. It displays a copyright statement for Canadian Pharmacy.
However, there is sufficient evidence to attribute this spam brand to Vincent Chan - the author of the ED Choice brand.
Variants[]
ED Express sites have a variety of appearances. It also may be called "Pills for Men" or "United ED Meds." All variants load images from a common domain, such as waklazr.net, or a common IP address (212.95.37.136 or 94.229.65.172). They also share a common "monthly special" marketing device.
False Pretenses[]
False: "Safe as Fort Knott" secure link claim[]
In a laughable display of ignorance, the spam site developer repeats the same error as seen in other scams including ED Choice. Once again he confuses the US gold repository with the Knott's Berry Farm family entertainment site near Disneyland in Los Angeles, in an attempt to impress people with the site's security.
To make it worse, he refers to "world wide known processor MyPaySystems.com" which is unfortunately known for all the wrong reasons.
- They went out of service in 2004 when they were discovered to be a false front for scammers.
- RipOffReport has this report against sister site ED Choice, and their lack of service or reliable products.
But it gets even worse than that. When you go to their checkout page you are expected to enter your identity details and your full credit card information on a page using non-secure http instead of secure https despite the previous assurances of security - another example of fraud.
False: Claim to be Canadian[]
The copyright notice would lead you to believe that this site is somehow related to Canada. But in the Frequently Asked Questions link there is some conflicting information:
Spam Examples[]
Subject: "Re: ClALnlS - $ 1.45 (arrears superpose) VilAGRA - $ 1.29"
Subject: "RE: CltALlS : $ 2.53; VlAGRtA : $ 1.34 quest"
Spam emails include a footnote promoting a legitimate site. That URL may be picked up by Spamcop.net and reported as a spammed URL if the reporter is not alert when confirming the report.
Redirections[]
Microsoft spaces.live.com[]
In February 2010, spammers began using redirection abuse on Microsoft's free hosting service Spaces.live.com. The redirection target was canadapharmsite.com registered on INTERNET.BS CORP by Registrant
Ksenia Siniceva Kondrikova str. 6-219 620143 Zavoljsk Russia Tel: +7.3912488322
Storm Trojan[]
As at March 21, 2008, Storm Trojan infected machines were found to be redirecting to four different fake pharmacy sites using the format http://xxx.xxx.xxx.xxx/anything/
- Pharmacy Express
- ED Express
- United ED Meds
- Canadian Pharmacy
For ED Express, the redirection sites detected were
- superwildside.com
- darksidehq.com
Sponsoring Registrars[]
Name Servers[]
- ns2.edutechjournal.com [200.153.184.37] Registrar = Beijing Innovative Linkage Technology
- ns1.edutalkonline.com [81.198.156.22] Registrar = Beijing Innovative Linkage Technology
- ns1.chinadotedu.com = Registrar Beijing Innovative Linkage Technology
- ns2.greateducaton.com = Registrar Beijing Innovative Linkage Technology
Spamvertized Sites[]
- Site = theloglady.com Beijing Innovative Linkage Technology (Uses image server oleoneg.info)
- Site = dovewoodmj.cn Registrar = 厦门华商盛世网络有限公司 = Bizcn
- Site = theregulusesworld.com Registrar = Beijing Innovative Linkage Technology (Uses image server waklazr.net)
Some of the other multiple domains spammed within a three day period:
- ansarcg.cn
- chevybl.cn
- limperda.cn
- eggfishbd.cn
- yourgovgrants.com
- puttruelandlate.com
- eshowdesign.com
These examples from March 2009 use two name servers registered with Russian providers
- * ns1.hostpharmacytechnician.com (Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU)
- * ns2.cheapfaxserver.com (Registrar: CENTROHOST CLOSED JOINT STOCK COMPANY)
- goodcarecard.at
- fullwelfare.at
- fullshoppinglist.at
- fullspectrumdirect.at
- globalfitlist.at
- globalairmed.at
- gisro.at
- globalindexcast.at
- globalcoachlist.at
- globalindexus.at
- fullmedicalnetworks.at
- fullmedicalhelp.at
- fullmedicalcare.at
Web site registrant details:
personname: Aleksandr Belkov organization: street address: Molodezhnaya str. d.9 kv.1 postal code: 152061 city: Sereda country: Russland phone: +74853161263 fax-no: +74853161263 e-mail: sashabel@ipanda.info
Image Servers[]
- Site = waklazr.net Registrar = MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE for Yahoo.com
waklazr.net has address 68.142.212.117, 68.142.212.118, 68.142.212.119, 68.142.212.120, 68.142.212.121, 68.142.212.122 waklazr.net mail is handled by mx5.biz.mail.yahoo.com and mx1.biz.mail.yahoo.com.
- Site = oleoneg.info Registrar = blog.com Digital Communications Inc.
Typical Fake WHOIS Contact Information[]
Domain Name.......... bestbobleonard.com Creation Date........ 2008-01-27 13:28:05 Registration Date.... 2008-01-27 13:28:05 Expiry Date.......... 2009-01-27 13:28:05 Organisation Name.... Sevila FC Organisation Address. Spain City Organisation Address. Organisation Address. Bulgaria Organisation Address. 45214 Organisation Address. WG Organisation Address. BG
How to report this spam[]
The Complainterator is configured to request removal of these fraudulent sites. Add a link to this page as evidence. Image servers should be reported directly to the responsible registrar.
Evidence to include:
- Any violations of your country's anti-spam laws (such as forged "from" fields or lack of contact information/unsubscribe information in the U.S.)
- Violations of terms of service of registrar (many of the image servers have been on Yahoo servers and are quickly taken down by that company for acceptable use violations)
- Advertising counterfeit generic versions of drugs that are still under patent (patent law violation)
- Use of the name/image of those drugs without authorization from the manufacturers (trademark violations)
- False whois information, if you are able to contact the person listed in the whois info by phone or mail (not email)
- If there is any evidence of botnet activity, as shown by sites with multiple/frequently changing IP addresses (although not observed for this site, it is a common occurrence with the site "Canadian Pharmacy")
Related spam operations[]
The "Fort Knott security" gaffe can be used as a "fingerprint" to locate other spam brands most likely from the same author.
- dovewoodmj.cn Pills for Men
- savssatbc.cn United ED Meds
- 2oqwplqcp8qgllkvpkkv7k22.crevicedin.cn ED Choice
ED Choice is the fore-runner to this spam brand. All of the above related spam operations are attributable to the same source, Vincent Chan.
Sharing the same IP Address
- Pharmacy Express
- ED Express
- Viagra Express
No known relation: ED Pill Store
Refer to the captured screen image. In 2011, spammer affiliates who registere with the Mailien spamming program were presented with pharmacy operations to select from. These included
- Canadian Pharmacy
- ED Express
- Pharmacy_Express