Showing posts with label illegal pharmacy. Show all posts

Thursday, February 5, 2009

Glavmed responds - re: my Open Letter.

Welcome Glavmed affiliates who are linking here directly from the Glavmed site. :)

For a very brief period of time yesterday (Feb. 4th, 2009) the following claims were posted on many pages of the Glavmed portal site, making it clear that they are seeing some negative attention as a result of my open letter:

We've received a few links from our partners, containing an open letter. This letter was published at http://ikillspammers.blogspot.com/2009/02/glavmed-open-letter-to-law-enforcement.html. This is far from the last time, when apparently our business rivals try to defame our partnership programme. But this is the first time, when they appeal to The FTC, The FDA and other law organisations.

We, Glavmed, want to make a statement, that all the allegations of this letter are absolutely false and incorrect. They denigrate the honour, dignity and business reputation of our company.

We'd like to answer this open letter item by item:

1.Glavmed don't sell, have never sold and will never sell any pills. Glavmed are CEO partnership programme, which run a network of online-shops. Its main task is accepting of buyers' order und data. We have a few commission contracts with well-known, absolutely licensed drug stores. We transfer this order to them for its execution. Glavmed's task is attracting of new customers and transferring their orders to these drug stores. After receiving the commission from these drug stores we share it with our partners. We don't sell pills. That makes a great difference.

2.Glavmed have clear rules against spam and viral spreaders. We've never accepted such traffic. All such accounts have been instantly banned or cancelled. It's very easy to check. Just register and try to spread spam!

3.Glavmed are really well-known long existing partnership programme. Unfortunately we have some problems. The schemes and designs of our sites are being constantly copied and stolen. A lot of our dishonest business rivals give their sites to be ours, copying everything - graphic designs, file names and product descriptions.

4.Our rivals allege that our drug stores' products have low quality. This is totally lie and defamation. We can show hundreds of feedbacks, proving high quality of our products. We also have independent test results. They prove that our products are being produced by indinan laboratories and up to claimed quality.

Unfortunately we can foresee the further organized pressure against our partnership programme, because normal business competition can't be provided by them. We really take care of our partners and our customers.


This message was removed sometime between yesterday and today. It is unclear why, although I would guess that they didn't want their own affiliates reading my posting. I and other researchers have also noticed that they are now blocking very specific IP addresses from viewing the Glavmed website.

A couple of obvious corrections need to be made right off the bat:

a) The letter was not written to you, Glavmed representatives. It was written to law and drug enforcement agencies, as well as the media who have been researching this.

b) I am absolutely not a "business rival".

c) I am not the only one who has been researching your organization. My letter is an account of the known, researched, verifiable facts regarding the scourge of unwanted Canadian Pharmacy websites. If I were trying to defame you, I wouldn't have nearly as much factual evidence in my letter.

So in response, I'll counter their bogus response point by point.

1. Glavmed claims on their front page (and I'm of course not altering their horrendous spelling and grammatical mistakes):

GlavMed is a BEST way to convert your pharmacy traffic into real money. Forget about miserable sums you're getting sending your visitors to PPC pharmacy results.

You're loosing at least half of YOUR money converting traffic like this. GlavMed offers you a possibility to eliminate any agents and sell most popular pharmacy products directly. It means 30-40% revenue share. features & benefits


Note: sell most popular pharmacy products directly. Which is it? Are they selling them or not?

Whether they sell the drugs themselves or not is ultimately irrelevant. They are part of a long chain that gets illegally-produced FAKE and harmful versions of these products into the hands of unwitting members of the public. There are copious amounts of evidence to support this, and they know it.

Glavmed is an affiliate program. They get their affiliates (aka: spammers) to promote (aka: spam) the websites (hosted via rampant viral PC infections) to sell fake drugs to unwitting victim customers. Who do they send that order data to? They don't say. But they know who that is, and they know that they are taking these orders without any consultation with any pharmacist. They also do all of this with absolutely ZERO security or encryption, so you can imagine how they're treating the rest of your personal data.

2. Sure, they state on their website that they don't allow spamming, but as I mentioned: they removed any of the postings which made it clear that very active spammers are indeed a part of their program. Nowhere do we find ANY postings within their forum about any actual action taken against spammers. Literally everyone with an email address will know that Canadian Pharmacy is THE most spammed property on the Internet today, and has been for three years and counting. If they don't allow spammers, why is it still the most commonly found spam in the world today? You can have rules all you like. If you're not enforcing them: what does it matter?

As an aside, I and many other individuals have been complaining to Glavmed under numerous identities starting in May of 2008. I have personally sent, using numerous of my accounts, at least 25 very detailed complaints regarding spam messages I have received between May 2008 and January 2009. Guess how many responses I've gotten? Guess how much "action" I've seen on behalf of Glavmed, or anyone else claiming to represent this operation? ZERO! Guess where their abuse-reporting pages are on their site? THEY DON'T HAVE ANY!

This claim is utterly false. They take zero action regarding their KNOWN spamming affiliates, and they never will.

3. If Glavmed has been aware all this time that so-called third parties were ripping off their site designs, functionality and everything else: why haven't they drastically changed their entire design, branding, etc., or made ANY public statement regarding any of this? Why did they wait until someone like me exposes the whole setup for the obviously fraudulent operation that it is? This is an outright lie.

4. Again I will link to actual evidence (source), on behalf of a reputable company -- Ironport -- who placed orders from one of these sites, and gave the pills they received to a lab for analysis:

False Drugs Purchased

IronPort researchers followed the trail they uncovered and ordered sample pills from a pharmacy source in India. They then had an independent lab analyze the contents. The pills IronPort ordered contained sugar and some inert filler, Bhandari said.

A second test sampling from another online pharmacy purchase contained high metal content. The substances could be very harmful to unsuspecting consumers, he said.

IronPort-sponsored pharmacological testing revealed that two-thirds of the shipments contained the active ingredient but were not the correct dosage, while the others were placebos. As a result, consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors, according to IronPort.


So in light of this report: I don't believe a single word Glavmed says, and I don't think anyone else should either.

Keep in mind: this is only one such report. There are others.

I notice that they completely ignore any mention of concern over the rampant illegal spamming which continues on behalf of Canadian Pharmacy, nor do they even broach the subject that as recently as October 2008 their site templates still contained bogus "sponsorship logos" on behalf of the Better Business Bureau, Verified By Visa, and Pharma Checker, nor do they mention that they were making very public statements that they knew full well that all of these logos were not being used appropriately.

The Spamtrackers wiki entry for Glavmed contains a screenshot of the Glavmed sites page dating from July 2008 which shows the Canadian Pharmacy layout still featuring the bogus sponsor logos. (source.)

In addition: this howler of a claim:

"We can show hundreds of feedbacks, proving high quality of our products. We also have independent test results. They prove that our products are being produced by indinan laboratories and up to claimed quality."

Their claim that they have all kinds of feedback saying how great they are is meaningless.

Which "indinan laboratories"? Which "independent test results"? On behalf of whom? Published where, exactly?

Of course they will never say.

What about third-party, verified claims and lab tests that your products are genuine? What about third-party reports that your servers actually are secure? If I'm selling you a car and you ask me for verification that the car is in road-ready shape and is safe to drive, I can't just start typing you a recommendation myself. I would need a third party inspector to verify that my claims that this vehicle was safe were in fact true. Glavmed doesn't do this, nor have they ever.

"We really take care of our partners and our customers."

Really? I know for a fact that numerous of your customers would very much beg to differ.

Clearly my letter has hit a nerve. As usual, their response, as with many obvious spam operations, is more concerned with damage to their profits than anything to do with public safety, or the security of your personal data.

Glavmed's claims are theirs alone, verifiable by nobody, and easily countered point by point as being verifiably false.

I stand behind every word of my posting. This is not defamation. Again: I am only one individual, but my posting links to research performed by literally dozens of others, from a very wide variety of technical, medical, security and other backgrounds.

Use your own judgement: Glavmed, and the entire operation they support, are liars and part of a criminal operation. The proof isn't just in my open letter. It's all over the place.

SiL / IKS / concerned citizen

Monday, February 2, 2009

Canadian Pharmacy and Glavmed: An Open Letter To Law Enforcement, The FTC And The FDA

To whom it may concern (and ultimately it concerns all of you.)

I write today to petition your attention towards a large-scale international illegal pharmacy operation known as Glavmed.

Glavmed are the sponsor program promoting the very-widely-spammed property known as "Canadian Pharmacy". (Hereinafter referred to as "CPh".) If you have an email address of any sort, it is very likely that you're at least mildly aware of Canadian Pharmacy. It's the most commonly spammed property on the Internet today, and shows no signs of slowing down whatsoever. CPh has been relentlessly spammed to millions of recipients for the past three years. Here is a screenshot of a currently spammed domain, dadsymbol.com:



Please note that depending on your geographic location, this same domain will appear as "Canadian Pharmacy", "European Pharmacy", and a variety of other variations on that brand name. They do this by using geographic sensing of inbound IP addresses to the site. The overall layout and functionality remains the same.

The Websites

On the surface this appears to be a fairly innocuous website selling what appear to be legitimate pharmaceutical products. However a little further examination proves that this is a site selling fake, knock-off, imitation versions of some fairly widely-sold pharmaceutical products such as Viagra and Cialis. The clue that this is not legitimate is that they also sell the following products:


  • Viagra Professional

  • Cialis Professional

  • Viagra Super Active

  • Cialis Super Active

  • Viagra Soft Tabs

  • Cialis Soft Tabs

  • VPXL

  • Levitra Professional

  • Levitra Super Active



None of these products have ever been produced by the actual originators of the original Viagra or Cialis. These products have only been sold from shady, illegitimate online pharmacies.

Add to this that they have creatively spelled the names of one or more dangerously addictive and harmful products such as "Phentrimine", and offer another bogus version of this same product named "Herbal Phentermine", and it becomes clear that this is a company which is distributing products of dubious origin and manufacture.

All of these products are sold without the need for any prescription, which violates several FDA regulations, especially for the sale of controlled substances such as phentermine.

Further (although technically speaking this is less of an issue than the risk to public health and safety): these sites' continued use of the brand name "Viagra" is in violation of the trademark and intellectual property rights of Pfizer, who owns the Viagra name and the patent on its particular medicinal formula. There is no such thing as "generic" Viagra, nor has there ever been. It is not legal to make -- or claim to make -- Viagra while Pfizer still holds the patent. The same is true of Cialis and Levitra.

Sales of these alleged "generic" pharmaceuticals violate the law in most countries around the world. Sale of these products in their legitimate form without consultation with a physician or a registered pharmacist is also illegal, and violates several sections of the FDA act.

Finally: sale of controlled substances - phentermine definitely qualifies, but again: who knows what's actually in the pills this "company" is selling to you? - is also against the law when done so without any registered pharmacist or a valid, authorized prescription.

This organization breaks several international laws, but more importantly it poses a very serious threat to the public's health.

Promotion Via Illegal Spam

The only way that perhaps 70% or more of the world has heard of Canadian Pharmacy is via the unrelenting, large-scale receipt of illegally-sent spam email messages. By "illegally-sent", I refer specifically to the fact that they (or someone or some group working on their behalf) send these emails using very large scale "botnets" (definition) comprising several thousand exploited public computers. Over the past three years, no fewer than six (6) IT security organizations have performed research on a variety of these botnets, most notably the Storm botnet, and discovered that one of the primary uses of this botnet was to send spam email messages promoting these CPh websites.

I myself have written on this blog and on numerous spam- and cybercrime-related forums regarding Canadian Pharmacy, and I've specifically been researching their operations starting in mid-2006. (previous posting) However I am far from the only individual researching this organization.

Finnish Security Company "F-Secure" posted research tying spam messages promoting spamvertised websites for CPh on November 11th, 2006. (source) In this research they discovered that a PC exploit then known as "Warezov" was capable of sending spam. That spam contained urls for websites promoting what was then known as "Pharmacy Express." Pharmacy Express turned into Canadian Pharmacy in early 2007. The spam runs promoting these websites would often send tens of millions of messages to addresses around the world. The domain names for the Pharmacy Express sites were virtually identical in naming structure to those used as name servers for other sites which were being used as infection points for the Warezov virus, as well as domains used as name servers for both the Warezov infection sites and the CPh websites. More on Warezov and its functionality later.

Fast-Flux Hosting Via Hijacked Public Computers (Storm Worm)

Focusing again on the abovementioned domain, we can see that some unique hosting solution is being used for the "dadsymbol.com" domain by running a "dig" command against that domain:



As you can see from this simple check, the website itself is hosted on rotating IP addresses. This is a technique known as "fast flux" hosting (definition), and it's used by these CPh sites to hide their true location. Research has shown that these IP addresses are, invariably, infected household PCs owned by individuals who are unaware that their computer has been taken over to be used in support of these illegally-operating websites.

The IP addresses in this particular example are all located in Beijing, China, hosted at three distinct companies:

China Network Communications Group Corporation
CHINANET hebei province network / China Telecom
Beijing Zhongbangyatong Telecom Technology Co.,Ltd

This is not often the case. Several researchers have discovered some CPh sites using household DSL connections in the US Midwest, cable internet connections in Poland, and numerous other types of always-on cable or DSL connections around the world. All of this is believed to be provided by the Storm worm.
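As an added illustration (not part of the original letter, and not the dig output that appeared in the screenshot), the Python sketch below shows how a defender can score repeated "dig" answers for the fast-flux signs described above: many distinct A records, short TTLs, addresses spread over unrelated networks, and a changing answer set between lookups. The answer sections are constructed samples using a placeholder name and RFC 5737 documentation addresses; the thresholds and the /16 grouping (a rough offline stand-in for "different providers") are assumptions for illustration.

```python
"""Fast-flux indicators from repeated `dig` answers (added example)."""
import ipaddress
import re

# One A record as dig prints it: name, TTL, class, type, address.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$")

# Constructed sample: three successive lookups of a placeholder name.
# Addresses are from the RFC 5737 documentation ranges.
FLUX_RUNS = [
    """;; ANSWER SECTION:
pharmacy-example.test.  180  IN  A  192.0.2.14
pharmacy-example.test.  180  IN  A  198.51.100.77
pharmacy-example.test.  180  IN  A  203.0.113.5
""",
    """;; ANSWER SECTION:
pharmacy-example.test.  180  IN  A  198.51.100.77
pharmacy-example.test.  180  IN  A  203.0.113.140
pharmacy-example.test.  180  IN  A  192.0.2.201
""",
    """;; ANSWER SECTION:
pharmacy-example.test.  180  IN  A  203.0.113.66
pharmacy-example.test.  180  IN  A  192.0.2.90
pharmacy-example.test.  180  IN  A  198.51.100.12
""",
]

# Constructed sample: a conventionally hosted name for comparison.
STABLE_RUNS = [
    ";; ANSWER SECTION:\nwww.stable-example.test.  3600  IN  A  192.0.2.10\n"
] * 3


def parse_answers(dig_output):
    """Return [(ttl, IPv4Address)] for every A record in one dig output."""
    records = []
    for line in dig_output.splitlines():
        match = ANSWER_RE.match(line.strip())
        if not match:
            continue  # ";;" comments, blank lines, other record types
        try:
            addr = ipaddress.IPv4Address(match.group(3))
        except ipaddress.AddressValueError:
            continue  # malformed address, ignore the line
        records.append((int(match.group(2)), addr))
    return records


def flux_report(runs, ttl_limit=300, min_ips=5, min_nets=3, prefix=16):
    """Summarise several lookups of one name and flag fast-flux behaviour.

    ttl_limit, min_ips, min_nets and prefix are illustrative assumptions,
    not values taken from the post.
    """
    per_run = [parse_answers(text) for text in runs]
    seen = [{addr for _, addr in recs} for recs in per_run]
    all_ips = set().union(*seen)
    ttls = [ttl for recs in per_run for ttl, _ in recs]
    # Group addresses by covering network as a proxy for distinct providers.
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for ip in all_ips}
    # Turnover: share of each answer set that was absent from the previous one.
    changes = [len(cur - prev) / len(cur)
               for prev, cur in zip(seen, seen[1:]) if cur]
    turnover = sum(changes) / len(changes) if changes else 0.0
    max_ttl = max(ttls) if ttls else None
    suspicious = (max_ttl is not None and max_ttl <= ttl_limit
                  and len(all_ips) >= min_ips and len(nets) >= min_nets)
    return {
        "distinct_ips": len(all_ips),
        "networks": len(nets),
        "max_ttl": max_ttl,
        "turnover": turnover,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, runs in (("flux sample", FLUX_RUNS),
                        ("stable sample", STABLE_RUNS)):
        print(label, flux_report(runs))
```

On real data the network grouping is better done by ASN or provider lookup, since a single provider can announce many unrelated prefixes.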

100% False Claims

Canadian Pharmacy has made numerous completely false claims throughout nearly every word they say in every spam message sent, and on every page of their websites. Among these are claims that they offer security when processing credit cards (they do not, and never have, and this is something you can see by investigating any of the domains spammed to promote this operation), that their products are safe (numerous researchers have found that they either contain no active ingredient, or that they contain only trace amounts of the active ingredient, or that they actually contain harmful elements or materials), and they often listed contact information which was actually for the College of Pharmacists of British Columbia, who strenuously denied having anything to do with this operation or its continued illegal spamming practices. They also listed icons for the Better Business Bureau, Verified by Visa and an organization known as "Pharma Checker", none of whom actually supported or endorsed any of these sites. (And in all cases, representatives from all three expressed frustration at being unable to get this group to remove their icons from their sites.) Only in the past four months have they removed these icons. It is unclear why, although one could surmise that the increased investigations into their operations are to blame.

In fact even the very name of these sites, Canadian Pharmacy, is a lie. They aren't located anywhere near Canada, the products often ship from India, and the domains and name servers are hosted around the world. There isn't any Canadian source for any of these websites.

Further: the contact information used to register websites and nameserver domains routinely features 100% fake information. This is true for literally every single website registered for the promotion of Canadian Pharmacy.

These websites represent a very serious risk to the public's health, no matter which country the unwitting customers of these malicious websites happen to live in.

But I encourage you to join me in digging deeper into what other illicit activities this series of illegal websites is tied to.

Glavmed's Connection to Storm / Warezov Infections

I mentioned Warezov in an earlier paragraph.

Over the past 2 years, Warezov has come to be known alternately as Storm or Asprox. There are other names for this type of PC infection. It has continued to grow in size, and has continued to be used for all manner of illicit online activity ranging from the aforementioned spamming, through to plainly illegal activity such as performing large-scale Distributed Denial Of Service attacks (aka: DDOS attacks) against any site the botnet operator chooses (source), performing SQL injection attacks (source,) and most importantly for providing hosting and infrastructure for these Canadian Pharmacy websites, including name servers. Storm worm has also occasionally been used in phishing attempts. (source)

As far back as Jan. 31, 2008, tech news stories abounded that law enforcement authorities knew who had created and continued to operate the Storm worm (source), yet nearly a full year later absolutely no action has been taken against them. Further research by a variety of individuals as well as Wired Magazine tied Storm worm to a shadowy criminal organization known as the Russian Business Network, or "RBN". (source)

No less a source than the Washington Post's Brian Krebs has previously posted in great detail about who is behind the Storm Worm, and boldly declared he had connected all the dots in a story dating from January 29th, 2008. (source, with extensive background research.)

Glavmed Affiliate Program

In the past year, after monitoring numerous spam-friendly forums, many of which now no longer exist, I discovered one website which was responsible for acquiring new affiliates to promote the Canadian Pharmacy brand: a site called Glavmed.com. This is not immediately obvious from just visiting their main website, glavmed.com. (Although they do of course mention that the sites being promoted are pharmacy websites.) Their sites page features no mention of the brand "Canadian Pharmacy", only vague descriptions of what the sites sell, and that anyone can join this program. Their sign up form features no section where anyone needs to disclose whether they are a medical professional or a pharmacist at all, or whether they are retaining one for the purposes of fulfilling prescriptions for the pharmaceuticals these sites sell.

So how did I discover the link between Glavmed's affiliate program and Canadian Pharmacy? I joined their affiliate program. I will not disclose the details of my affiliate account other than to say that I have never used it for any promotional purposes on behalf of glavmed or Canadian pharmacy. Once I was approved, I was sent a link to their site templates which made it very clear that this was a very large-scale, highly organized operation, and that they are indeed 100% responsible for Canadian Pharmacy, and therefore responsible for the relentless spamming which occurs on their behalf.

As it turns out, apparently one of their supporters or affiliates posted a very Glavmed-friendly piece on a website known as atlantea.com (source), which alleges to rate the various online pharmacies promoted by Glavmed. They of course make absolutely no mention of the fact that these sites are easily the most prolifically-spammed properties on the Internet today. That entire domain appears to be a very spam-friendly site, and it links to a known base-domain which glavmed sites have been using for payment processing for three years now, rx-partners.biz.

Some interesting additional notes: They have modified several threads in their forums. These threads previously contained postings by several members which made it very clear that not only were Glavmed and their affiliates aware that many of their ranks were involved in large-scale spamming, but that they also knew they were lying about the use of logos such as that of Pharma Checker.

This thread previously had a posting (following posting #4, which is now the final posting in that thread) which stated that there was no valid Pharma Checker account for the Canadian Pharmacy websites. (A valid Pharma Checker is required in order to place a link to any pharmaceutical sites within a Google Adsense campaign, among many others. One affiliate was refused. I feel certain that many others must have been refused as well.) Another thread regarding spamming (source) had several pro-spam postings dating back to late 2007. These were removed sometime between December 2008 and January 2009. That was previously located after posting #3. Clearly someone is removing any expository evidence. (I and many others have archives of this forum however.)

Glavmed / Spamit / Storm / Canadian Pharmacy / RBN

Further, no less an authority than Ironport, a major spam-fighting corporation, made direct connections between Storm worm, Canadian Pharmacy, Glavmed, and their underground affiliate portal (and likely the real smoking gun) known as Spamit.com. (source) Ironport also placed several orders to verify what would happen with their bait credit card information, and to see whether they would actually receive anything from the order. They did receive a package containing pills which contained sugar and what was referred to as "inert filler". Another contained "high metal content". This is clearly a very high risk to the public's health.

I and many other researchers and security professionals believe it is time for someone to take decisive action against this operation, which has profited for at least four years now and is only continuing to grow. Research and evidence abounds regarding the connections between Canadian Pharmacy, Glavmed, The Storm Worm and the Russian Business Network. All of these are known by numerous security and law enforcement agencies to be operating in flagrant violation of international law. I and the citizens of my country and those of pretty much every other country are fed up with continual bombardment of these spam messages, promoting websites which lie in every word of their content, which sell fake and harmful products, and which endanger the lives of the general public. We are fed up with the complete lack of action on behalf of anyone in Law Enforcement to go after Glavmed, their affiliates, their site operators, their payment processors, their hosting providers and their domain registrars. The time for action is now, especially with the abundance of available research into this organization and their practices.

Please take this appeal very seriously. I welcome your feedback.

Very sincerely,

SiL / IKS / concerned citizen

Further research into Canadian Pharmacy

Spam Wiki: Canadian Pharmacy
http://spamtrackers.eu/wiki/index.php?title=Canadian_Pharmacy

Further research into the Storm Worm

Storm Worm Botnet Cracked Wide Open
http://www.heise-online.co.uk/security/Storm-Worm-botnet-cracked-wide-open--/news/112385

Russian Business Network (RBN): Georgia Cyberwarfare - Attribution & Spam Botnets
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-attribution.html

Full-disclosure: It's time to get serious about Storm Worm / RBN
http://seclists.org/fulldisclosure/2008/Mar/0300.html

Slashdot: We Know Who's Behind Storm Worm
http://it.slashdot.org/article.pl?sid=08/01/29/1823242

Monday, January 14, 2008

US Pharmacy (Very American) -> Total Lies

We are seeing a great deal of new spam for this family of illegal websites. I thought it was time to raise the curtain on how these illegal websites operate.

Note that on the front page, the site is selling numerous controlled substances:



A closer look:



Note that they misspell "Hydrocodone". Sounds like a real professional operation they got goin' on there...

Hydrocodone is defined by the US Food and Drug Administration (FDA) as a banned Schedule II narcotic, and further defined by the FDA as a Schedule III controlled substance.

Vicodin ES is a derived product containing Hydrocodone and is similarly classified by the US FDA.

Phentermine, Ambien and Xanax are all defined by the FDA as Schedule IV controlled substances.

Ultram (also known as Tramadol) is not classified as a controlled substance but it is highly addictive.

Controlled substances are considered by the FDA and the international medical community to have a very high risk of addiction.

Further reading:

Schedule III (US)
Schedule IV (US)

For Vicodin ES, the usual dose is 1 tablet, up to a maximum of 5 tablets per day. It is only recommended to take this drug (as well as Hydrocodone) under the strict recommendations and instructions of a doctor or pharmacist. Overdoses can kill people. Addiction is a very strong possibility.

The sale of these substances is considered a federal offence, particularly if one does so with no medical background whatsoever. As we shall see, not only do the operators of these sites have no medical background, they seem to be pretty open about indicating that this is the case, even though they might not recognize that they have done so.

They claim to accept Visa, American Express, Diners Club International and JCB Gold, as well as the online check service ECheck. They even present a special animated banner for the front page, and several large-size icons making this claim:




In reality, when one makes it through to their shopping cart page, it turns out that they only accept Visa and American Express. They also definitely do not accept ECheck, and no such option is present on any of these websites:



The quantity of tablets available for Hydrocodone on all US Pharmacy sites far exceeds any recommended dosage guidelines for this drug:



Clearly these websites do not care what happens to the patients who purchase these products from them. That last entry (180 pills!) is enough to cause serious harm or even death to somebody who is not under the care or supervision of a doctor or pharmacist.

At no point, anywhere on these sites, is there any mention as to who is the registered pharmacist or medical professional who will be providing these drugs to consumers. The sole purpose seems to be to profit as much as possible, even if it means killing the consumers who purchase these dangerous substances.

Throughout the site, a javascript function causes a momentary pop-up graphic to appear which claims: "Please Wait, Secure site loading":



This is of course a lie. There is no secure socket layer encryption technology present anywhere, on any of these websites. They also feature, to the left side of their menu, an image which claims "100% Secure Site":



This is, of course, also a lie.

A typical spam is received in text-only format (no HTML), featuring very stripped-down content with no subject line. A typical message body will read "Get the pian meds you need" (sic) and then feature a link to the target website.

In early January, 2008, the link in the spam messages was almost always a Blogger website whose sole purpose was to redirect the user to the actual target website. For example: The spam received on Jan. 14th, 2008 contained the url:

http://nugiwika29432.blogspot.com/

That url in turn redirected us to:

http://nugiwika29432.blogspot.com/discoveyamazing.com

Which was a mistake in this case: the morons who set up the Blogger site failed to use appropriate url redirection techniques. (Maybe they were high on Vicodin at the time...) It was attempting to redirect us to:

http://discoveyamazing.com/

Several users have received dozens of these messages throughout the month of January. In all cases, the abuse of Blogger urls was reported directly to Blogger.com using their abuse reporting form.

Their "About Us" page makes no mention as to the quality of their products or their legal ability to sell any of them, but they do make a point of saying that they are a popular destination for the purchase of these controlled substances, legal or not:

US Pharmacy is your online pharmacy for FDA approved drugs, specializing in the EXTREMELY POPULAR, yet hard to find High Level Muscle Relaxers, Pain Relief, and prescription Sleeping Aid Meds and MORE!

Join tens of thousands of customers who safely, conveniently, and discreetly order prescription medication including men's health, weight loss, pain relief, diabetes, stop smoking, cholesterol and anti depressant medications and more. Check out our FAQ for more information.


Their FAQ page makes a series of claims which could only be perceived as further lies in light of the fact that they falsely claim to be offering us a secure server.

Q. Is it safe to use my credit card with US Pharmacy ?

A. Absolutely. We have taken every precaution to make sure your transaction is secure. All account information submitted to us is safely isolated from unauthorized access. When you place an order online or with US Pharmacy, your personal information and credit card information are encrypted using SSL encryption technology before being sent over the Internet, making it virtually impossible for your information to be stolen or intercepted while being transferred.

Q. Is my personal information kept confidential?

A. Absolutely the personal information you give us will only be viewed by authorized employees of our company for the purpose of completing your order. We do not sell, trade, or rent your personal information to others.

Q. Are the drugs that you sell safe?

A. Our products are made by overseas pharmaceutical manufacturers. These are the very companies that manufacture (and export in bulk) the drug that goes in to the making of the world's best-selling brands. In the new global economy, manufacturing is increasingly being outsourced to overseas facilities of parent companies or third-party suppliers. Naturally any new advances in manufacturing technology are invested in to these overseas facilities, rather than in to the company's little-used factories. Our drugs are manufactured in state-of-the-art facilities that fully comply with the Good Manufacturing Practices (GMP).


That statement regarding the "GMP" shows the potential for just how dangerous these websites are. The US FDA's Good Manufacturing Practice (GMP) regulation does indeed exist, however it was put in place to regulate the manufacturing of medical devices (think: stethoscopes, scalpels), not pharmaceuticals. The GMP has absolutely no bearing whatsoever on pharmaceutical products. The operators of these sites are clearly not any sort of medical professional, and are only in this to profit at whatever cost. As such all of these websites should be seen as extremely dangerous.

And later in the same FAQ:

Q. Is this legal?

A. There are different laws in different countries for import the drugs for personal use. US FDA regulations allow for the importation of personal medication required for a 3 month period. US residents are already importing medication from Canada, India and South America and US citizens travel to Mexico and Canada to purchase the drugs all the time. Americans are fed up with huge prices at local pharmacies, and Congress is allowing them to buy drugs from other countries to combat this injustice. World-class drugs are now within reach of everybody who is being squeezed by the high cost of prescription drugs.


What this statement conveniently fails to mention is the following:

The United States Federal Food, Drug, and Cosmetic Act (Act) (21 U.S.C. section 331) prohibits the interstate shipment (which includes importation) of unapproved new drugs.

...

"when 1) the intended use [of the drug] is unapproved and for a serious condition for which effective treatment may not be available domestically either through commercial or clinical means; 2) there is no known commercialization or promotion to persons residing in the U.S. by those involved in the distribution of the product at issue; 3) the product is considered not to represent an unreasonable risk; and 4) the individual seeking to import the product affirms in writing that it is for the patient's own use (generally not more than 3 month supply) and provides the name and address of the doctor licensed in the U.S. responsible for his or her treatment with the product or provides evidence that the product is for the continuation of a treatment begun in a foreign country."

...

to ensure that the importation is for personal use only (and not for resale), and to ensure that the use of the unapproved new drug sought to be imported into the U.S. is supervised and does not represent an unreasonable risk, the guidance provides that the individual affirm in writing that the drug is for his or her personal use, and provide either the name and address of the U.S. licensed physician who will supervise its use or some evidence that the treatment was begun in a foreign country and that the drugs are being imported to continue/conclude the already begun treatment. Thus, while not the only documentation, either a U.S. or foreign prescription, along with an affirmation of personal use, could be supplied as evidence that this factor exists.


So no: what these sites are doing IS NOT LEGAL. Purchasing these substances from these sites IS NOT LEGAL. In fact, purchasing from these sites can lead to some serious charges for the consumers under FDA regulations, but this is assuming that the customer survives their likely overdose, given that the quantities which these sites have chosen to sell of these substances are much higher than anyone should ever take of these drugs.

Nobody requires a "three month supply" of Vicodin. That is a sure sign of addiction, and likely a sign that the user is at risk of overdose.

Placement of several control orders resulted in no secure page being accessed at any time, and no real-time validation of credit card information took place. We were immediately forwarded (via javascript) to a thank you page which passed a series of parameters which were easily able to be modified with no adverse effect.

Example url we were forwarded to:

http://discoveyamazing.com/pharmacy_thankyou.php?pending=1&PTxnID=1291602685

We could easily modify this to say:

http://discoveyamazing.com/pharmacy_thankyou.php?pending=1&PTxnID=WeAreIllegalSpammers

It has no problem with our value for the PTxnID parameter, and passes it through to the thank you paragraph:



This further indicates that there is no security whatsoever on these websites.
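What a confirmation page should do with that parameter, shown beside a model of the behaviour observed above. This is an added example, not the site's code (which the post never shows): the function names, the in-memory ORDERS store and the response bodies are assumptions, and the 10-digit format comes from the tracking id quoted in this post.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

TXN_ID = re.compile(r"[0-9]{10}")  # the post describes a 10-digit numeric id

# Constructed stand-in for a server-side order store (assumption).
ORDERS = {"1291602685": {"pending": True}}


def render_unchecked(url):
    """Model of the observed behaviour: PTxnID is echoed back as-is."""
    txn = parse_qs(urlsplit(url).query).get("PTxnID", [""])[0]
    return f"<p>Thank you. Your tracking id is {txn}.</p>"


def render_checked(url):
    """Hardened form: the id must be well-formed, must match an order the
    server actually recorded, and is HTML-escaped before being displayed.
    Returns (http_status, body)."""
    values = parse_qs(urlsplit(url).query).get("PTxnID", [])
    if len(values) != 1 or not TXN_ID.fullmatch(values[0]):
        return 400, "<p>Invalid tracking id.</p>"
    txn = values[0]
    if txn not in ORDERS:
        # Well-formed but unknown: the client cannot invent an order.
        return 404, "<p>No such order.</p>"
    return 200, f"<p>Thank you. Your tracking id is {html.escape(txn)}.</p>"


if __name__ == "__main__":
    base = "http://discoveyamazing.com/pharmacy_thankyou.php?pending=1&PTxnID="
    print(render_unchecked(base + "WeAreIllegalSpammers"))
    print(render_checked(base + "WeAreIllegalSpammers"))
    print(render_checked(base + "1291602685"))
```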

Placing an order results in a "thank you" page which claims that your order has been placed, and provides a 10-digit numerical tracking id. [eg.: 1291602685] They claim: "average time taken to fulfill an order is somewhere between 2 to 3 weeks."

They state that consumers can send emails regarding their order to the email address: sales@365support.us

The website that they claim users can track their orders at is www.365cansupport.us, however no such domain existed at the time we placed our sample orders.

Finally: even the brand for these illegal websites is a lie. Calling themselves "US Pharmacy" with the tagline "Very American" within their main banner indicates how badly they want to be taken seriously as a US-approved online pharmacy:



In reality the website we were spammed with () was hosted at an IP address located in China:

%whois 210.14.129.233

inetnum: 210.14.128.0 - 210.14.159.255
netname: ZBYD
descr: ZBYD Technology Co.,Ltd
descr: 15A build , xiyongle road ,shijingshan district ,Beijing
country: CN
admin-c: LA100-AP
tech-c: LA100-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
changed: ipas@cnnic.cn 20071106
source: APNIC

person: Lei An
nic-hdl: LA100-AP
e-mail: anlei@gwbn.net.cn
address: No. 20, Fuxing Road, Beijing
phone: +86-10-68650064
fax-no: +86-10-66813424
country: CN
changed: ipas@cnnic.cn 20071106
mnt-by: MAINT-CNNIC-AP
source: APNIC

inetnum: 210.14.128.0 - 210.14.159.255
netname: ZBYD
descr: ZBYD Technology Co.,Ltd
descr: 15A build , xiyongle road ,shijingshan district ,Beijing
country: CN
admin-c: LA1-CN
tech-c: LA1-CN
status: ALLOCATED PORTABLE
mnt-lower: MAINT-CN-ZBYD
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.cn 20071106
source: CNNIC

person: Lei An
address: 15A build , xixiaoqu road ,shijingshan district ,Beijing
country: cn
phone: +86-10-68610494
fax-no: +86-10-68610495
e-mail: anlei@gwbn.net.cn
nic-hdl: LA1-CN
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.cn 20071106
source: CNNIC


The domain itself outputs absolutely no WHOIS information, which is in violation of the ICANN accreditation rules. The domain was registered with XIN NET TECHNOLOGY CORPORATION on Jan. 9th, 2008, and the operators of this domain refer WHOIS requests to their own special whois domain (whois.paycenter.com.cn) which is unreachable.

A bit of a rant regarding XIN NET Technology Corporation: They appear to be the domain registrar of choice for all illegal spammers around the world today. Out of thousands of complaints which have been lodged with them regarding a variety of patently illegally used domain names, not a single one has been responded to or acted upon. We're talking months of complaints here. ICANN apparently doesn't care. I and many others have complained to them regarding this rogue domain registrar with absolutely no response or action taken. You could probably create your own style of snuff porn site, and have it registered via XIN NET, and nobody will do anything about it. ICANN: When are you going to do something about this?

Anyway: Clearly, there is nothing American whatsoever about these websites.

Spammers lie. Criminals also lie. These sites are created and operated by criminals, and promoted via spammers.

Needless to say: Do not purchase from these websites. Among other things, it's "un-American".

SiL / IKS / concerned citizen

Friday, January 5, 2007

My Canadian Pharmacy - another illegal rogue affiliate

If you receive email, anywhere, to any account: you have likely received spam messages promoting these sites.

Up until quite recently they all followed the same pattern:


  • Email messages consisting of one line of illiterate text ("nice V1@garra") followed by the link

  • Web domains consisting of seemingly randomized syllables resulting in a non-language domain name ("kuderunahexadunfes.com","funhadensalinhes.com", etc.)

  • Websites featuring logos for Pharmacy Checker, Better Business Bureau, CIPA, Verisign and Verified by Visa, all linking to fraudulent "supporting" statements. (Needless to say: not one of these organizations supports or authorizes any of these sites.)

  • A link to a so-called "License file" which is completely fake. (It looks like something a seven year old might be fooled by.)


There has been a great deal of research done, notably by the good people over at f-secure, into the technical infrastructure of these sites, their spamming operations, and the viruses which are used to hijack pc's into their botnets for all manner of nefarious activity.

This link outlines their tracking of the recent "Warezov / Spamthru" trojan. You will notice the similarities between the domains used to spam, the domains used to download and install the trojan, the WHOIS info for all of the domains, and the domains of the websites themselves. It's a painfully obvious exposition of their entire operation, and clearly outlines their maliciously fraudulent activity. In recent days this operation has been definitively proven to be of Russian origin, and to have no plans whatsoever of stopping the spamming or the operation of their illegal websites.

My own fight against this operation has taken place on two fronts: DNS cancellation (ISP's definitely don't want to be the ones on the hook for supporting this criminal activity) and order form seeding. I wrote the first "Pharmacy Expressorator™" back in March of 2006 and it has proven to be extremely effective against these sites. So much so, that I noticed in recent days: they've completely modified the entire way their back end processes work. (The sites used to be delivered via Microsoft .NET sites. Now they use Apache and PHP. Totally different product ID's, etc.) They also don't use the gibberish domain names nearly as much, resorting instead to sequential, brief domain names (22rx.com, 33rx.com, etc.) This may be a sign that they are aware of how much they seem to have exposed the inner workings of their operation.

So I have updated my Pharmacy Expressorator™ and released it into the wild. It is very easy to find and is extremely useful in providing these assholes with precisely what they continue to ask us for: orders. They want them. I'm merely providing a means of fulfilling their request. They emailed me illegitimately, so I'm providing the exact same service in return. If they ever choose to work legitimately, I'll stop.

Most spam researchers have tied the Pharmacy Express series of websites back to Leo Kuvayev, yet another Russian criminal. It appears that his last known geographic location was either Montreal, Canada or London, England. But he likely has several homes around the world, all at our expense. Isn't that great?

He's also tied to the usual cadre of illegal activities these spammers love so much: money laundering, credit card and identity theft, and of course: child porn.

I will continue to provide technical and other detailed information to law enforcement around the world, as I have been for the past year or more. I want these assholes gone, and I don't care what it takes to do so.

More as it happens. Happy New Year.

SiL