Wednesday, August 1, 2007

My Canadian Pharmacy on hijacked servers as usual

Received spam from "The United States National Medical Association", us-nma.com, explaining how many online pharmacy shops are unreliable and simply frauds... well, who other than the spammers themselves has first-hand knowledge of this.

When clicking on the us-nma.com link in the message you are instead redirected twice. First to www.fadesuntuides.com/?EILJSMWFxVW3VSXUFRQlhGHVdaXA== and then from there to ahoplicaner.com, which is a My Canadian Pharmacy site, not to be confused with Canadian Pharmacy sites.

Fadesuntuides.com is registered at Xin Net Technology Corporation, www.xinnet.com, not surprisingly with forged registration information. A complaint has been sent to them. The domain is used in a botnet, so it resolves to different addresses at intervals of a few minutes. Too much work to report them all, as there can be a large number of zombie computers.
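
The "resolves to different addresses every few minutes" behaviour described above is the classic fast-flux pattern. The following is an added example, not code from the original post: a small heuristic scorer over repeated DNS lookups of one domain. The lookup samples are constructed from RFC 5737 documentation ranges; they are not the real resolutions of fadesuntuides.com, which the post does not list.

```python
"""Heuristic fast-flux triage over repeated A-record lookups (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Lookup:
    ts: int          # seconds since the start of observation
    ttl: int         # TTL of the returned A records, in seconds
    ips: tuple       # A records returned by this lookup


def fast_flux_score(lookups):
    """Return (score, evidence): how many fast-flux indicators the samples hit.

    Indicators: short TTL, many distinct IPs, IPs spread over many /16
    networks, and answers that change between consecutive lookups.
    CDNs also show short TTLs and many IPs, so treat the score as a triage
    signal to be confirmed with WHOIS/ASN data, not as proof of a botnet.
    """
    all_ips, networks, prev, churn = set(), set(), None, 0
    for lk in lookups:
        cur = set(lk.ips)
        all_ips |= cur
        # Collapse each address to its /16 to measure network diversity.
        networks |= {ip_network(f"{ip}/16", strict=False) for ip in cur}
        if prev is not None and cur != prev:
            churn += 1
        prev = cur
    avg_ttl = sum(lk.ttl for lk in lookups) / len(lookups)
    evidence = {
        "low_ttl": avg_ttl <= 600,
        "many_ips": len(all_ips) >= 5,
        "many_networks": len(networks) >= 3,
        "changing_answers": churn >= len(lookups) // 2,
    }
    return sum(evidence.values()), evidence


# Constructed samples: a fluxing domain polled every five minutes ...
FLUX = [
    Lookup(0, 300, ("192.0.2.10", "198.51.100.7")),
    Lookup(300, 300, ("203.0.113.44", "192.0.2.10")),
    Lookup(600, 300, ("198.51.100.99", "203.0.113.8")),
    Lookup(900, 300, ("192.0.2.77", "198.51.100.7")),
]
# ... and a stable domain with one host and a day-long TTL counting down.
STABLE = [Lookup(t, 86400 - t, ("192.0.2.50",)) for t in (0, 300, 600, 900)]

if __name__ == "__main__":
    print("flux:", fast_flux_score(FLUX))      # expected score 4
    print("stable:", fast_flux_score(STABLE))  # expected score 0
```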

Regarding the My Canadian Pharmacy site, the SpamWiki has dissected this, so read more here: spamtrackers.eu/wiki/index.php?title=My_Canadian_Pharmacy

The domain ahoplicaner.com is registered at 1-887NameBid.com LLC, 1-877NameBid.com. The domain information used is very likely to be forged because it's the address of one of the directors of the Kentucky Secretary of State, and I doubt she is involved in spamming. A complaint was sent, which they chose to delete without reading; I have reminded them that I will report that fact here to see if they change their mind.

As usual, My Canadian Pharmacy is using more servers to host its site, and probably all of the frontend servers we see are hijacked. The site itself is located at 195.87.6.3, which is assigned to Koc Net, Turkey, www.koc.net. Images are placed on a range of addresses, all at port 8080: 212.174.224.6, 66.134.243.54, 85.92.131.183, 202.82.16.25, 193.95.254.71. Abuse reports have been sent to the hosting/network providers assigned to all 6 addresses.

I mentioned that the redirection to www.ahoplicaner.com was done from the address fadesuntuides.com/?EILJSMWFxVW3VSXUFRQlhGHVdaXA==, and this of course made me curious to see what showed up if you just went to fadesuntuides.com... another redirection, this time to aztxobzipyijon.com, which is a Health Nation site.

So it appears we have a spammer here who is probably running mailing campaigns for both these sites. There is quite a lot to report about this Health Nation site, as it's the first time I have seen that one, so I will leave that for a separate post.

1 comment:

Anonymous said...

There are more of these -- just got spam email for http://bandmount.cn
Also had a bogus charge on my credit card on www.meds2k.com - so now I am looking for these sites and wondering if they are the same.