Czech Republic-based Gransy, a registrar previously identified as being in our top tier of registrars friendly to pharmaceutical-related cybercrime, has made some progress, but is still allowing a back door to online criminals engaged in the illegal sale of substandard medicines.
First things first: we appreciate the progress that Gransy has made. They’ve squelched about half of their rogue Internet pharmacy portfolio, and it’s taken them time and effort to do that. But their current refusal to take action against the remaining rogue online pharmacies in their portfolio is worth analyzing: Why is it happening? What are the arguments that the rogues are using? And how and why is Gransy being persuaded to keep the illegal online pharmacies alive?
Gransy and the Pharmatheke Black-Market Pharmaceutical Network
At issue in our recent notifications are three domain names registered with the company: farmacia-es.com, farmacia-discreto.com, and farmacia-portugal.org, which are in Spanish, Italian, and Portuguese, respectively. The sole purpose of each is to illegally sell unregistered, unsafe medicines to unsuspecting Europeans.
These online pharmacies are part of a multinational criminal network known in most law enforcement circles as Pharmatheke, which LegitScript has seen over the years as connected to one or two Middle East black-market affiliate marketing outfits. Pharmatheke chiefly targets Europe, where it sells prescription drugs that are not authorized for sale — some contain controlled substances — and that are sold without a prescription. The drugs generally come from unlicensed suppliers in China or India, and — according to our analysis over several years — are not sold by licensed pharmacies in the EU or elsewhere.
What took us aback in this case is the fervor with which Gransy insists on defending these three illegal online pharmacies, even claiming that they have “completely verified the domain (name) holder.”
In the company’s most recent reply to LegitScript’s private notification on the matter, Gransy’s Martina Volfová stated:
“We have COMPLETELY verified the domains' holder and in accordance with the ICANN RAA2013 Policy everything is OK….(w)e don't support the direct sales of the drogs (sic), nevertheless those websites are only the blogs without a direct sale, so we have no reason to block them (emphasis is theirs, from the original).”
Briefly, let’s first take a detour to deconstruct what Gransy appears to mean by “verified the domain (name’s) holder.”
A Brief Detour Into Whois Accuracy (or Inaccuracy)
ICANN rules, such as they are, require a domain name’s “Whois” record (the registration details) to be verified by a registrar as accurate. Obviously, this wasn’t the nature of our complaint: even if a Whois record is accurate, it doesn’t mean that the online pharmacy is safe. Even so, it seems doubtful that Gransy did in fact verify the Whois record as accurate. The domain names are registered to one “Martin Anthony,” purportedly of the Philippines, but the phone number doesn’t pick up (a message, when we called it twice, said “no such number”), and there’s no such physical address as the one listed in the Whois record. In fact, the sole records anywhere on the Internet for that mysterious address exist in only one place: the Whois records for the online pharmacy domain names associated with this registrant.
But, of course, we invite Gransy to publicly share exactly how they “COMPLETELY verified” this domain name holder engaged in illegal drug marketing. In the meantime, let’s return to the actual basis for our complaint — that farmacia-es.com, farmacia-discreto.com, and farmacia-portugal.org are illegal online pharmacies.
A Blog and a Commercial Website With a Blog: Two Different Things
Incredibly, Gransy’s excuse is that “those websites are only the blogs without a direct sale.”
Tsk, tsk, Gransy. If you are going to insist on helping cybercriminals, you have to find a better excuse than that. Let’s deconstruct that excuse further.
First, it’s perhaps helpful to remind Gransy about what a blog is. A website is a blog when it exists for the primary purpose of providing information, usually in a series of posts. For example, this is a blog: “Irene’s Kayaking Blog” tells us about whitewater kayaking. There is a series of entries, and the primary purpose of the website is to provide information — not sell things. (Note that a commercial website can have a blog, but that doesn’t mean that the commercial website is merely a blog.)
But here’s what farmacia-es.com and the two other websites look like — and what they are doing.
Is this a blog? Uh, no. It lists products for sale. No reasonable person would think that this domain name is being used for anything but to sell drugs. It tries to get you to buy the products. You can click through and add the products to a cart. This isn’t a blog, even if it has one on a page within the website (which isn’t much of a blog; it’s more of a SEO tactic, actually). The website calls itself “your online pharmacy in Spain” (“tu farmacia online en España”). All three domain names contain “farmacia” in the domain name. These domain names, by any common sense interpretation and by its own admission, exist for the sole purpose of marketing themselves as online pharmacies and getting people to buy drugs. Yet Gransy insists, apparently at the registrant’s behest, that the website is merely a blog.
Oh, but yes. I almost forgot. On the home page, up top, there’s the word “blog.” So, as long as an illegal drug seller puts the word “blog” on their website, according to Gransy, it must be a blog and the registrar will protect it. (Note to my readership: I have a t-shirt that says “Quarterback” so, as Gransy will likely agree, I am about to be recruited by the New England Patriots.)
How Rogue Affiliate Marketers Play Off Multiple Registrars At Once
Gransy’s second excuse appears to rely on the structure of the online pharmacies, in which farmacia-es.com takes you to farmacia-es.net, and from there to two separate websites for payment. But this is a really common set-up for illegal online pharmacies: the online pharmacy affiliate marketer lists the products at Website #1, then “add to cart” at Website #2, and then pay at Website #3 — all of which are at different registrars. This is a great set-up for the cybercriminal for a couple of reasons. First, if one of the three websites gets shut down by a registrar, the code can seamlessly be uploaded to one of the other two websites. Second, the online pharmacy operator can argue to each of the three registrars that it’s “the other two” websites that are at fault, and that the website in question is a) only a blog, b) only processing orders but not advertising the drugs, or c) only taking the payment but not really selling the drugs. Registrars like Gransy who fall for that argument are a huge help to cybercriminals.
A registrar that doesn’t fully understand the nature of an abuse complaint is one thing, but a registrar that, despite multiple rounds of evidence, insists on ignoring common sense and fervently protecting cybercriminals is another. And in these situations, LegitScript is left with little recourse but to take the conversation public.
Finally, a friendly reminder to Gransy: you are currently reading a blog within legitscript.com. That doesn’t mean that legitscript.com is a blog. We have one, but having a blog and being nothing more than a blog are two entirely different things. Whether a domain name is chiefly used to sell illegal drugs is a common sense interpretation, and if you’re going to enjoy the privilege of being an accredited registrar, don’t look for every excuse you can find to do business with cybercriminals who put people’s health and safety at risk.