VIP Pharmacy

Description

Another fake pharmacy in the Bulker.biz (now bulkerbiz.com) tradition. Credit card information is unsafe. The site makes false claims:

• Awards are false.
• It claims to be a licensed online pharmacy, but displays no license.
• It claims to be secure, with a Thawte logo, but the ordering page is unsecure http.

False Pretenses

Like many fake sites, VIP Pharmacy makes false claims to use security when transferring credit card details

Please, enter all your billing information as it appears at your card. All fields are required. All the information you enter 
into this form will be sent to the server through 128-bit secure connection at the final step.

However, the site shows the page for entering sensitive credit card data as "http" - making this an obvious false claim.

Fake Registration

Like other Bulkerbiz.com family sites, VIP Pharmacy uses identity theft to register its domain names and stolen credit/debit cards to pay for those registrations. Victims whose personal information has been used to register one of these sites should follow the steps outlined here.

Sponsoring Registrars

Domains and name servers are typically registered across multiple registrars. While Xin Net and Moniker were previously regularly used for nameserver domain registrations, their increased responsiveness to abuse complaints appears to have encouraged Bulkerbiz.com to rely on Naunet, which does not suspend domains, and Beijing Innovative, which has spam filters on its abuse reporting mailboxes.

Example: domain wsrepredent.net Domain registered with The Name It Corp. d/b/a/ Nameservice.net (AITDomains)

• ns1.citelixir.com (Beijing Innovative Linkage Technology d/b/a dns.com.cn)
• ns1.dustkeeneyed.com (Xin Net)
• ns2.kindnessfus.ru (NAUNET-REG-RIPN)

Example: domain sclafermarch.com Domain registered with Enetica Pty. Ltd.

• ns1.forgerdub.com (Beijing Innovative Linkage Technology d/b/a dns.com.cn)
• ns2.fogsignalvoy.com (Beijing Innovative Linkage Technology d/b/a dns.com.cn)

History

Older VIP Pharmacy site	Newer VIP Pharmacy site	2009 Version
Older format	Newer format	2009 format
Uses hijacked host, eg	Also uses hijacked host, eg	Branded as Viagra Professional
http://217.170.77.210:8080/e/ct/images/mid_07.jpg	http://217.170.77.210:8080/e/cv/images/logo.gif	but copyright is for VIP Pharmacy
("mid_07" refers to its location in the
page's table format, not the date it was used)

As with all Bulkerbiz.com brands, the images can be accessed from any of the image servers that any of their other brands currently use (until such servers are disinfected of their trojan horse viruses). For example:
http://77.245.149.25:8080/e/ct/images/mid_07.jpg can be seen using the IP address of an active hijacked image server used by multiple other brands on multiple domains.

Related Brands

In early 2008, two brands began to be noted following the typical patterns of the other Bulkerbiz.com sites. Interestingly, these brands appear to have existed since early 2007, but the surviving older sites for these brands do not use the Bulkerbiz.com nameservers or image servers. However, in all cases, the words "VIP Pharmacy" appear at the bottom of the page to identify the brand, so it does not appear to be the case that the older sites are unrelated operations which were simply copied by Bulkerbiz.com. No spam for these related brands has been observed yet, but they are clearly part of the same operation.

Super Viagra Also Known as Cialis	Viagra Professional Tabs
S Viagra Also Known as Cialis	Viagra Professional Tabs
images loading from hijacked hosts: http://212.154.24.92:8080/e/sv/images/photo.jpg	images loading from hijacked hosts: http://81.255.2.195:8080/e/vp/images/main_08.jpg

In July, 2008, spam for the Cialis Soft Tabs brand reappeared, featuring the older VIP image. At the bottom of the page for these sites is the notice "© VIP Pharmacy, 2001-2008."

Cialis Soft Tabs, July 2008

Cialis Soft Tabs

images loading from hijacked hosts: http://204.186.146.60:8080/e/ct/images/mid_07.jpg

In the case of these three minor brands, although they are not spammed, the characteristic features of Bulkerbiz.com domains are seen:

• Nameservers reside on the same IP addresses
• Websites reside on the same IP addresses
• Images load from the same IP addresses
• Domains are registered using stolen identities rather than fictitious names
• Domain names are the same as other Bulkerbiz.com domains but using different TLD's

The Eva Discounts brand is atypical, but exploring the directory heading leads to pages with more familiar appearances and with images hosted on the common servers.

Eva Discounts, November 2008

Eva Discounts

images loading from hijacked hosts: http://194.67.28.170:8080/e/vt/images/ppl.gif

In addition to the identity theft, which includes payment using stolen credit/debit cards, the servers are known to be hijacked Unix servers. These features mark these brands as part of an illegal operation. Any such domains should be suspended whether spammed or not.

Canadian Health&Care Mall, another Bulkerbiz.com brand with more dramatically fraudulent websites, currently shares many domains with VIP Pharmacy. Example:

• http://sarpletgans.com/ is VIP Pharmacy.
• http://sarpletgans.com/ch/ is Canadian Health&Care Mall.

Sample Spam

Warm Greetings!!!
Unequalled proposition for you Dear Clients!!!
Only these 5 days for our clients unthinkable offer!!!
On all preparations you want!!!

Fill in your life with colours of bliss!!! 
http://elcahm.encalkulat.com/?bdfgijkahmxowquyelzchcmc

Yours truly,
Online association of pharmaceutists

For Cialis Soft Tabs:

Subject: Cheapest cialis

Cheapest cialis - http://www.orterbaydym.com/

How to Report this Spam

The Complainterator is configured to report this spamming operation.

Sponsor Organization

Bulker.biz is the sponsor organization behind this type of site. They pay spammers to promote it, and they don't shut down illegal spammers.

Related spam operations

See: Bulker.biz