Tuesday, August 7, 2007

Health Nation -> RXNIC -> S-RX

In a post about a week ago I mentioned how a spam from the same spammer lead me to both a My Canadian Pharmacy and a Health Nation site. The Health Nation site was however closed down before I managed to do my research but I got another one today.

Spam contains a link to sethnw.cn/?EILJSMWFxVW3VSXUFRQlhGHVdaXA== that redirects to dolmisdes.cn which is a My Canadian Pharmacy sites. But if you try only sethwn.cn you are redirected to aztxobzipyijon.com instead which is a Health Nation site



About the site. They have a fake drug reselling license which is standard for sites like this, this "license" is however also expired. Lazy spammer. They have a lot of false claims regarding the need of prescriptions, safety when ordering by credit card (even though they don't use SSL) and then they have this entry in their faq



If this is true then they use RX Payments and Surefire as credit card processors. RX Payments is based in Israel and the owners are the same who are behind magendavidmeds.com which is to my knowledge a fully legit reseller of drugs. That probably also means that they are so much more interested in reacting if it turns out they are really processing credit cards for Health Nation. Surefire was as far as I know bought by Terra Payments that merged with Optimal Payments. I will contact both credit card processors and ask about their connection to Health Nation.

When placing an order you get a confirmation page with a link on to www.rxhelpcenter.com



Which again shows a logo for rxnic.com



rxnic.com runs a pharmacy affiliate program and they don't exactly hide that they are a spam-friendly affiliate program. The home page mentions "BP Domain Registration and BP Hosting Solutions" for their members (BP = Bullet Proof = Doesn't close down just because of some spam abuse reports) and that they have new domains every day which can only be because they know they will get some domains closed along the way.

The home page mentions the following company and address. This company can not be found in the Louisiana Secretary of State Corporation Database and the closest I came to finding the address whad domain registration DomainContender LLC who has exactly same address except for LA 70130 instead of LA 70131. DomainContenter LLC has never heard of NT Express inc.

NT Express Inc
650 Poydras Street
Suite 1120
New Orleans, LA 70131
US


The domain rxhelpcenter.com is registered at YesNic co. ltd. with the following registrant information



The phone number is actually a fax number of a legit real estate agent. The address exists but I would be surprised if it's not the address of some innocent unknowing individual.

The site is hosted at address 64.28.179.146 which belongs to Cernel. What is interesting is that two other sites are hosted on the same server, www.hsuite.com and www.popular-cigarettes.com .

hsuite.com is a support/customer service site. 24x7x364 support (what happend to the 365th day?) , same site that can also be found on www.24x7x364.com except for some changes in phone numbers and footer. I am however not impressed by their support, I asked a week ago what is their connection to Health Suite and they have not answered me yet. When searching for hsuite.com it's mentioned together with Health Suite which was a pharmacy site being spamvertised a lot back in 2005.

hsuite.com and 24x7x364.com is both registered at EstDomains but with different regitration information:



The two sites mentions some different support numbers 1-888-241-8489 / 1-888-242-0845 (hsuite.com) 1-888-237-0341 / 1-888-240-5526 (24x7x364.com). There can be found different stories on the net related to those phone numbers and people who have tried to call and have been redirected to some say england and others say moscow. They all talked with persons who just denied spamming and afterwards hung up the phone.

The other site popular-cigarettes.com also being hosted on same server as rxhelpcenter.com is a site selling cigarettes, Smoke Man, also known for spamming. If you look at the faq you find answers to questions like"What does OEM stand for?", "Am I purchasing some academic or trial software?" etc., so a spammer that also does OEM software spamming and have been too lazy to make a new faq for his cigarette spamming site.

When searching a little for Health Suite and Smoke Man I ended up at this page www.s-rx.biz/terms.html that mentions both health-suite.com and popular-cigarettes.com. SRX is an affiliate program for pharmacy, cigarettes and OEM software. Based on the dates of the news the affiliate program seems to be death.... but the people behind is not.... because the site also mentions an ICQ of 414999 for support and on www.bulkerfoum.biz (Forum for mailers - where many are actually spammers not legit mailers) a user with the nickmame of 'S-RX' and who use the ICQ of 414999 has actually advertised for new mailers for an affiliate program just 8 days ago.

According to spamhaus then Anton Gorodov / Gorodetsk from Russia should be behind S-RX.

So connection between lot of different sites. My guess is that it's same person who was behind S-RX that is know running a new affiliate program RXNIC and still just as spam-friendly as the old one. One of the affiliates is running spam campaigns for aswell Health Nation as My Canadian Pharmacy.

Needless to say I will throw around some complaints to the different providers of hosting services and domains.

3 comments:

Anonymous said...

I'm not worthy! I'm not worthy!

Thanks for the informative posts.

AlphaCentauri said...

It doesn't matter which payment methods you [i]claim[/i] to accept if you are just stealing victims' credit card numbers and not actually selling any drugs. The agencies the sites mention may not really have any relationship with Health Nation or MyCanadianPharmacy. Has anyone ever had an order fulfilled by MCP? (See http://spamtrackers.eu/wiki/index.php?title=My_Canadian_Pharmacy )

KillSpammerz said...

> Has anyone ever had an order fulfilled by MCP?

Actually: yes (and I need to update that wiki entry to reflect this.)

Over the past 2 years, US Law enforcement and several other investigators have placed orders using tracable credit cards, and have indeed received packages containing either completely fake drugs (by fake I mean no active ingredient or sugar pills) or what are referred to as "counterfeit" versions of the drug in question. By counterfeit, we could mean either that it did contain the active ingredient as advertised but produced using unsafe means or with more filler than active ingredient, or a very low dosage of the active ingredient.

The examples I heard about were ultimately shipped from somewhere in India. The return postal address on the package as received turned out to be a bogus address in Bangalore, India (a vacant apartment.)

There are far more instances of people reporting that they gave over their credit card details and never received anything. Originally this was thought (rightly so) to imply that the sites behind this operation were involved in wholesale credit card theft. This is definitely still possible. The bigger issue is that the drugs that are received are usually of highly questionable content, and there are documented cases of people dying from taking them. (Most notably in the recent prosecution and sentencing of Christopher "Rizler" Smith.)

I really enjoy this blog. Your research is diligent and outstanding.

SiL