Ah, those pesky rogue protein shake merchants … at it once again!
Rogue Internet pharmacy operators go to great lengths to conceal their activities from search engine advertising programs, domain name registrars, and even the banks they do business with. One common tactic: pretending that they are only selling shoes, cowbells or, in this case, protein shakes — anything other than prescription drugs — in order to forge a relationship with a bank, enabling them to get paid by the methods most convenient for customers.
The website sleepingpills-online.com sells a multitude of prescription-only medicines without requiring a prescription, earning it a rogue designation in LegitScript's database. The drugs are also imported from … well, it's anyone's guess, but the drugs are unregulated (as opposed to being FDA-approved for the US, or approved by drug safety authorities in other countries), and as such, it's not possible that the merchant is licensed as a pharmacy where it offers to ship drugs. So, it's a triple-strike: no prescription required, unregulated sleeping pills, and the lack of valid pharmacy licensure, a business model that tends to lead to inconveniences like, oh, the death of one's customers.
What's their secret? As shown in the video below, purchasing a drug on the rogue Internet pharmacy website redirects the user to buy-protein-shakes-online.com — a website that, if you visit its home page directly, provides no indication of anything illicit (and, indeed, appears to be selling only protein shakes).
Customers who start out at sleepingpills-online.com find themselves at buy-protein-shakes-online.com upon starting a purchase and are ultimately directed to the website of a payment-processing company, security.immepay.com. Those who actually arrived at buy-protein-shakes-online.com to buy protein shakes (that is, starting from the home page of that website, not being redirected there from sleepingpills-online.com) end up at a different payment website: payment.fashionpay.com. The design of both payment-processing websites is nearly identical, and both domain names, immepay.com and fashionpay.com, are registered to individuals or companies claiming to be in China.
The two merchant websites, sleepingpills-online.com and buy-protein-shakes-online.com, can be inferred to have a connection for other reasons: their use of nearly adjacent IP addresses. The former hosts content on 220.127.116.11, along with its name server, rockhamptonserver.com, while buy-protein-shakes-online.com hosts content on 18.104.22.168, just two IP addresses away. Smack dab in the middle, at 22.214.171.124, is sleepingtablets-online.com, which — you guessed it — exhibits the same behavior as sleepingpills-online.com, directing would-be customers seeking to acquire prescription drugs without a prescription to the protein shakes website.
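The adjacency check described above can be run over a list of resolved hostnames. This is an added example, not LegitScript's own tooling: the function name, the `max_gap` threshold, and the IP addresses (documentation ranges standing in for real hosting) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict


def cluster_by_adjacency(resolved, max_gap=2):
    """Group hostnames whose IPv4 addresses sit within max_gap of a neighbour.

    resolved: dict of hostname -> IPv4 string (e.g. from DNS lookups).
    Addresses are chained: A and C land in one cluster if B lies between them
    and each step is <= max_gap. Only clusters with 2+ hostnames are returned.
    """
    by_ip = defaultdict(list)
    for host, addr in resolved.items():
        by_ip[int(ipaddress.IPv4Address(addr))].append(host)

    clusters, current, prev = [], [], None
    for ip in sorted(by_ip):
        # A jump larger than max_gap closes the current run of neighbours.
        if prev is not None and ip - prev > max_gap:
            clusters.append(current)
            current = []
        current.extend(by_ip[ip])
        prev = ip
    if current:
        clusters.append(current)
    return [sorted(c) for c in clusters if len(c) > 1]


# Constructed sample: hostnames from the post, IPs invented for illustration,
# plus two hypothetical unrelated hosts that should not be grouped.
SAMPLE = {
    "sleepingpills-online.com": "203.0.113.10",
    "rockhamptonserver.com": "203.0.113.10",      # name server on the same IP
    "sleepingtablets-online.com": "203.0.113.11",  # in the middle
    "buy-protein-shakes-online.com": "203.0.113.12",
    "unrelated-shop.example": "203.0.113.200",
    "other-site.example": "198.51.100.7",
}

if __name__ == "__main__":
    for cluster in cluster_by_adjacency(SAMPLE):
        print(cluster)
```

Adjacent addresses at a hosting provider are a lead to corroborate with other evidence, such as the shared redirect behavior and WHOIS patterns discussed here, not proof of common ownership by themselves.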
A bulk check of the domain name registration (WHOIS) records at whibse.com shows that each of the domain names referenced above, including the "anchor" website, rockhamptonserver.com, is privacy-protected. This is not surprising: criminals don't typically hang out a shingle. (While there are legitimate reasons for individuals to utilize privacy-protection services for domain name registration, there is no conceivable reason for an online pharmacy to hide who is really operating it. No legitimate reason, anyway.) The domain names for the online pharmacy, the protein shakes website, and the name server are mostly registered with Tucows, currently the largest registrar (and one of the few remaining) declining to take action on rogue Internet pharmacy notifications. The content is mostly hosted in Russia. Meanwhile, the financial websites, immepay.com and fashionpay.com, have WHOIS details pointing to China.
So who's behind this? Stay tuned for Part II, in our next blog, which discusses the role that a Canadian ISP plays in the rogue Internet pharmacy world, and identifies the Chinese payment processor involved in the scheme.