
Policy Failure Enables Mass Malware: Part I (Rx-Partners/VIPMEDS)

This is the first in a series of releases that tie extensive code injection campaigns directly to policy failures within the Internet architecture. In this report we detail a PHP injection found on dozens of university and non-profit websites which redirected visitors’ browsers to illicit pharmacies controlled by the VIPMEDS/Rx-Partners affiliate network. This is not a unique problem; however, the pharmacy shop sites in question, HEALTHCUBE[DOT]US and GETPILLS[DOT]US, should not even exist under the .US Nexus Policy. The owners of the two malware-redirected domains are in Russia, and policy reserves dotUS for U.S. persons and entities. I wish we could say this is the only policy failure allowing the malicious pharmacy network to endure, but it is one of many. Multiple forged WHOIS records, a Registrar blocking access to WHOIS records, rejected emails to abuse contacts, and Registrars without any apparent policy help create an environment for hackers, spammers, and drug-dealers to act with impunity. All of this is detailed in our report.

PHP, SQL or simply code injections are intrusions at the database, server or website level that place a simple redirect command in the existing code, sending the user’s browser to another website, in this case our illicit .US Rx shops. This malicious code was found on the websites of several schools within the Arizona State University system, Rochester Institute of Technology, Universidade de Santiago de Compostela, Northern Marianas College, The University of Utah, Universita Mediterranea di Reggio Calabria, The International Association of Judges, earthportal.org and many other educational or non-profit entities. KnujOn notified all impacted parties prior to publishing this report and we continue to search for new infections. Malware and intrusions are not news, but the true purpose of such attacks is rarely reported. Viruses and hacks no longer exist for their own benefit, but are part of a sophisticated criminal toolkit which drives Internet users to sites that deal in contraband. And these sites, for the most part, would not exist if effective policy and procedure were implemented.
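A defender's check for the redirect described above, as an added example that is not part of the original report: it searches a web root for references to the domains the report names. The file suffixes, the function names and the two sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Indicators exactly as the report writes them (defanged).
REPORT_DOMAINS = [
    "HEALTHCUBE[DOT]US", "GETPILLS[DOT]US", "toppharmacy[dot]org",
    "ameritrustpharmacy[DOT]net", "indiangenericspharmacy[DOT]com",
    "cheapestpharma[DOT]net", "ebillsafe[dot]com",
]
# Assumption: file types worth checking on a typical PHP site.
SCAN_SUFFIXES = (".php", ".inc", ".html", ".js", ".htaccess")

def refang(indicator):
    """Turn 'NAME[DOT]TLD' into a lowercase 'name.tld'."""
    return re.sub(r"\[dot\]", ".", indicator, flags=re.I).lower()

def build_matcher(indicators):
    # Boundaries stop 'nothealthcube.us' from matching; subdomains still match.
    names = "|".join(re.escape(refang(i)) for i in indicators)
    return re.compile(r"(?<![a-z0-9-])(" + names + r")(?![a-z0-9-])", re.I)

def scan_tree(root, matcher):
    """Return sorted (relative_path, line_number, domain) hits under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for m in matcher.finditer(line):
                        hits.append((os.path.relpath(path, root), lineno, m.group(1).lower()))
    return sorted(hits)

def demo():
    """Build a constructed web root with one clean and one tampered file."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php\necho 'Welcome';\n")
        with open(os.path.join(root, "news.php"), "w") as fh:
            # Constructed sample line, not the injection from the report.
            fh.write("<?php\nheader('Location: http://www.%s/');\n" % refang("GETPILLS[DOT]US"))
        return scan_tree(root, build_matcher(REPORT_DOMAINS))

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A plain-text match like this only finds references stored in the clear; a clean result does not rule out an obfuscated or database-stored redirect.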

This all comes out as ICANN’s CEO Rod Beckstrom declares that the domain name system is under threat, USA Today reports on the booming counterfeit drugs industry, Panda Security reports tens of thousands of new malicious websites appear each week, and of course the White House calls for ICANN, Registries and Registrars to help develop online drug control policy.

The VIPMEDS/Rx-Partners network has many other sites examined in this report, among them toppharmacy[dot]org. While the Public Interest Registry (PIR) no longer has a non-profit requirement, this illicit pharmacy domain is not an organization (at least not a legal one). Toppharmacy[dot]org is sponsored by UKRNAMES and when we first queried their Port 43 engine we received the response: No match for domain “toppharmacy.org.” This is very odd and could be a violation of RAA 3.3.1. After we filed a complaint with ICANN, UKRNAMES WHOIS began giving out the proper information.

Two other domains in this affiliate network are ameritrustpharmacy[DOT]net and indiangenericspharmacy[DOT]com, hosted by Sharktech. When we tried to contact Sharktech abuse our email was rejected. Then there are the 11 pharmacy domains in this network with blatantly false WHOIS. What ties all these domains and the malware together is the actual transaction domain: ebillsafe[dot]com, which as of this writing is thankfully offline. The transaction domain is where thousands, maybe even more, illicit pharmacy shop sites transfer customers once their shopping cart is full; it is where the money actually changes hands for drugs. One of the shop domains that points there is a Moniker-sponsored domain called cheapestpharma[DOT]net, which uses Moniker’s privacy protection. We made several unsuccessful attempts to get a copy of Moniker’s policy concerning illicit pharmacies from their senior staff and to get the site terminated. No policy is bad policy.

But there is good news. The main VIPMEDS shop site and transaction domains are offline, suspended by their hosts for policy violations. Some Registrars we contacted addressed the threat directly and terminated domains within the network. And nearly all of the infected networks have removed the malicious code. This means if someone is still unlucky enough to end up at one of the existing shop sites their transaction will fail. This is critical to understanding the problem: without domains to move cash through, the array of illicit sites and malware deployments is meaningless.

In Part II we will examine in detail a case that relates directly to ICANN compliance procedures.

By Garth Bruen, Internet Fraud Analyst and Policy Developer


Comments

Effective? The Famous Brett Watson  –  Sep 23, 2010 5:22 AM

And these sites, for the most part, would not exist if effective policy and procedure were implemented.

Technically, I can’t contradict this. “Effective” policy and procedure, pretty much by definition, achieves its intended results. But what will it take for policy and procedure to be effective? Should we require domain name registrants to post a large monetary bond as security against abuse? That might be effective—although its effects would certainly exceed that which is directly intended.

Not a consumer burden Garth Bruen  –  Sep 23, 2010 2:41 PM

There’s no need to increase cost on the consumer, the finger here is pointed at providers and sponsors who have the most to gain from a secure Internet and have the best ability to make that happen. There is an old adage about a snake that asks a horse to carry him across a river and promises not to bite him but then bites him anyway. The horse is confused but the snake simply says: “Didn’t you know I was a snake?”

Criminals are going to do what criminals do and they will exploit every opening. You can’t control criminal behavior but you can control access to resources.

In the list of illicit pharmacy domains involved, there was only one .INFO site and it was quickly snuffed out because the .INFO sponsor Afilias has good policy and policy enforcement. Ram Mohan, Afilias’ CTO, has frequently commented here and elsewhere about these issues; see “Three things registrars must do to enhance security” (http://www.afilias.info/blogs/ram-mohan/three-things-registrars-must-do-enhance-security).

To do this all properly we need to recognize the problem, develop policy to address the problem, develop tools to monitor compliance, and have a procedure to enforce policy.

Several of the bodies mentioned in this report HAVE policy to prevent these problems but failed to detect or enforce them. This isn’t the fault of the consumer at large.

One of the most common responses from ICANN given to me over the years is “we lack the tools to enforce this policy.” It’s been 12 years folks.

HEALTHCUBE[DOT]US offline Garth Bruen  –  Sep 24, 2010 2:40 PM

One of the main malware directed sites: HEALTHCUBE[DOT]US is now offline…still more to go

GETPILLS[DOT]US offline Garth Bruen  –  Sep 25, 2010 3:57 PM

ameritrustpharmacy[DOT]net, indiangenericspharmacy[DOT]com, cheapestpharma[DOT]net and toppharmacy[dot]org still active
