Another Russian-Ukrainian-run fake pharmacy hosted in Romania
Today I traced a spam email claiming to be a message from Facebook Support, with the subject: "Facebook Support has sent you a message." The spam was sent through a hijacked email server belonging to a customer account at NTT-owned Verio Web Hosting. The link in the fake Facebook button led to a fake Canadian Family Pharmacy website, hosted in Bucharest, Romania.
This is a known rogue online pharmacy that is part of a huge spam operation run by a Russian spam affiliate program called Eva Pharmacy, which grew out of Bunker.biz. The people behind this spam operation are a tight-knit group of criminals known as Yambo Financials, based in Ukraine.
The domain name used in the spam run uses JavaScript redirection to take you to the actual website, which, although it claims to be the "Canadian Family Pharmacy," uses the domain name (this time): medicarerxdrugstore.com. A Whois lookup of that domain reveals that it was registered on April 18, 2011, by someone claiming to be (or using the stolen identity of) Ekaterina Nevzorova; ul. Turgeneva d.110 kv.19; Krasnodar; Krasnodarskiy kray, 350000; Russia.
Clicking through the link in the fake Facebook message leads to 188.229.97.110, which belongs to a Romanian web host, as shown below.
Input URL: http://medicarerxdrugstore.com
Effective URL: http://medicarerxdrugstore.com
Responding IP: 188.229.97.110
Host: 188.229.97.110
Location: RO RO, Romania
City: Bucharest, 10 -
Organization: SAFE TELENET SRL
ISP: SAFE TELENET SRL
AS Number: AS50068 SAFE TELENET SRL
The web page that was displayed claimed to be the Canadian Family Pharmacy, with an address near the bottom of the page given as: 913 Montreal Road, Ottawa, ON, Canada. This is a non-existent address that has been used since at least 2009 by the same Yambo and Bunker.biz cybercrime gangs to advertise their various fake pharmacies. Everything about the pharmacy is fake, including the drugs they sell, which are produced in counterfeiting factories in India and China.
If you receive an unexpected email claiming to be from Facebook Support, hold your mouse pointer over the link or button (labeled See All Messages, or similar). You will see the actual destination in the status bar at the bottom of the window. If your email client or browser lacks a status bar, hover over the link and right-click, then select Copy Link Location. Open Notepad, or your preferred text editor, and paste the link into a new blank document. You will see that the URL does not lead to anything.facebook.com/, but to either a weird domain name or a numeric IP address. The message I traced had the numeric IP address 200.58.119.150, which was for a hijacked computer in Argentina.
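The hover check described above can also be run over a saved HTML message body. The following Python is an added example, not code from the original post; EXPECTED_DOMAIN, the function names and the sample HTML (including the look-alike host) are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "facebook.com"  # assumption: domain a genuine link uses


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def classify_link(url, expected=EXPECTED_DOMAIN):
    """Return 'ok', 'numeric-ip' or 'other-domain' for one link."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "numeric-ip"
    except ValueError:
        pass
    # Accept the domain itself or a true subdomain only, so look-alikes
    # such as "facebook.com.example.net" or "notfacebook.com" are flagged.
    if host == expected or host.endswith("." + expected):
        return "ok"
    return "other-domain"


def audit_email_html(html):
    """Return (url, verdict) for each link not on the expected domain."""
    parser = LinkCollector()
    parser.feed(html)
    return [(u, v) for u in parser.hrefs if (v := classify_link(u)) != "ok"]


# Constructed sample: the IP is the one quoted above, paths and look-alike host are made up.
SAMPLE = """
<a href="http://200.58.119.150/placeholder.html">See All Messages</a>
<a href="https://www.facebook.com/help">Help Center</a>
<a href="http://facebook.com.example.net/login">Sign in</a>
"""

print(audit_email_html(SAMPLE))
```

Links without a host (relative or mailto: links) are reported as other-domain, since they cannot be confirmed to point at the expected site.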
I pray that none of my readers will fall for this, or any other fake online pharmacy, whether they claim to be Canadian, American, or from The Borg Collective. They are fake, selling counterfeit drugs, and are run by master criminals in the former USSR. If you actually do receive the items you paid them for, you are getting counterfeits, with God knows what ingredients and dosages. Contact your bank or credit card issuer and request a refund based on fraud, and request a new debit or credit card number (the criminals have the card number used to make your purchase on file).
See my Spam Issues articles for more exposés about fake pharmaceutical spam and the Romanian and Russian connections to most of it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.