This purports to be a Manitoba Pharmacy Association licensed pharmacy. Newer site templates (year: 2011) falsely claim certification with:
- APhA - American Pharmacy Association
- AUA - American Urology Association
- Texas Board of Pharmacy
The actual name in the last case would be "Texas State Board of Pharmacy" as seen at http://www.tsbp.state.tx.us
However, it is widely believed to be a credit card theft scam - fronted by a fake pharmacy retailer.
Men's Health or Men Health or Men+ Health: Judging by the name servers used, this is clearly another of ROKSO listed #2 most wanted Cyber criminal Alex Polyakov's site, used for identity theft and credit card theft. If any of his pharmacy product ever gets delivered, it has been found to contain placebos (sugar pills).
The whole site is full of lies.
Men Health displays a fake license, LICENSE NO 03161490 from the Manitoba Pharmacy Association (MPhA).
- Manitoba Pharmacy Association License is faked.
- The ordering transaction is not secure.
- The Verisign logo is misused.
When you click on the verisign logo, you expect to be taken to the Verisign site to display its validity. Here, the link goes back to the same site. The information displayed has been fraudulently modified to try to obscure that fact that it has been tampered with.
To ensure that this is a legitimate Soltrus Secure Site, make sure that: 1. The original URL of the site you are visiting comes from Men+ Health 2. The status of the Server ID is Valid.
To ensure that this is a legitimate Soltrus Secure Site, make sure that: 1. The original URL of the site you are visiting comes from <name here> 2. The URL of our secure pages are https://<custom URL here> which will appear when you click on the first continue button during the ordering process. 3. The status of the Digital ID is Valid.
For your best security while visiting sites, always make sure the address of the visited site matches the address you are expecting to see. Make sure that the URL of this page begins with "https://seal.verisign.com"
WARNING: Placing an order on this site is giving your full credit card details to the Internet's worst criminal. If you have made that mistake, cancel your credit card immediately.
The license link on the site, links back to the same site, and displays a certificate supposedly issued by the Manitoba Board of Pharmacy. The image shown here has the same site name as the fake pharmacy site in the address bar.
Proof of fake licenseEdit
|The signatory on the older fake license, Michael N. Dort is not listed on the MPhA site.
The company name listed in the certificate is "(applicant)" !
In the more recent fake license, the board is wrongly titled "Texas Board of Pharmacy" whereas the actual genuine board is known as the "Texas State Board of Pharmacy"
Like other Yambo family sites, CH&CM uses identity theft to register its sites. Victims whose personal information has been used to register one of these sites should follow the steps outlined here.
This information no longer applies, but is included for historical purposes.
- Hijacked name servers
- Hijacked web sites
- Hijacked image servers
- All use the same name servers
- Name servers are typically 4 in number, and are registered with a subset of registrars
- Several new sites may be registered and spamvertized every day
- Hijacked sites use identical proxy servers to redirect DNS and http requests to back-end servers
- Hijacked sites have a firewall setting to prevent access from specific addresses such as FBI and Visa
Proof that the site uses image servers
If you load a page, right mouse click on any product image, and select copy image location you can see where images are stored. FOrmerly they were hosted on another hijacked host such as http://220.127.116.11:8080/mh//shop/images/cialisst-52.gif or http://18.104.22.168:8080/mh//shop/images/viagraprofessional_m.gif for example. The selection of the hijacked image servers is within some Java script code:
<script id=img_redir> var urls=new Array(); /**rdr urls*/ urls.push('http://22.214.171.124:8080/mh/'); urls.push('http://126.96.36.199:8080/mh/'); urls.push('http://188.8.131.52:8080/mh/'); urls.push('http://184.108.40.206:8080/mh/'); urls.push('http://220.127.116.11:8080/mh/'); /**rdr urls*/ </script>
Later, the images were placed on a specific server at safetrade.biz, another unlicensed pharmacy, whose domain name is registered with Sponsoring Registrar: INTERNET.BS CORP. by a registrant giving an address in the British Virgin Islands. The web site's contact page lists contact numbers also found for the Online Pharmacy fraud - US 1-800-819-0609 and UK 44-808-234-1713
Related Spam OperationsEdit
Proxy Image ServersEdit
At the time of writing, all of these hijacked image servers were simultaneously in use for the following sites
Sample sites and registrars sponsoring themEdit
bestmedicalcompany.ru biologicalherbsinc.ru canadianpharminc.ru canadianrxstore.ru curingonlinegroup.ru curingtrustedtrade.ru excellentrxprogram.ru familyhealingsale.ru familyremedygroup.ru fastcuringprogram.ru fastmedicatingmarts.ru firstcurativedeal.ru genericsmartgroup.ru generictabsprogram.ru gooddrugsupply.ru goodgenericgroup.ru healingfastservice.ru homeremedyservice.ru hotmedicinalsupply.ru magicnaturalmall.ru magicpillservices.ru medicalfastprogram.ru medicalmedsservices.ru medicatingpharminc.ru medicativecareeshop.ru myherbsservices.ru mymedicatingtrade.ru mytreatmentservices.ru naturalsmartdeal.ru organichealthtrade.ru organicremedyvalue.ru organicsmartinc.ru privaterxsupply.ru remedialpillssale.ru remedialrxvalue.ru safecuringpurchase.ru safedrugssupply.ru secureaidassist.ru securedrugsquality.ru securepillsquality.ru smartherbtrade.ru thebiologicalmart.ru thecanadiantrade.ru theremedyservice.ru thetrustedpillsassist.ru youraidquality.ru yourgenericsquality.ru
cappharmacyrx.ru (suspended) fitnessdrugstoretablets.ru (suspended) pillsdrugspharmacy.ru (suspended) smilad.ru (suspended) wryn.ru (suspended)
dietprescriptiongroup.com (suspended) myprescriptiongenerics.in (suspended)
How to Report this SpamEdit
See the Complainterator which is specifically configured to report this spamming operation.
Related spam operationsEdit