Individuals who normally promote unlicensed, fly-by-night Internet pharmacies recently registered hundreds of hardcore porn and bestiality Web sites using contact information for the founder of a company that has helped to shutter more than 10,000 of these Internet pill mills over the past year, KrebsOnSecurity.com has learned.
The reputation attack is the latest sortie in an increasingly high-profile and high-stakes battle among spammers, online pill purveyors and those trying to shed light on their activities. Around the same time that these fake domains were registered, KrebsOnSecurity.com came under a sustained denial of service attack that traced back to Russian pill gangs.
In the third week of September, hundreds of domains were registered using the name, phone number and former business address of John Horton, founder of LegitScript, an Internet pharmacy verification service. The domains, many containing the word “adult,” all redirect to a handful of porn and bestiality sites (a partial list is available here, but please tread lightly with these sites because they are definitely not safe for work and may not be safe for your PC).
The sites were registered just days after LegitScript finalized a deal with eNom Inc., the world’s 5th-largest domain name registrar. At the time of that agreement, roughly 40 percent of the unlicensed online pharmacies selling drugs without requiring a prescription were registered through eNom, according to Horton.
Reached via phone with the news, Horton was annoyed but not surprised, saying the action was almost certainly in retaliation for the eNom deal. He said he’s even received death threats lately in apparent response to the move.
“The bottom line is, rogue pharma types need a ‘safe haven’ for domain name registrations,” Horton said. “There are fewer and fewer of those left, and we’re playing a role in that.”
There are a number of clues leading from the farm sex domains registered in Horton’s name back to the usual pill gangs. For one thing, many of the sites advertise monthly porn subscriptions alongside ads for Pharmacy Express (a.k.a. Yambo Financials) brand rogue pharmacy Web sites (in the sanitized screen shot to the right, the red boxes contained graphic images).
A big chunk of the domains were set up through a registrar simply called “Maxine,” which lists in its contact information a non-working number. But that number, “+718.5998172”, is the same one used to register countless pill sites pushing rogue pharmacies, such as anomedic.com.
All told, nearly 2,000 Web sites were either registered in Horton’s name or were existing porn domains that had their WHOIS records updated to include Horton’s data, according to Ronald Guilmette, the security researcher who discovered the cache of bogus registrations.
This kind of reputation attack is typical behavior when organized crime groups sense that their turf is being threatened. Such tricks are reminiscent of the assaults against CastleCops, a once potent anti-scam community that came under a variety of reputation attacks, including DDoS sieges and thousands of dollars in bogus PayPal donations that used stolen credit cards and hijacked PayPal accounts.
I sought comment from Directi, ELB Group (the parent of the “Maxine” domain reseller mentioned above) and UK2 Group, all registrars whose services were abused to register these domains. I have yet to receive a response from any of them. However, since then, many — if not all — of the domains registered through UK2 appear to have been suspended, although Horton’s name remains in the current WHOIS records for those domains.
For his part, Horton said he plans to do what it takes to get the fraudulent domains suspended and scrubbed, and to find out who is responsible — even if it means filing a lawsuit against a registrar.
“I’m very serious about suing,” said Horton, a former prosecutor and associate deputy director at the White House’s Office of National Drug Control Policy (ONDCP). “We can’t let this kind of thing go unanswered.”