News & Updates

The Latest on Internet Pharmacies, Supplements, Designer Drugs,
and Other High-Risk Merchants

Holy Protein Shakes! (Part II) How rogue domain name resellers, fake merchants and high-risk acquirers collaborate

Our most recent post showed how rogue Internet pharmacies like sleepingtablets-online.com use seemingly innocuous websites like buy-protein-shakes-online.com to process customer payments. Our blog concluded by identifying name server rockhamptonserver.com as an “anchor” website apparently dedicated to the illicit activity, and noted that the payment processing pages, immepay.com and fashionpay.com, appear to be registered in China.

An important connection exists with Underhost, a supposedly “offshore” hosting solution that is the domain name registrant for rockhamptonserver.com, which appears to exist for only one reason: to be a name server for buy-protein-shakes-online.com, sleepingtablets-online.com, and sleepingpills-online.com. The company also is the registrant for buy-protein-shakes-online.com. (Question of the day: if you are a legitimate online pharmacy, why do you need to host your content offshore?) We’ve tangled with Underhost before, and were left with the distinct impression that they are not only a content hosting company and domain name reseller, but also run rogue Internet pharmacies themselves — history that warrants asking whether Underhost is merely the domain name reseller for buy-protein-shakes-online.com and rockhamptonserver.com, or is more integrally involved in the rogue Internet pharmacy operation.

Consider this email from abuse[at]underhost.com, regarding two rogue Internet pharmacies, kamagra-supermarket.com and alliancepharma.eu, both of which LegitScript notified the registrar about because of their involvement in illegal online pharmacy operations (and which were subsequently shut down by the registrar). In its email to our abuse department, Underhost referred to those online pharmacy websites not as if they belonged to a client but to Underhost itself, complaining that we were “stealing” their domain names.

Putting aside Underhost’s nonsensical comments, including about us being “based on the USA” (we don’t possess those domain names, and operate globally in multiple countries, applying applicable laws and regulations, not just those of the US), what’s interesting is Underhost’s apparent claim to those two rogue Internet pharmacies on their own behalf — not a customer’s. (One typically thinks of an ISP’s “abuse” email being used to help stamp out abusive behavior, not perpetuate it.) What’s troubling about this, of course, is that kamagra-supermarket.com, the now-suspended rogue Internet pharmacy, is registered directly to Underhost, but with what would initially seem to be a “privacy protected” email for domain name registration, privacy[at]underhost.ca, which may lead anyone curious about who operates the rogue Internet pharmacy to assume that Underhost is merely playing the role of content hosting provider or domain name reseller, when in fact their email implies that they operate the rogue Internet pharmacies directly. Note, too, that the Start of Authority record for sleepingtablets-online.com, sleepingpills-online.com, buy-protein-shakes-online.com, and rockhamptonserver.com is none other than underhost.mail[at]gmail.com.
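The Start of Authority comparison described above can be automated. The sketch below is an added example, not LegitScript's tooling: it parses dig-style SOA answers, decodes the RNAME contact field (including the escaped dot used when the mailbox name itself contains a dot), and groups domains that share both a primary name server and a contact address. All records are constructed samples under the reserved .example TLD, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in `dig +noall +answer SOA` layout.
# Every name uses the reserved .example TLD; none are real records.
SAMPLE_SOA = r"""
shop-a.example.    3600 IN SOA ns1.anchor.example. ops\.mail.mailhost.example. 2013121601 7200 3600 1209600 3600
shop-b.example.    3600 IN SOA ns1.anchor.example. ops\.mail.mailhost.example. 2013121502 7200 3600 1209600 3600
anchor.example.    3600 IN SOA ns1.anchor.example. ops\.mail.mailhost.example. 2013120101 7200 3600 1209600 3600
unrelated.example. 3600 IN SOA ns1.bighost.example. hostmaster.bighost.example. 2013110101 7200 3600 1209600 3600
"""

def rname_to_email(rname):
    """Convert an SOA RNAME to an email address (RFC 1035 encoding).

    The first unescaped dot separates the mailbox name from the domain;
    dots inside the mailbox name are written as a backslash-escaped dot.
    """
    parts = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    if len(parts) != 2:
        raise ValueError("RNAME has no domain part: %r" % rname)
    local, domain = parts
    return local.replace("\\.", ".") + "@" + domain.lower()

def parse_soa(text):
    """Yield (owner, primary name server, contact email) per SOA line."""
    for line in text.splitlines():
        f = line.split()
        # Fields: owner, TTL, class, type, MNAME, RNAME, serial, timers...
        if len(f) >= 7 and f[2].upper() == "IN" and f[3].upper() == "SOA":
            yield (f[0].rstrip(".").lower(), f[4].rstrip(".").lower(),
                   rname_to_email(f[5]))

def shared_infrastructure(text, min_size=2):
    """Return clusters of domains sharing both MNAME and SOA contact."""
    groups = defaultdict(set)
    for owner, mname, contact in parse_soa(text):
        groups[(mname, contact)].add(owner)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}

if __name__ == "__main__":
    for (mname, contact), domains in shared_infrastructure(SAMPLE_SOA).items():
        print(mname, contact, domains)
```

A shared SOA contact on its own is weak evidence when the address belongs to a large hosting provider; it becomes meaningful when, as in this post, it coincides with a shared dedicated name server and registrant.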

Underhost, despite announcing itself as “offshore,” appears to be operated by one Michael Vincent, whose LinkedIn profile and domain name registration details indicate that he is in Canada (apparently Quebec). It’s unclear whether Underhost is a one-person operation or a larger shop, but in either case, Mr. Vincent may wish to clarify the nature of his company’s relationship with websites engaged in illegal pharmaceutical sales.

And what of the payment processors, immepay.com and fashionpay.com? The patterns there are different, with the domain name registrants, geolocation and registrars located in China. Immepay has less of an Internet footprint, but FashionPay also appears to go by the name “Shenzen SuHuiTong Network Techonology Co., Ltd.” or “SU HUI TONG PAY” and advertises itself as an international credit card online payment channel. The company’s home page boasts of a close relationship with multiple Chinese banks, “such as Industrial and Commercial Bank of China, Agricultural Bank of China, Bank of China, China Construction Bank, and China Merchants Bank.” If those are, in fact, the acquiring banks for Su Hui Tong Pay, it at least hints at a failure of these banks to perform due diligence as to the companies offering merchant processing services on their behalf. It is also entirely reasonable to ask if Su Hui Tong Pay is complicit in the concealment scheme employed by the rogue Internet pharmacy merchant via the phony protein shakes website.

This is the tangled web of obfuscation woven by rogue Internet pharmacy operators, and an example in which the lines between rogue Internet pharmacy and service provider are blurred or even erased: a content hosting provider (Underhost) doubling as its own domain name reseller, and seemingly operating its own online pharmacies simultaneously, while concealing the financial transactions through a fake protein shake website, in partnership with a Chinese payment-processing company boasting of close ties to major Chinese banks.