Home / Blogs

Policy Failure Enables Mass Malware: Part I (Rx-Partners/VIPMEDS)

Garth Bruen

This is the first in a series of releases that tie extensive code injection campaigns directly to policy failures within the Internet architecture. In this report we detail a PHP injection found on dozens of university and non-profit websites which redirected visitor's browsers to illicit pharmacies controlled by the VIPMEDS/Rx-Partners affiliate network. This is not a unique problem, however the pharmacy shop sites in question: HEALTHCUBE[DOT]US and GETPILLS[DOT]US should not even exist under the .US Nexus Policy. The owners of the two malware-redirected domains are in Russia and policy reserves dotUS for U.S. persons and entities. I wish we could say this is the only policy failure allowing the malicious pharmacy network to endure, but it is one of many. Multiple forged WHOIS records, a Registrar blocking access to WHOIS records, rejected emails to abuse contacts, and Registrars without any apparent policy help create an environment for hackers, spammers, and drug-dealers to act with impunity. All of this is detailed in our report.

PHP, SQL or simply code injections are intrusions at the database, server or website level that place a simple redirect command in the existing code that redirects the user's browser to another website, in this case our illicit .US Rx shops. This malicious code was found on the websites of several schools within the Arizona State University system, Rochester Institute of Technology, Universidade de Santiago de Compostela, Northern Marianas College, The University of Utah, Universita Mediterranea di Reggio Calabria, The International Association of Judges, earthportal.org and many other educational or non-profit entities. KnujOn notified all impacted parties prior to publishing this report and we continue to search for new infections. Malware and intrusions are not new news, but rarely reported is the true purpose of such attacks. Viruses and hacks no longer exist for their own benefit, but are part of sophisticated criminal toolkit, which drive Internet users to sites that deal in contraband. And these sites, for the most part, would not exist if effective policy and procedure were implemented.

This all comes out as ICANN's CEO Rod Beckstrom declares that the domain name system is under threat, USA Today reports on the booming counterfeit drugs industry, Panda Security reports tens of thousands of new malicious websites appear each week, and of course the White House call for ICANN, Registries and Registrars to help develop online drug control policy.

The VIPMEDS/Rx-Partners network has many other sites examined in this report, among those is toppharmacy[dot]org. While the Pubic Interest Registry(PIR) no longer has a non-profit requirement, this illicit pharmacy domain is not an organization (at least not a legal one). Toppharmacy[dot]org is sponsored by UKRNAMES and when we first queried their Port 43 engine we received the response: No match for domain "toppharmacy.org." This is very odd and could be a violation of RAA 3.3.1. After filing a complaint with ICANN, UKRNAMES WHOIS began giving out the proper information.

Two other domains in this affiliate network are: ameritrustpharmacy[DOT]net and
indiangenericspharmacy[DOT]com hosted by Sharktech. When we tried to contact Sharktech abuse our email was rejected. Then there the 11 pharmacy domains in this network with blatant false WHOIS. What ties all these domains and the malware together is the actual transaction domain: ebillsafe[dot]com, which as of this writing is thankfully offline. The transaction domain is where thousands, maybe even more, illicit pharmacy shop sites transfer customers once their shopping cart is full, it is where the money actually changes hands for drugs. One of the shop domains that points there is a Moniker-sponsored domain called cheapestpharma[DOT]net which uses Moniker's privacy protection. We made several unsuccessful attempts to get a copy of Monker's policy concerning illicit pharmacies from their senior staff and to get the site terminated. No policy is bad policy.

But there is good news. The main VIPMEDS shop site and transaction domains are offline, suspended by their hosts for policy violations. Some Registrars we contacted addressed the threat directly and terminated domains within the network. And nearly all of the infected networks have removed the malicious code. This means if someone is still unlucky enough to end up at one of the existing shop sites their transaction will fail. This is critical to understanding the problem, without domains to move cash through, the array of illicit sites and malware deployments are meaningless.

In Part II we will examine in detail a case that relates directly to ICANN compliance procedures.

By Garth Bruen, Internet Fraud Analyst and Policy Developer. More blog posts from Garth Bruen can also be read here.

Related topics: Cyberattack, Cybercrime, Cybersecurity, DNS, Domain Names, ICANN, Internet Protocol, Malware, Networks, Policy & Regulation, Registry Services, Top-Level Domains, Whois


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


Effective? The Famous Brett Watson  –  Sep 22, 2010 10:22 PM PDT

And these sites, for the most part, would not exist if effective policy and procedure were implemented.

Technically, I can't contradict this. "Effective" policy and procedure, pretty much by definition, achieves its intended results. But what will it take for policy and procedure to be effective? Should we require domain name registrants to post a large monetary bond as security against abuse? That might be effective — although its effects would certainly exceed that which is directly intended.

Not a consumer burden Garth Bruen  –  Sep 23, 2010 7:41 AM PDT

There's no need to increase cost on the consumer, the finger here is pointed at providers and sponsors who have the most to gain from a secure Internet and have the best ability to make that happen. There is an old adage about a snake that asks a horse to carry him across a river and promises not to bite him but then bites him anyway. The horse is confused but the snake simply says: "Didn't you now I was a snake?"

Criminals are going do what criminals do and they will exploit every opening. You can't control criminal behavior but you can control access to resources.

In the list of illicit pharmacy domains involved in there was only one .INFO site and it was quickly snuffed out because the .INFO sponsor Afilias has good policy and policy enforcement. Ram Mohan, Afilias' CTO has frequently commented here and elsewhere about these issues, see "Three things registrars must do to enhance security (http://www.afilias.info/blogs/ram-mohan/three-things-registrars-must-do-enhance-security)"

To do this all properly we need to recognize the problem, develop policy to address the problem, develop tools to monitor compliance, and have a procedure to enforce policy.

Several of the bodies mentioned in this report HAVE policy to prevent these problems but failed to detect or enforce them. This isn't the fault of the consumer at large.

One of the most common responses from ICANN given to me over the years is "we lack the tools to enforce this policy." It's been 12 years folks.

HEALTHCUBE[DOT]US offline Garth Bruen  –  Sep 24, 2010 7:40 AM PDT

One of the main malware directed sites: HEALTHCUBE[DOT]US is now offline...still more to go

GETPILLS[DOT]US offline Garth Bruen  –  Sep 25, 2010 8:57 AM PDT

ameritrustpharmacy[DOT]net, indiangenericspharmacy[DOT]com, cheapestpharma[DOT]net and toppharmacy[dot]org still active

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper


Sponsored by Verisign

Mobile Internet

Sponsored by Afilias Mobile & Web Services

DNS Security

Sponsored by Afilias

IP Addressing

Sponsored by Avenue4 LLC

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Domain Registrations Reach 331.9 Million, 6.7 Million Growth Year over Year

.brands Spotlight: Banking and Finance Industries

Google Buys Business.Site Domain for 'Google My Business'

Radix Announces Global Web Design Contest, F3.space

Global Domain Name Registrations Reach 330.6 Million, 1.3 Million Growth in First Quarter of 2017

.TECH Gets Its Big Hollywood Break

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

UDRP: Better Late than Never - ICA Applauds WIPO for Removing Misguided 'Retroactive Bad Faith'

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

.PRESS Supports Press Freedom Day for 3rd Consecutive Year

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016