
My never ending battle with a Russian-Canadian scam pharmacy

https://www.scambook.com/company/view/1166/Canadian-Health-And-Care-Mall

I hate scammers, especially if they are to do with people's health. Just like in this case with the fake Canadian pharmacy. This is a very old and famous scam, about which I remember reading that at one point a botnet was sending out millions of spam emails a day to generate traffic to their websites. This could have a huge impact on vulnerable people who order medication for health reasons, and for druggos too I suppose. I do not know whether or not you get the products, and I do not know whether the products are legit.

My initial target was this website which I found on Google one day:

http://sismos.rm.ingv.it/doc/tn.php

OK, obviously this is a scam, let's be honest here. It's a PHP file in a dir called doc, and the root of the site is a completely different website in itself anyway.

Did I mention this site runs Joomla and is vulnerable to hell?

Not to mention this page is dodgy as hell:

[Screenshot of mumbaimag.com/wp-content/doc/tn.php]

Those two images were located here:

http://i.imgur.com/q9IA5o9.png

http://i.imgur.com/SmjWOOz.jpg

Which I got Imgur to remove for me to help kill the traffic reaching the end sites.

The images link to the following website:

onlinetabsbargain.ru

Which obviously has a .ru Russian domain name and is hosted in le Russia:

IP address: 95.31.22.193
Host name: 0891749489.static.corbina.ru
IP range: 95.31.0.0-95.31.26.255 CIDR
ISP: CORBINA-BROADBAND
Organization: (blank in the lookup)
Country: Russian Federation (RU)
Region: Moscow
City: Moscow (Central Administrative Okrug)
Time zone: Asia/Krasnoyarsk, GMT+0700
Local time: 02:30:46 (KRAT) / 2016.05.14

This website looks even more dodgy:

[Screenshot of onlinetabsbargain.ru]

From here I will not investigate the site any further until I have gathered enough information and intelligence from the targets to pass over to the authorities.

I actually found another hacked site within their network:

http://mumbaimag.com/wp-content/doc/tn.php

Did I mention this site runs WordPress and is vulnerable to hell? Do you see the pattern here? If you are using WordPress, Drupal or Joomla, KEEP IT UPDATED!!! AND DON'T USE DODGY PLUGINS! I cannot stress this enough.

Anyway, funnily enough, I found the hackers' FilesMan backdoor here:

http://mumbaimag.com/wp-content/doc/x.php

Although it is password protected (aw, maybe later).

Here are a few others I found:

gazeteadana.com/doc/show.php

only-cookware.com/images/doc/tn.php

forums.jlconline.com/doc/page.php

chem-station.com/bosyu/tn.php

tmregiony.pl/doc/show.php

psychicguild.com/blog/wordpress/doc/tn.php

kognitywistyka.amu.edu.pl/en/doc/tn.php

isn.prism.uvsq.fr/doc/show.php
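The sites above share one pattern: a PHP file such as tn.php, show.php or page.php dropped into a directory (doc, images, wp-content/doc) that should only ever hold documents or images, plus a FilesMan-style backdoor next to it. As an added, defender-side example that is not part of the original post, here is a small scanner a site owner could run over their own webroot to catch exactly that pattern. The directory names and the two content markers (the string "FilesMan", and the spam page title used in the post's second Google dork) are taken from the post; treating "uploads" as a no-code directory is my own assumption, and the sample tree it scans is constructed inline, not real site content.

```python
import re
import tempfile
from pathlib import Path

# Directories that, on a WordPress/Joomla/Drupal install, should hold documents
# or images and never executable PHP. "doc" and "images" come from the paths
# listed in the post; "uploads" is an added assumption.
SUSPICIOUS_DIRS = {"doc", "images", "uploads"}

# Content markers: "FilesMan" is the string the backdoor in the post is named
# after; the title is the spam page title from the post's second Google dork.
CONTENT_MARKERS = [
    re.compile(rb"FilesMan"),
    re.compile(rb"All top-quality Canadian medications in one place"),
]


def scan_webroot(root):
    """Return a sorted list of (relative_path, reason) for PHP files that look
    like injected spam pages or backdoors."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root)
        reasons = []
        # 1. PHP sitting in a directory that should not execute code
        if any(part in SUSPICIOUS_DIRS for part in rel.parts[:-1]):
            reasons.append("php in non-code directory")
        # 2. Known content markers inside the file
        try:
            data = path.read_bytes()
        except OSError:
            continue
        for marker in CONTENT_MARKERS:
            if marker.search(data):
                reasons.append("marker:" + marker.pattern.decode())
        if reasons:
            findings.append((rel.as_posix(), "; ".join(reasons)))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree mimicking the layout the post describes.
    None of this is real site content."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "wp-content" / "doc").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "legit").mkdir(parents=True)
    (root / "images").mkdir()
    # Legitimate files: must not be flagged
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';")
    (root / "wp-content" / "plugins" / "legit" / "plugin.php").write_text(
        "<?php // normal plugin code")
    (root / "images" / "logo.png").write_bytes(b"\x89PNG")
    # Injected spam page in a doc/ directory, carrying the spam title
    (root / "wp-content" / "doc" / "tn.php").write_text(
        "<?php echo '<title>All top-quality Canadian medications in one place</title>';")
    # Backdoor next to it, carrying the FilesMan marker (constructed sample)
    (root / "wp-content" / "doc" / "x.php").write_text(
        "<?php // FilesMan marker in constructed sample")
    return root


if __name__ == "__main__":
    for rel, why in scan_webroot(build_sample_webroot()):
        print(f"{rel}: {why}")
```

Run it as `python scan.py` on the constructed tree, or call `scan_webroot("/var/www/html")` on a real install. The two checks are deliberately independent: a PHP file in doc/ is suspicious even without a marker, and a marker hit in a normal plugin directory is still reported, so a backdoor that has been moved out of doc/ does not slip past on location alone.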

Google dork: https://www.google.co.uk/search?sclient=psy-ab&hl=en&biw=1920&bih=971&site=webhp&q=%22alternative+and+coupon+codes%22&oq=%22alternative+and+coupon+codes%22&gs_l=hp.3…185672.185672.5.185755.1.1.0.0.0.0.0.0..0.0….0…1c.1.64.psy-ab..1.0.0.j_3locg6Lsk&pbx=1&bav=on.2,or.&bvm=bv.122129774,d.bGs&ech=1&psi=qA47V6u6I-qC6AT34ZiwBA.1463488168987.13&ei=3A47V4HyG6mVgAaU3aToBg&emsg=NCSR&noj=1

But alas, we have a much bigger operation on our hands. The following are only some of the fake Canadian pharmacies I have found:

homefastmall.club/?cid=mm2

canadianworldwiderx.com/

onlinetabsbargain.ru

https://www.rxmedsca.com/products/?p=20

http://www.canadianhealthmall.org/testimonials/

http://nathom.nakhonphanom.doae.go.th/images/panadol_extra.html?ph=pipe&zfj

http://shop.vmakemore.com/products/antiviral/

http://eyeshop24.com/

More to follow soon.

——————————–

Google dorks:

https://www.google.co.uk/#q=%22%2Fdoc%2Ftn.php%3Fpg%3D%22

https://www.google.co.uk/#q=intitle:All+top-quality+Canadian+medications+in+one+place+at+most+reasonable+price!
———————————