Monday, April 13, 2009

New Drug sites avoid Visa and MasterCard, Sell Hydrocodone

Those who research Pharmaceutical spam have learned that there are basically two major classes of drugs. Those which the Feds care about stopping (Controlled substances monitored by the DEA) and those the Feds are happy to ignore, and which they call dismissingly "Lifestyle Drugs".

Its quite frustrating in light of the fact that, as Microsoft pointed out recently in their semi-annual report on Internet safety, 97% of the email on the Internet is spam, and HALF of that email is pharmaceutical spam. For someone to decide that its not worth investigating lifestyle drugs (by which they mean Viagra, Cialis, and other sexual-experience related drugs) as vigorously as we investigate "Controlled Substances" has lead to our current status on the Internet as a world flooded with absolutely uncontrolled drug spam.

Nevertheless, knowing that there is a two-tiered system of investigation related to pharmaceutical spam, we've all learned that the way to get action is to point out sites that are selling things that are on the Class I, Class II, Class III, or Class IV Controlled Substance List.

Side Note - if you are looking for a Computer Forensics Research program interested in making an impact on pharmaceutical spam, that has as partners in its "Computer Science/Justice Science Working Group" forensic criminologists with their own Gas Chromotography Mass Spectrometer (GS/MS), and faculty and grad students trained in its use, please look no further than the University of Alabama at Birmingham.

That's one of the two reasons why this new spam cluster is especially interesting to me. We have more than 1450 spam emails in the UAB Spam Data Mine during March and another 1,069 so far during April that contain the word "Hydrocodone" in either the body or the subject. The subject line in today's case actually says "Hydrocodone For You", and pointed to a pharmacy site here:

which leads with Hydrocodone, Vicodin, Phentermine, Ambien, Valium, and Levitra. They have quite a few alternate payment methods, but most notably they do NOT accept Visa or Mastercard:

By accepting electronic checks, direct bank transfers, and Western Union payments, these dealers in fake drugs can move their money even faster than they move their drugs. The world of money laundering possibilities opens wide once you get Visa and MasterCard off the option list. That should also make it pretty clear to the potential buyers. This vendor wants to move your money Quickly, Untraceably, and most importantly Irreversibly. They want to make sure they get your money NOW, even though you may (or may not) get your drugs later, and that even if you do NOT got your drugs, there is no way your going to get your money back, or even figure out where your money went.

This particular domain was registered on March 20th via XIN NET Technology.

The IP is at - Hanaro telecom, Korea

This is not a new IP address to us at the UAB Spam Data Mine.

March 23 - (1 spammed domain)
March 24 - (13 spammed domains)
March 25 - (16 spammed domains)
March 26 - (50 spammed domains)
March 27 - (42 spammed domains)
March 28 - (42 spammed domains)
March 29 - (42 spammed domains)
March 30 - (64 spammed domains)
March 31 - (75 spammed domains)

(I'll update those stats with April data once its been caught up...)

The Hotmail address in the whois data is =

Two hundred other hyphenated domain names are on the same Hanaro IP address, according to DomainTools:

Over the weekend, a new Hydrocodone cluster emerged, distinct from the one above.

The new cluster used the following domain names in more than 1500 emails just over the last weekend:

The new cluster looks like another Viagra site at first:

but scrolling down, we see it really is selling Hydrocodone and other Class II and Class III Controlled Substances:

As with the first cluster we mention, Visa and MasterCard are conspicuously missing from this site. It now accepts ONLY American Express:

Fortunately, they are concerned about the High Incidence of Fraud. 8-) Haha!

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.