Fraud Reports Wiki

Description

[Images: ED Express; ED Express 2011]

ED Express was first noticed in October 2007. It displays a copyright statement for Canadian Pharmacy.

[Image: Copyright Canadian Pharmacy]

However, there is sufficient evidence to attribute this spam brand to Vincent Chan - the author of the ED Choice brand.

Variants

ED Express sites have a variety of appearances, and the brand may also be called "Pills for Men" or "United ED Meds." All variants load images from a common domain, such as waklazr.net, or a common IP address (212.95.37.136 or 94.229.65.172). They also share a common "monthly special" marketing device.

[Images: ED Express variants 1 to 9]

False Pretenses

False: "Safe as Fort Knott" secure link claim

In a laughable display of ignorance, the spam site developer repeats the same error as seen in other scams including ED Choice. Once again he confuses the US gold repository with the Knott's Berry Farm family entertainment site near Disneyland in Los Angeles, in an attempt to impress people with the site's security.

[Image: False security: Fort Knott and MyPaySystems]

To make it worse, he refers to "world wide known processor MyPaySystems.com" which is unfortunately known for all the wrong reasons.

But it gets even worse than that. When you go to their checkout page you are expected to enter your identity details and your full credit card information on a page using non-secure http instead of secure https despite the previous assurances of security - another example of fraud.

False: Claim to be Canadian

The copyright notice would lead you to believe that this site is somehow related to Canada. But in the Frequently Asked Questions link there is some conflicting information:

[Image: FAQ geographical location claims - London and India]

Spam Examples

Subject: "Re: ClALnlS - $ 1.45 (arrears superpose) VilAGRA - $ 1.29"

Subject: "RE: CltALlS : $ 2.53; VlAGRtA : $ 1.34 quest"


Spam emails include a footnote promoting a legitimate site. That URL may be picked up by Spamcop.net and reported as a spammed URL if the reporter is not alert when confirming the report.

Redirections

Microsoft spaces.live.com

In February 2010, spammers began using redirection abuse on Microsoft's free hosting service Spaces.live.com. The redirection target was canadapharmsite.com, registered on INTERNET.BS CORP by Registrant:

   Ksenia Siniceva
   Kondrikova str. 6-219
   620143 Zavoljsk
   Russia
   Tel: +7.3912488322

Storm Trojan

As at March 21, 2008, Storm Trojan infected machines were found to be redirecting to four different fake pharmacy sites using the format http://xxx.xxx.xxx.xxx/anything/

For ED Express, the redirection sites detected were:

  • superwildside.com
  • darksidehq.com

Sponsoring Registrars

Name Servers

Spamvertized Sites

  • Site = theloglady.com Registrar = Beijing Innovative Linkage Technology (Uses image server oleoneg.info)
  • Site = dovewoodmj.cn Registrar = 厦门华商盛世网络有限公司 = Bizcn
  • Site = theregulusesworld.com Registrar = Beijing Innovative Linkage Technology (Uses image server waklazr.net)

Some of the other multiple domains spammed within a three day period:


These examples from March 2009 use two name servers registered with Russian providers:

  • ns1.hostpharmacytechnician.com (Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU)
  • ns2.cheapfaxserver.com (Registrar: CENTROHOST CLOSED JOINT STOCK COMPANY)

Web site registrant details:

personname:     Aleksandr Belkov
organization:
street address: Molodezhnaya str. d.9 kv.1
postal code:    152061
city:           Sereda
country:        Russland
phone:          +74853161263
fax-no:         +74853161263
e-mail:         sashabel@ipanda.info

Image Servers

  • Site = waklazr.net Registrar = MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE for Yahoo.com
    waklazr.net has address 68.142.212.117, 68.142.212.118, 68.142.212.119, 68.142.212.120, 68.142.212.121, 68.142.212.122
    waklazr.net mail is handled by mx5.biz.mail.yahoo.com and mx1.biz.mail.yahoo.com.
  • Site = oleoneg.info Registrar = blog.com Digital Communications Inc.

Typical Fake WHOIS Contact Information

Domain Name.......... bestbobleonard.com
 Creation Date........ 2008-01-27 13:28:05
 Registration Date.... 2008-01-27 13:28:05
 Expiry Date.......... 2009-01-27 13:28:05
 Organisation Name.... Sevila FC
 Organisation Address. Spain City
 Organisation Address.
 Organisation Address. Bulgaria
 Organisation Address. 45214
 Organisation Address. WG
 Organisation Address. BG

How to report this spam

The Complainterator is configured to request removal of these fraudulent sites. Add a link to this page as evidence. Image servers should be reported directly to the responsible registrar.

Evidence to include:

  • Any violations of your country's anti-spam laws (such as forged "from" fields or lack of contact information/unsubscribe information in the U.S.)
  • Violations of terms of service of registrar (many of the image servers have been on Yahoo servers and are quickly taken down by that company for acceptable use violations)
  • Advertising counterfeit generic versions of drugs that are still under patent (patent law violation)
  • Use of the name/image of those drugs without authorization from the manufacturers (trademark violations)
  • False whois information, if you are able to contact the person listed in the whois info by phone or mail (not email)
  • If there is any evidence of botnet activity, as shown by sites with multiple/frequently changing IP addresses (although not observed for this site, it is a common occurrence with the site "Canadian Pharmacy")

Related spam operations

The "Fort Knott security" gaffe can be used as a "fingerprint" to locate other spam brands most likely from the same author.

  • dovewoodmj.cn Pills for Men
  • savssatbc.cn United ED Meds
  • 2oqwplqcp8qgllkvpkkv7k22.crevicedin.cn ED Choice

ED Choice is the fore-runner to this spam brand. All of the above related spam operations are attributable to the same source, Vincent Chan.
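
A defender-side check built from the indicators this page lists (the shared image servers, the "Fort Knott" phrase and the plain-http order form), given as an added example that is not part of the original wiki page. The function name, indicator labels and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Indicators taken from this page; extend as new image servers are observed.
IMAGE_HOSTS = {"waklazr.net", "oleoneg.info", "212.95.37.136", "94.229.65.172"}
FINGERPRINT_PHRASE = "fort knott"

class _Collector(HTMLParser):
    """Collects image sources, form actions and visible text from a page."""
    def __init__(self):
        super().__init__()
        self.img_srcs, self.form_actions, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.img_srcs.append(attrs["src"])
        elif tag == "form":
            self.form_actions.append(attrs.get("action") or "")

    def handle_data(self, data):
        self.text.append(data)

def ed_express_indicators(page_url, html):
    """Return the sorted names of the indicators (hypothetical labels) that match."""
    c = _Collector()
    c.feed(html)
    hits = set()
    for src in c.img_srcs:
        host = (urlparse(urljoin(page_url, src)).hostname or "").lower()
        # Match the host itself or any subdomain of a listed image server.
        if any(host == h or host.endswith("." + h) for h in IMAGE_HOSTS):
            hits.add("shared_image_server")
    # Collapse whitespace so a phrase split across lines or tags still matches.
    if FINGERPRINT_PHRASE in " ".join(" ".join(c.text).lower().split()):
        hits.add("fort_knott_phrase")
    for action in c.form_actions:
        # An empty or relative action inherits the scheme of the page itself.
        if urlparse(urljoin(page_url, action)).scheme == "http":
            hits.add("plain_http_form")
    return sorted(hits)

# Constructed sample page (not captured from a real site).
SAMPLE = """<html><body><img src="http://img.waklazr.net/b/logo.gif">
<p>Your order is safe as Fort
Knott with our secure link.</p>
<form action="/checkout.php" method="post"><input name="cc"></form></body></html>"""
```

Calling `ed_express_indicators("http://shop.example/", SAMPLE)` returns all three labels; a page that matches several at once is a stronger lead for a report than any single indicator.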

Mailien-options

Sharing the same IP Address

No known relation: ED Pill Store

Refer to the captured screen image. In 2011, spammer affiliates who registered with the Mailien spamming program were presented with pharmacy operations to select from. These included
