Key-Systems is a registrar in Germany.
Description of the Registrar
Key-Systems is an international IT company that currently manages more than 4 million domains for more than 100,000 retail/corporate customers and 2,300 resellers worldwide. Key-Systems' headquarters are located in St. Ingbert, Germany. The company also runs a subsidiary in the USA. Key-Systems' business areas include the retail customer portal domaindiscount24, the reseller portal RRPproxy and the corporate domain portal BrandShelter. In addition, the company runs the TIER III Key-Systems DataCenter and a service for registry operation (KSregistry). Key-Systems is a member of the CentralNic Group PLC.
Anti-Spam Position
Official Position
http://www.key-systems.net/deutsch/registrierungsvereinbarung.html
A registered domain name may be temporarily blocked or deactivated if the customer seriously violates applicable law or this agreement through the content made available under it, or if such a violation has been credibly shown, and the customer does not respond appropriately to the request to remove or modify this content.
Where individual domain names are cancelled or transferred by the customer, because of a breach of the registration terms, on the basis of binding decisions in domain disputes, or for other reasons named in these terms, there is no entitlement to apply for a free replacement domain or to any other refund, unless the cancellation was unlawfully caused by the Registrar through intent or gross negligence. The same applies to other services or additionally booked options relating to the affected domain names.
http://www.key-systems.net/english/registration-agreement.html
A registered domain name can be temporarily blocked or disabled if the customer offends applicable law or this arrangement in a serious manner through the content made available under the domain name or if such an offence was made plausible and Customer does not react to the request to remove or adapt the content accordingly.
As far as a single domain name is canceled or transferred by Customer, due to violation of the registration agreement, due to binding decisions in domain name disputes or due to other causes specified in these conditions, no right to request for a free replacement domain or other reimbursement exists, provided that the termination was not caused illegally by Registrar in a culpable or grossly negligent manner. This also applies to other services or additionally booked options regarding the affected domain names.
Actual Behavior
This registrar has previously acted decisively to remove illegal sites.
Registrar responsiveness
Showing all registrars including R01.RU
Showing all registrars excluding R01.RU
Piechart showing the crime sponsoring contribution by each registrar.
The comparison between this registrar and others can be seen on the graphs.
They show how many domains have not been suspended by various registrars over the past year. The higher the column, the more domains are sponsored by the registrar.
Currently the most abused registrar is Russia's R01.ru. This registrar sponsors the vast majority (often over 60%) of the fraud domains used within the Eva Pharmacy group.
The second most abused registrar is Russia's REG.RU at over 25%.
The next most abused registrar is GKG at 4%.
The next most abused registrar is The Netherlands' Hosting Concepts aka OpenProvider at 3%.
These are followed by Russia's ARDIS, India's PublicDomainRegistry (PDR), China's CNOBIN, Canada's Tucows, and Pakistan's PakNIC.
Outside of Russia, most registrars have been quick to terminate the service contracts with these cyber-criminals upon seeing the obvious evidence of fraud.
Examples of domains used for fraud
These domains were tested on August 14, 2016 and found to be live. The cyber-criminals behind these scams use IP blocking to try to prevent verification of their sites. They block known law enforcement addresses, pharmaceutical company addresses, VISA, Mastercard, Paypal and American Express addresses, registrar addresses, and any IP address that repetitively loads a series of their domains in quick succession. They often use disposable domains whose sole purpose is to redirect to illegal pharmacies running on bullet-proof domains registered in Russia. Most competent registrars have the skills to circumvent these blocking methods, using tunnels, proxies and external IP addresses. Key-Systems appear to lack this ability.
The headings below link to evidence that each domain is being used for fraud.
Some examples taken at random are shown on the right. These were screen captured, using a proxy service to avoid their IP blocking of law enforcement and registrar IP addresses. These may serve other fraud sites at other times, or from other geographies. But any site served is still an illegal fraud pharmacy.
See current live list at Key-Systems_GmbH_list
Canadian Health&Care Mall Suspended
Canadian Neighbor Pharmacy Suspended
trustedaiddeal.be (suspended) herbalfirstmall.eu (suspended)
CanadianPharmacy
annualhealthcareconference.be (suspended) bestherbreward.eu (suspended) bestremedialmart.be (suspended) bestremedialquality.eu (suspended) healingtablettrade.eu (suspended) hotremedystore.eu (suspended) medicalpharmacysales.eu (suspended) mypharmvalue.be (suspended)
My Canadian Pharmacy Suspended
RxExpressOnline Suspended
mypillsassist.eu (suspended) onlineherbalmarket.eu (suspended) medicalonlinesupply.be (suspended) curativehealthsale.eu (suspended)
RxMedications Suspended
mynaturaldealdirect.be (suspended) securemedsinc.be (suspended)
Toronto Drugstore Suspended
bestgenericmarket.eu (suspended)
US Drugs
excellentherbsupply.be Name is available.
Common IP addresses
A quick way to verify these sites is to examine the hosting addresses. Note that * items have been removed. Many compromised hosts used for this operation during September 2020 - May 2021 were located at these IPs.
Where to contact the compromised hosting ISP:
Example of the highest used IP addresses from November 2020
Where to send abuse complaints
abuse@key-systems.net
Web site http://www.domaindiscount24.com/en/company/contact
Please send your complaint to: Fax: +49-6894 93 96 851 E-Mail: abuse@key-systems.net for all abuse reports Or call us on: +49-6894 93 96 850
Additional Contact Information
Postal address
Key-Systems GmbH, Im Oberen Werk 1, St. Ingbert, 66386, Germany
Key-Systems USA, Inc., 604 S. King Street, Leesburg, VA, 20175, USA
Registration Information
Telephone and FAX
Telephone +49 689 4939 6850
Fax +49 689 4939 6851
Related information
Pharmacy fraud operations
- Canadian_Health&Care_Mall
- Canadian_Neighbor_Pharmacy
- My_Canadian_Pharmacy
- Toronto_Drug_Store
- Canadian_Family_Pharmacy
- WikiPharmacy
- International_Legal_RX
- US_Drugs
- Men Health
- RxMedications
- RxExpressOnline
- OEM Software
Affiliate program coordinator employing spammers
Sources for this article
Independent
Interview
Corporate
Facebook http://www.facebook.com/KeySystems
Twitter http://www.facebook.com/KeySystems
Company Homepage http://www.key-systems.net