Friday, November 20, 2009

FDA To Criminal Pharmacy Affiliate Programs: Stop.


Some great news this morning from the Food and Drug Administration.

Yesterday the FDA's Office of Criminal Investigations sent warning letters to the operators of several domains hosting websites that sell pharmaceuticals illegally. Brian Krebs has the full story, including links to the specific letters, the FDA press release, and the full list of warning letters the FDA sent to rogue website operators. That is a significant amount of reading, and it essentially echoes what people like me have been trying to tell the public since at least 2005.

This is definitely a case of "No sh*t, Sherlock", since the FDA was arguably in a position to do this as far back as 2006, but it's better late than never. The letters cover 136 websites and spell out the precise illegal nature of each one, which should be obvious to anyone who reads this blog or follows any of the ongoing spam-promoted illegal online pharmacies.

I am also a bit surprised that the main "affiliate program" being called out is rx-commission.com, since we all know that the #1 criminal promoter of these bogus websites is Spamit aka Glavmed, who continue to pummel the Internet at large with their criminal websites promoting what we know to be completely bogus and dangerous versions of pharmaceutical products. But it's still good news.

One of the key, KEY quotes from the press release:

The agency issued 22 warning letters to the operators of these Web sites and notified Internet service providers and domain name registrars that the Web sites were selling products in violation of U.S. law. In many cases, because of these violations, Internet service providers and domain name registrars may have grounds to terminate the Web sites and suspend the use of domain names.

That one is pretty significant: if you allow a domain name to be registered, and that domain is then used to promote one of these rogue pharmacy sites, YOU now have grounds to shut it down. Period. I should hope this means far-off companies such as XIN Net, Ename, Beijing Innovative Link, etc., will finally get the message: once you have been notified, you share responsibility with the individuals whose websites you allow to stay registered. My colleagues and I have been trying to get this message across to these organizations for at least the past three years. This press release from the FDA adds considerable weight to our communications with these companies.

"The FDA works in close collaboration with our regulatory and law enforcement counterparts in the United States and throughout the world to protect the public," said FDA Commissioner Margaret A. Hamburg, M.D. "Many U.S. consumers are being misled in the hopes of saving money by purchasing prescription drugs over the Internet from illegal pharmacies. Unfortunately, these drugs are often counterfeit, contaminated, or unapproved products, or contain an inconsistent amount of the active ingredient. Taking these drugs can pose a danger to consumers."

Again: no surprise to anyone reading this blog, but great that they put it in black and white so that (hopefully at least) the average consumer can now be made aware of this action.

The individual warning letters do not mince words:

The United States Food and Drug Administration (FDA) has reviewed your websites [...] and has determined that you are offering products for sale in violation of the Federal Food, Drug, and Cosmetic Act (the Act). These products include, but are not limited to "Xanax (Generic)," "Valium (Generic)," "Viagra (Brand)," "Acomplia (Generic)," "Acomplia (Brand)," "Rimonabant," "Herbal Xanax," and "Herbal Viagra." We request that you immediately cease marketing violative products.

These products are drugs under section 201(g) of the Act, 21 U.S.C. § 321(g), because they are intended for use in the diagnosis, cure, mitigation, treatment, or prevention of disease and/or because they are intended to affect the structure or function of the body. Your marketing and distribution of these drugs violate various provisions of the Act, as described below:[...]

You can't get more clear than that.

I fully expect to see a large number of questions on support forums related to Glavmed or Spamit, along the lines of "but you told me this was perfectly legitimate?!?!" I'm certain the responses will be highly entertaining.

Let's see what the next year or so holds in terms of this statement having any real effectiveness in the fight against organized criminals and the websites they continue to push onto unsuspecting consumers.

SiL / IKS / concerned citizen

Tuesday, November 10, 2009

Earth4Energy Appears On Criminal Spam Radar.


In light of recent wins against a variety of Russian-based pharmaceutical spammers, and assistance from Yahoo in getting those pesky Yahoo Groups URLs, I was interested to see what ridiculous trends would start to appear from the same morons who insist on sending spam to people who clearly don't want it.

Enter "Earth4Energy", a site I had never heard of until (you guessed it) people started sharing their samples of inbound, unwanted spam promoting it.

Researching this rather dubious "product" turned out to be pretty interesting, because whoever is behind Earth4Energy has taken great care in registering as many domains as possible - including those which would imply that the product is a scam - and then employing them in all manner of seemingly blackhat SEO (search engine optimization) techniques. This obscures any genuine discussion of this "product", which is why I thought it was probably worth posting here.

Let's start at the beginning. Here's a recently-received sample of the spam being sent, which I have only mildly cleaned up (this particular idiot didn't bother to clean up the formatting for readability):

From: "Dan Kittles"
To: <[spamrecipient]@[domain].com>
Subject: Create a windmill & solar power @ home!

Discover now how to create electricity at home. No gimmicks! It's just a simple science, and I believe you knew it. This is exactly what you need if you are interested of knowing how to generate power and reduce electricity bills at home.

All it takes are guts, the eagerness to read the manual and apply it real life.

Earth4Energy is the solution for our needs. It can reduce our power bills or even completely eliminate it. So why would you follow others who pay $1400 for the installation of Windmill & Solar Power at home? You can actually build your own!

See it on this site to discover it now!

Best Regards,
Dan Kittles
upandaway777@gmail.com

Notice: List is taken from "Dan's Corner". So this e-mail is NEVER sent unsolicited. You are receiving it
because you, or somebody purporting to be you and using your e-mail address, has asked to be added to this mailing list.

To be remove, please reply so. Then we'll remove you from the database.

Boy. Way to go on the copy writing there, moron.

You can see a full example also being reported for spamming at this website. Note that that version, from August 2009, didn't have to use URL shorteners, probably because they had yet to become blacklisted.

The line that says "See it on this site" links to a URL shortener, for obfuscation purposes and in violation of the shortener's own terms of service regarding spamming:

http://to.ly/tKo

That in turn redirects to:

http://www.earthforenergy.com/

With the ultimate goal being to get you to purchase their "manual" via ClickBank's shopping cart functionality:

https://ssl.clickbank.net/order/orderform.html?time=1257866002&vvvv=656172746834&item=1&cbskin=48&vvar=cbskin%3D48

The site of course contains more breathless testimonials and unsubstantiated claims than even the most bogus pharmacy spam I've seen. That should be red flag #1 to anybody.

So that exposes the "thrust" of this spam campaign, and also the affiliate ID.
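The three steps above (shortener, landing page, ClickBank order form) are the same for every sample of this campaign, so they are worth scripting. The following Python is an added example, not code from the original post: it follows a redirect chain with HEAD requests only (so the landing page never renders and no affiliate cookie is set on the analyst's machine), stops on loops, and then decodes the ClickBank order-form parameters. The redirect table is a constructed stand-in for the live chain on the day of the post; the `time` field is a Unix timestamp, and my reading of `vvvv` as the hex-encoded vendor account name ("earth4") is an assumption based on what it decodes to.

```python
"""Trace a spam link's redirect chain and decode the ClickBank order-form
parameters at the end of it.  Added example, not code from the original post.
SAMPLE_CHAIN is constructed; the 'vendor' reading of vvvv is an assumption."""
import binascii
import datetime as dt
import urllib.error
import urllib.parse
import urllib.request

REDIRECT_CODES = (301, 302, 303, 307, 308)


def live_fetch(url, timeout=10):
    """HEAD a URL without following redirects.  Returns (status, Location).
    The body is never fetched, so nothing on the landing page executes."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn every 3xx into an HTTPError handled below
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def trace_redirects(url, fetch=live_fetch, max_hops=10):
    """Return every URL visited, starting with `url`.  Stops at the first
    non-redirect response, at a loop, or after `max_hops` (spam redirectors
    often loop or chain through a pile of throwaway domains)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urllib.parse.urljoin(chain[-1], location)
        chain.append(nxt)
        if chain.count(nxt) > 1:  # redirect loop: record it and stop
            break
    return chain


def clickbank_order_params(url):
    """Pull the identifying fields out of a ClickBank order-form URL.
    `time` is a Unix timestamp; `vvvv` is hex that decodes to an ASCII
    name (assumed here to be the vendor account)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)

    def first(key):
        return query.get(key, [None])[0]

    out = {"item": first("item"), "vendor": None, "generated_at": None}
    vvvv = first("vvvv")
    if vvvv:
        try:
            out["vendor"] = binascii.unhexlify(vvvv).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            pass  # leave None: not hex, or not printable ASCII
    ts = first("time")
    if ts and ts.isdigit():
        out["generated_at"] = dt.datetime.fromtimestamp(
            int(ts), dt.timezone.utc).isoformat()
    return out


# Constructed stand-in for the live chain on the day of the post, so the
# tracer can be exercised offline.
SAMPLE_CHAIN = {
    "http://to.ly/tKo": (301, "http://www.earthforenergy.com/"),
    "http://www.earthforenergy.com/": (200, None),
}
ORDER_URL = ("https://ssl.clickbank.net/order/orderform.html"
             "?time=1257866002&vvvv=656172746834&item=1&cbskin=48&vvar=cbskin%3D48")


def sample_fetch(url):
    """Offline replacement for live_fetch, backed by SAMPLE_CHAIN."""
    return SAMPLE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    print(" -> ".join(trace_redirects("http://to.ly/tKo", fetch=sample_fetch)))
    print(clickbank_order_params(ORDER_URL))
```

Swap `sample_fetch` for the default `live_fetch` to trace a real sample. Note that the `time` value in the order-form URL above decodes to 2009-11-10 15:13:22 UTC, i.e. the day this post was written, which is a handy way to tell a freshly generated checkout link from a stale one.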

Note that not one person who has reported this to me has ever subscribed to "Dan's Corner", nor had they ever heard of either that list or this "product".

Any attempt to "opt out", has also been unsuccessful, as expected.

ClickBank is a fairly well-known affiliate network (affiliates are paid a commission per sale they refer, not per click), and it offers affiliate promotion for a wide array of products and services.

They also offer a shopping cart service, which is what this particular scam is out to abuse.

Note their extremely specific anti-spam clause in their terms of service:

You shall not directly or indirectly:

a Send, initiate or procure the sending of an Email to any Person who has either not explicitly requested to receive such messages specifically from You, including without limitation for the purposes of sending unsolicited bulk email, executing any "mass mailings" or "email blasts," or for the purpose of spamming any public forum, including without limitation, any blog, message board, classified listings, auction sites, altnet, newsnet, newsgroups, or similar service.

b Send, initiate or procure the sending of an Email to any Person who has explicitly requested to receive no further Emails from You or Your company.

c Employ any false or deceptive information regarding Your identity, or regarding the intent, subject, or origin of the message or fail to include accurate information regarding Your identity, and the intent, subject, and origin of the Email.

[source]

It continues from there, but we can see already: This message violates all three of those. There is no "Dan Kittles", and a search for that email address only returns further discussion of this particular spam campaign.

They began their SEO campaign at least as early as October 2007. The first research I could find regarding this dates from November 2008:

This disease is really getting out of control. Earth4Energy now gets 222,000 hits on Google (October 24, 2008), and it is all a fraud. There are even thousands of fake negatives, like "Don't buy Earth4Energy" and "Earth4Energy Sucks" that lead you to yet more sales pages. Negative reviews are totally drowned out by the massive, cancerous marketing campaign.

[source]

That same author has set up an extremely detailed page specifically criticizing all of this company's claims regarding Earth4Energy, and in my opinion it's definitely worth a read, especially the completely bold-faced threats they make against the author regarding his negative review. (Read on, you'll see that his dissection is pretty much spot-on.)

Affiliates for this scam have also spammed Craigslist repeatedly, and continue to do so now. [example]

There is, of course, a link to the Earth4Energy affiliate program [affiliatematerial.com], and it becomes extremely obvious that this group does not care how you promote this crap. They don't care if you paint some random person's house with your domain name. There is no abuse process, no terms of service, nada. Just sign up, and (they allege) you can "start making money now!"

I tested out a signup, and their process doesn't include anything verifying that you have solid, opt-in-only lists, that you have whitelisted domains, etc. They just ask for a name and email, and you're in. Period.

Their "product" list looks like a veritable megastore of utterly useless crap. "Hair Extensions DIY", "Zero Chemicals", "DIY Hot Water", and of course the only product I, or any of the people who had contacted me, had heard of: "Earth4Energy".

Note that in these examples they plainly list a ClickBank url. They don't reiterate ClickBank's terms of service, they don't say anything about not spamming people, and they don't warn against flooding other sites or forums with links to these promotional urls.

Now: add to this that I've actually been sent a copy of this alleged "manual". Let me tell you: it is extremely slim on any kind of technical details regarding the construction of either a solar panel or a windmill. It has very cursory descriptions of how to build each piece, but no schematics, no detailed parts lists with sample pricing, etc.

Check out this excerpt regarding how to secure your windmill in the event of strong winds:

but how do we stop it from rotating wildly during high winds or severe storms? This is not something we want as it could tangle the wires and damage them. The easiest home fix for this is to use a bungee cord. You may think this sounds like a cheap little fix, and you are right! It is a cheap fix and it works very well.

Ignoring for the moment that this would violate numerous building and safety codes, there is no legitimate construction manual I have ever seen in my life that would recommend this solution. Especially not one that is a digital download being sold for $49 USD.

It is also rife with spelling and grammatical mistakes which make it clear that this is definitely a money grab.

In comparison to the plethora of actual forums and discussions regarding DIY electrical generation (there are dozens of them out there), I find it very hard to believe that anyone would seriously think that this "manual" is worth the money being paid. It certainly appears that more than mere "guts" are required, and the manual itself makes it extremely unlikely that anyone would "apply it real life."

The affiliate company behind this operation has been extremely active at responding to any negative commentary regarding this product. (Again: note their threats against a detailed analysis of why their product could be bogus.) The moment anyone complains about it being a scam, there is immediately a response saying that perhaps they didn't do it right, or stating that the person complaining just didn't bother to build it. This of course seeds doubt regarding the claims, so the sites are continually allowed to exist and be promoted. You can see a series of examples of this here.

I would have to say in the strongest possible terms: this product is a scam. It is worthless. Do not waste your money on it. As with any "product" being promoted via unwanted spam, it is utter crap, and not worth anyone's time, energy, or money.

SiL / IKS / concerned citizen

P.S. Update: it turns out that the nlcpr.com dissection already included lots of info from the actual pdf file these scammers sell. He does a very thorough job of refuting literally every claim in this so-called "manual." Again: do not waste your money. Thanks to readers who sent me this update.

Thursday, November 5, 2009

InBoxRevenge.com: DDOS #3




As many of you may now be aware, the forum I assist in maintaining known as InBox Revenge is down at the moment.

That's because someone out there (you can imagine who) seems to have randomly gotten pissed off at my team's research. Which research in particular? I have no idea. It wasn't a particularly busy month so far.

The attack is ongoing and likely costing someone lots of money. The good news about that is: this has become a great means of logging the attack as much as possible for both law enforcement agencies and the security community.

If you're a member of that community, feel free to contact me via comments. (I won't publish them if you don't want me to.) This attack already answers several questions that a lot of security websites were asking back in February.

As for our research: it's still ongoing. The forum has only been one of numerous ways we stay in touch.

Thanks to those who got in touch with me already about this, and thanks for your patience if you're a regular reader of that forum.

I'd also like to recommend our hosting company, Servint.net, who provide excellent uptime as well as fantastic security and support services.

More as it happens.

SiL / IKS / concerned citizen

Wednesday, November 4, 2009

SEO Comment Spammer Without A Clue

Looks like some "SEO" spammers have decided to bombard this blog with "comments" to boost their sites' page rankings.

Let's take a look shall we?

Starting on Nov. 2nd, I began receiving comment postings as follows:

deepak has left a new comment on your post "I just won the Microsoft, Toyota, Yahoo and MSN Lo...":

it's a really nice blog thanks for add my comment...

Welcome to Thebettingonline. We are here for to be the most online betting. For read our online casino gambling and betting guide click on www.thebettingonline.com. We also suggest you types of betting action Opening bets, Calling, Rising, Checking, it will help you to win the Bet.Online Poker Betting


Then on Nov. 4th, the same idea only with a different Blogger account:

mukesh has left a new comment on your post "I just won the Microsoft, Toyota, Yahoo and MSN Lo...":

it's a really nice blog thanks for add my comment...

Club casino online is a place where you can play the best and most popular online casino games. Here you will enjoy the very finest in online casino entertainment presented today, you may be sure of a secure and sound, helpful and friendly environment. If you want to play Blackjack, Pontoon, Baccarat, Casino War, Desert Treasure, A night Out, Ways Royal, 4 Line Jacks Or Better, Aces and Faces and more online casino games then just visit on clubcasinoonline.com.Online Casino Games


In each case the spammer was of course attempting to get this blog to link to each of his domains:

thebettingonline.com
clubcasinoonline.com

Deepak's profile is here:

http://www.blogger.com/profile/15774993016293932083

Mukesh's profile is here:

http://www.blogger.com/profile/06060353648109596325

Both were created solely to create these annoying, repetitive comments in an attempt to boost page ranks. (Though with such ridiculous copy, I can't imagine anyone having the slightest interest in clicking on anything this moron posts.)

The sites themselves don't "do" anything. They just sit there, being linked to via comment spam.

A bit further digging shows that my blog is not the only one affected by this mentally-challenged individual. A search for one of the phrases turns up ten entries which have the same posting. A search for the other turns up only four.

Further searches for the domains he's trying to link to pulls up even further sites where he's comment spammed repeatedly.

Notice of course that none of these sites that this idiot is "commenting" on have the slightest thing to do with gambling.

Of course, this blog comment spammer also uses Google Analytics on that first domain to track the inbound traffic to his scammy little setup. His account id is UA-10919767-14

But without links to anything, what is the point?

The second site lists yet another domain name -- bestbettingcasino.com -- but doesn't link to it. Why? (That site is also using his Google Analytics account, using id: UA-10919767-16)
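Both of those tracking IDs share the account number 10919767, and that shared prefix is the pivot: every site the spammer instruments with the same Analytics account can be tied back to him regardless of which domain he happens to be linking to this week. As an added example (not code from the original post), here is a Python snippet that pulls classic `UA-<account>-<property>` IDs out of fetched page source and groups domains by account. The page snippets are constructed to mirror the IDs quoted above; the tracker-call syntax in them is just sample input.

```python
"""Pivot on a shared Google Analytics account to tie spam-promoted domains
together.  Added example, not code from the original post; SAMPLE_PAGES is
constructed to mirror the tracking IDs quoted in the post."""
import re
from collections import defaultdict

# Classic (ga.js / urchin.js) tracking IDs: UA-<account>-<property>.
UA_RE = re.compile(r"\bUA-(\d{4,10})-(\d{1,4})\b")


def extract_ua_ids(html):
    """Return the set of full tracking IDs present in one page's source."""
    return {f"UA-{acct}-{prop}" for acct, prop in UA_RE.findall(html)}


def group_by_account(pages):
    """pages: {domain: html}.  Returns {account_number: sorted domains}."""
    groups = defaultdict(set)
    for domain, html in pages.items():
        for tracking_id in extract_ua_ids(html):
            account = tracking_id.split("-")[1]
            groups[account].add(domain)
    return {acct: sorted(doms) for acct, doms in groups.items()}


def shared_accounts(pages):
    """Only the accounts seen on two or more domains: the actual pivot."""
    return {a: d for a, d in group_by_account(pages).items() if len(d) > 1}


# Constructed sample pages.  Only the UA- strings matter to the extractor.
SAMPLE_PAGES = {
    "thebettingonline.com":
        '<script>var pageTracker = _gat._getTracker("UA-10919767-14");</script>',
    "bestbettingcasino.com":
        "<script>_gaq.push(['_setAccount', 'UA-10919767-16']);</script>",
    "clubcasinoonline.com":
        "<html><body>no tracker on this one</body></html>",
    "unrelated.example":
        "<script>_gat._getTracker('UA-12345678-1');</script>",
}


if __name__ == "__main__":
    for account, domains in shared_accounts(SAMPLE_PAGES).items():
        print(f"account {account}: {', '.join(domains)}")
```

In practice you feed it the saved source of every domain that turns up in the comment spam plus any domains those pages mention without linking to, then look at `shared_accounts`; a domain that shows up under the same account with no inbound link is exactly the kind of thing the spammer did not intend to connect.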

All of this is a roundabout attempt to... create traffic. For what?

This is one of the stupidest attempts I've seen by anyone to try to drum up linked traffic with no monetization. Keep up the horrible work, "Deepak".

SiL / IKS / concerned citizen

Wednesday, October 28, 2009

News Flash: Fake Pill Sites Don't Even Bother To Lie Very Effectively

After just receiving another of the plethora of bogus black-market pill sites via (you guessed it) criminally-sent spam, I think we've hit a new threshold for obvious, retarded lying practices on behalf of these moronic criminal fake pharmacy sites.

Can you spot the obvious problem with the following screenshot?



Highest security level guaranteed

This is a Secure page. Your Data is safely encrypted and is protected from an unauthorized access. All transactions are 100% secure.

That's right: never mind that "75% secure" crap; this site claims to be "100% secure", and even tells you how to verify it. The problem is that none of it is true, and anyone with a pair of eyes can tell they're lying: there is no "https" in the address bar (thanks for the tip, idiots), and there is no padlock anywhere a browser in use today would normally show one.
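The check is mechanical, so it can be scripted for every pill site a spam run points at. The following Python is an added example, not code from the original post: given a page URL and its HTML, it reports whether the page itself is served over https, whether every form on it submits over https, and whether the page nonetheless claims to be secure. The HTML below is constructed to mirror the screenshot text; the hostname is a placeholder.

```python
"""Flag checkout pages whose 'secure' wording is not backed by TLS.
Added example, not from the original post; SAMPLE_URL and SAMPLE_HTML are
constructed to mirror the screenshot text."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SECURITY_CLAIMS = ("secure page", "100% secure", "safely encrypted")


class FormCollector(HTMLParser):
    """Collect every <form action>, resolved against the page URL.
    A missing or empty action means the form posts back to the page itself."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            action = dict(attrs).get("action") or ""
            self.actions.append(urljoin(self.page_url, action))


def audit_security_claims(page_url, html):
    """Return page_https, the form targets, the ones not using https,
    whether the copy claims to be secure, and an overall verdict.  The
    interesting case is claims_secure=True with secure=False."""
    collector = FormCollector(page_url)
    collector.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    insecure_forms = [a for a in collector.actions
                      if urlsplit(a).scheme != "https"]
    lowered = html.lower()
    return {
        "page_https": page_https,
        "forms": collector.actions,
        "insecure_forms": insecure_forms,
        "claims_secure": any(c in lowered for c in SECURITY_CLAIMS),
        "secure": page_https and not insecure_forms,
    }


# Constructed sample: plain-http checkout page with the screenshot's wording.
SAMPLE_URL = "http://pharmacy.invalid/checkout.php"
SAMPLE_HTML = """
<h3>Highest security level guaranteed</h3>
<p>This is a Secure page. Your Data is safely encrypted and is protected
from an unauthorized access. All transactions are 100% secure.</p>
<form method="post" action="/order.php">
  <input name="card" type="text"><input type="submit" value="Buy">
</form>
"""


if __name__ == "__main__":
    report = audit_security_claims(SAMPLE_URL, SAMPLE_HTML)
    verdict = "LYING" if report["claims_secure"] and not report["secure"] else "ok"
    print(verdict, report)
```

An https page whose form posts to http fails the same way, which is the variant that actually fools people: the padlock is there on the page you read, and gone on the page your card number is sent to.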

What else are they lying about? Oh: everything of course.

This one comes on behalf of what appears to be the newest member of the former SanCash / AffKing group: Canadian Online Pharmacy. ("Canadian", of course, meaning "located in China, with drugs most likely shipped from India.")

Not that it needs to be said again * but: don't buy anything you have to ingest from a "company" you've never heard of, especially one that lies to you with every breath they take.

SiL / IKS / concerned citizen

* Actually it probably does need to be said, because these idiot criminals are STILL profiting thanks to what are arguably stupid and / or desperate "customers".

Friday, October 2, 2009

Happy National Cybersecurity Awareness Month!

This was news to me but possibly not to everyone.

Read more about this special month here.

SiL / IKS / concerned citizen

Monday, September 14, 2009

Following The Money (Mule)

This year has seen an interesting cross section of what seem on the surface to be distinct and separate spam campaigns, but are in fact connected, and part of a very coordinated cybercriminal enterprise.

In the past two years, we have seen numerous spam messages arrive which claim to offer "personal shopper" or "work from home" schemes. These are actually money mule messages used to recruit individuals to receive money, purchase products, and then ship the products to (at the moment) unknown addresses.

There have also been a variety of fake "corporate" websites put together for the purpose of recruiting these money mules, nearly always hosted in Russia. Renowned security researcher Bob Harrison has reported several of these websites, and documented their criminality in great detail. [source]

In the past six months we have now also started to see a variety of stories which describe the mass withdrawal of large sums of money from a variety of companies and other organizations. The most recent comes from Brian Krebs of the Washington Post, who has been covering this in some detail. [source]

In this story he reports that several businesses, and most recently a school district, have noticed very large withdrawals occurring from their bank accounts, and he has made the connection that this is where the money for the "secret shopper" purchases is coming from.

This was made possible by a banking trojan known as "Clampi", which these same criminals, or possibly someone they hired, used to record any banking credentials entered on any computer within the company or organization's network. [source] You can read some great research on Clampi (and its other variant names) written by the well-known security researcher Joe Stewart here. The companies affected are extremely varied (construction companies, electronics testing companies, demolition, at least one other US-based school district), but I guess it really doesn't matter where they get the banking information from. If the money is there, who cares what they happen to do?

The problem with this latest fraudulent banking activity is that it was from a fairly meagre school district - the Sanford School District, located in Sanford, Colorado - which serves just 340 students. I recognize that the scumbag criminals behind this activity could not care less who they affect with their criminal acts, but this is reprehensible on many levels. And this is only one of what appears to be a very large number of these events, and there doesn't seem to be any sign that this activity will slow down in the slightest.

This particular crime exposes a serious shortfall in the general staffing and infrastructure of most small businesses and governmental or civic organizations. The key piece of information that these criminals were counting on was that each of these organizations was small, and most likely had negligible IT or network security staff, if it had any at all. This is a huge, gaping hole which many colleagues and I have felt was inevitable given the costs and considerations of staffing and maintaining an organization such as a school district, or any other governmental office.

IT security staff, if it is an item of any consideration at all for any governmental or civic budgetary office, must be near the absolute bottom of the list of things considered important to fund and maintain. Since most qualified IT security staff are often outside the salary budgets of most governmental or civic comptrollers, it is hardly surprising that we now find ourselves in this predicament. Having a decent staff to support and protect the networks used by these organizations could have identified any rogue traffic resulting from the Clampi infection. It might also have stopped the Clampi trojan from spreading across the entire network. It might also have assisted in the data and evidence gathering which will now be required to pursue this in a court of law.

Mr. Krebs noted that the US Senate Homeland Security and Governmental Affairs Committee was holding a hearing regarding this specific issue and its ongoing effect on small businesses and organizations. [source] I should like to think that each of the following items would be addressed by this hearing:

1) Increased funding and infrastructure for IT security staff, especially for governmental or civic organizations.
2) Following the trail to the inevitable Russian or Eastern European criminals who executed this crime.
3) Greater stringency on the part of banks or other financial institutions regarding processing of funds on behalf of any company, but especially smaller businesses or civic organizations.

If you run a small business and are profitable, it is very strongly recommended that you get an expert to take a look at any Windows PC that may have been used at any time to log in to any financial institution that processes funds on behalf of your company.

I expect to see several more of this type of story, and I expect the criminals to get away with this for the foreseeable future, and that is extremely disappointing.

I wish this would lead to some kind of sanctions against Russia or the Eastern European countries involved in these crimes, but that is another story on its own. For several years now, individuals from Russia especially have been involved in widespread online criminal activity. No US-based initiative has gone after them, no law enforcement has been brought to bear, no governmental sanctions have ever been imposed, nor does it appear that they will be in the near future. Given Russia's intent to join the World Trade Organization, and its preparations to meet the WTO's guidelines (such as the mock shutdown of allofmp3.com, specifically related to this WTO acceptance), it is frankly baffling that no such action has been taken against Russia as a country, or the Russian government generally. There are hundreds if not thousands of research reports all pointing directly to Russian individuals as being involved in extremely in-depth and varied cybercriminal activity, including distribution and sale of child pornography, illegal sale and distribution of pharmaceuticals, illegal sale of patented software and trademarked products, and of course widespread infection of computers around the world. One of these days - probably not soon, unfortunately - this will result in some extremely bad news for Russia as a country, and especially Russia as a potential member of the WTO. That it hasn't happened already is simply unacceptable.

Unsurprisingly, Mr. Krebs has also written about this topic as recently as March 2009. [source] That's worth a read, as is the Slashdot posting which resulted. The same discussion should apply to any country which continues to allow this rampant criminal activity to continue to occur. (Russia is obviously a key contributor to this, possibly the key contributor.)

SiL / IKS / concerned citizen