March 12, 2012

Half of all “rogue” online pharmacies — sites that sell prescription drugs without requiring a prescription — got their Web site names from just two domain name registrars, a study released today found. The findings illustrate the challenges facing Internet policymakers in an industry that is largely self-regulated and rewards companies who market their services as safe havens for shadowy businesses.

Source: LegitScript

There are about 450 accredited domain name registrars worldwide, but at least one-third of all active rogue pharmacy sites are registered at Internet.bs, a relatively small registrar that purports to operate out of the Bahamas and aggressively markets itself as an “offshore” registrar. That’s according to LegitScript, a verification and monitoring service for online pharmacies.

LegitScript President John Horton said the company began to suspect that Internet.bs was courting the rogue pharmacy business when it became clear that the registrar has only two-tenths of one percent of the market share for new Web site name registrations. In a report (PDF) being released today, LegitScript said that a separate analysis of more than 9,000 “not recommended” pharmacies compiled by the National Association of Boards of Pharmacy suggested that Internet.bs is sponsoring nearly 44 percent of the Internet’s dodgy pill shops.

Asked whether he was concerned about allegations that his firm was targeting an industry that seeks out registrars who turn a blind eye to questionable businesses, Internet.bs President Marco Rinaudo replied that, on the contrary, LegitScript’s report was bound to be “excellent advertising for our company.”

Reached via phone at his home in Panama, Rinaudo said he was under no obligation to police whether his customers’ business may be in violation of some other nation’s laws, absent clear and convincing evidence that his registrants were operating illegally from their own country.

“Even though I understand they could bother some pharmacy lobby, if an industry likes us, what’s the problem with an online pharmacy, as long as they are operating legally from their own country?” Rinaudo asked. “We cannot accept pressure to shut down a legitimate business just because it is not pleasing to some political lobbying group. We and I personally make sure that all the domains that are in breach of an applicable law and for which we receive a complete report, will be acted on the same day.”

LegitScript’s Horton said his organization conducted a series of undercover operations in which they posed as pharmacy affiliate programs that were seeking registration for domains representing pharmacies that had previously been shut down by U.S. regulators for marketing addictive and controlled substances, such as Oxycodone, Phentermine and Vicodin.

According to LegitScript, Internet.bs replied that it had “never ever shut down a pharmacy domain based on a request coming from outside our jurisdiction and we have never ever received a request coming from inside our jurisdiction to do so.”

Responding to an email from LegitScript’s investigators, Internet.bs’s Helen Templeton wrote that the company routinely ignores such requests. “As a matter of fact we have ignored LegitScript requests because we consider that something that is illegal under the laws of the USA, is not necessarily illegal outside the USA and unless it is demonstrated that your websites are illegal from where you are conducting business, we do not interfere with your business. We are the registrar of many thousands of pharmacy domains and we fight for you all to protect your interest as if you are happy, we are happy!”

Horton said that if ICANN, the entity that oversees the domain registration industry, does not step up to firmly deal with cybercrime-friendly registrars in their midst, it is inevitable that government authorities will seek to do so.

“If jurisdictional constraints make that difficult, governments will inexorably seek expanded authority and new tools,” he said. “If the Internet community hopes to prevent that, it must insist that ICANN enforce its existing code of conduct against registrars, like Internet.bs, who willingly serve as platforms for cybercrime.”

For his part, Rinaudo said that if someone presents him with evidence that his registrants are violating the laws in their own countries, he will gladly confront the customers and suspend the domains if necessary. But he said the terms of his registrar agreement preclude him from canceling customer domains without a court order.

“I have no grounds to stop some pharmacy site from operating without breaching the ICANN registrar agreement,” Rinaudo said. “ICANN is telling me, ‘Marco, you can suspend a domain only if you receive an order from a competent court or if you have a UDRP decision.’ We don’t care about FDA regulators, pharmacy regulators, food regulators or whoever. We have to organize our business to support our clients, including pharmacies and those subject to unjustified pressure. We’re not going to close these businesses or change our policy.”

The other registrar named in the LegitScript report as rogue was ABSystems (doing business as yournamemonkey.com). According to the report, ABSystems “appears to exist for the sole purpose of providing domain name registrations for a rogue Internet pharmacy network.” The company’s domain registration system is not open to the public, and several antivirus companies currently block users from visiting the site.

Anti-spam and registrar watchdog Knujon (“nojunk” spelled backwards) also released a report (PDF) on rogue Internet pharmacies today, calling attention to Internet.bs, AB Systems and a host of other registrars with large volumes of pharma sites.

The reports are being released as ICANN is set to kick off a public meeting in Costa Rica this week. ICANN did not respond to requests for comment.

Garth Bruen, Knujon’s co-founder, said ICANN has fairly limited options for dealing with registrars that cater to rogue pharmacies. Bruen said that in most cases in which ICANN has suspended or terminated a registrar’s contract, it is because the registrar failed to provide open access to WHOIS registration data, or failed to take steps to verify the legitimacy of that data.

Such enforcement actions sometimes do impact registrars that specialize in catering to rogue online pharmacies. On Feb. 16, 2012, ICANN announced (PDF) it was suspending the charter for Alantron, a registrar that has a history of association with pill and spam gangs.

In 2010, KrebsOnSecurity.com was viciously attacked by an organized cyber crime gang known for aggressively pushing male enhancement drugs and other knockoff pharmaceuticals. In that attack, Internet addresses belonging to Microsoft had been used to route traffic to more than 1,000 fraudulent pharmacy Web sites maintained by a notorious group of Russian criminals responsible for promoting Canadian Health&Care Mall pill sites. A follow-up investigation found that all of those pharma domains were being controlled using DNS services from Alantron.

ICANN suspended Alantron’s charter not because it was friendly with pharmacy spammers, but because it had repeatedly failed to provide public access to its WHOIS registration records.


25 thoughts on “Half of All ‘Rogue’ Pharmacies at Two Registrars”

  1. Matt Leidholm

    Is that Tucows I see on the graph? Wasn’t Tucows a free download repository (a la Download.com) back in the day? When did they become a sleazy Domain registrar?

    1. Ken Schafer - Tucows

      Tucows is the third largest registrar in the world and has been an active advocate for registrant rights since our accreditation in 1999.

      It would be interesting to see this same data parsed differently, for example, “what percentage of total domains under management do “Rogue Pharmacies” represent at various registrars?”

      I think that chart might look very different.

      In this case we’re looking at 9,000 domains. The report claims domains registered through Tucows represent less than 2% of that or about 180 domains. Out of 9 million. So .002% of domains managed through us are at issue here.

      None of this diminishes the need for our compliance team to work diligently with the community to reduce the number of questionable domains, but I felt a little context was in order.

      Cheers,

      Ken Schafer
      EVP Products
      Tucows.

      1. BrianKrebs Post author

        Hi Ken. Thanks for your comment. If you haven’t looked at the whole report, you may want to check it out. I believe there is a graphic in it that breaks things down the way you describe, in terms of percentage per market share.

        1. Ken Schafer - Tucows

          Good point Brian, the “Disparity” data does pretty much what I was asking.

          There is a fine balance between registrant rights and the efforts of the community to deal with bad actors. We work to find a balance and tend to err on the side of the registrant when there is doubt.

  2. I See What You Did There

    “but at least one-third of all active rogue pharmacy sites are registered at Internet.bs”

    Amusingly relevant TLD there.

    1. JimV

      It certainly provided me with a very hearty belly-laugh when I saw it — I would have thought ICANN (or whoever) in designating the country’s domain code would have realized its prospective humor to many Americans (and others) before finalizing the list….

  3. Silemess

    I imagine Mr. Horton is very careful to dot his i’s and cross his t’s with his ICANN paperwork. That said, I imagine he’s not exactly careful to make sure that the WHOIS information is valid, merely that it’s available.

    I’d understand his desire to obey the law in the name of internet freedom. But he obviously knows he’s dealing with peddlers of dubious goods and means, and that he’s doing it for the money not any redeeming value. Makes me rather wonder what his professional history might be.

    1. Rider

      Yeah I think I trust the big pharma lobby group less than I trust a sleazy offshore registrar.

  4. Mike

    Krebs touched on these points (but curiously failed to expand on them as they were counter to his argument), but for the sake of clarity and objectivity, I’ll put them bluntly. There are three separate issues with involving registrars in battling a perceived evil on the internet:

    1. The registrars aren’t police/investigators/juries/judges. They are neither trained nor paid to conduct investigations into businesses that register a domain with them. Apparently some organisation called ‘LegitScript’ (which I’ve never heard of before) are the final arbiter in what’s rogue and what’s not in the pharmacy industry, but if I’m a registrar, am I expected to keep and regularly update a list of the ‘final arbiters’ of *all* industries and hope that those organisations conduct full and proper investigations, are accountable, transparent, with full oversight and have grievance procedures in place? This significantly goes beyond the remit of what a Registrar is expected to do.

    2. Whether the registrar personally agrees with the customer’s site contents or not is irrelevant. They may choose to discontinue business with the customer based on a fear of their business reputation, however given that a boycott of a domain registrar would be extremely ineffective (as I doubt you’d get much buy-in for rogue pharmacy consumer activism), this point is moot. You can only *hope* that they would act on moral grounds. Thankfully, most registrars already do this if given evidence of malware and/or phishing, however the issue of ‘rogue’ pharmacies is far more morally ambiguous.

    3. Most importantly of all is jurisdiction. Americans seem to have a hard time understanding that American law isn’t applicable outside American borders. This is so obvious to the rest of the world that I feel like an idiot even having to say it. For some hilarious examples, take a look at the long history of legal threats to The Pirate Bay (such as using the USA-only DMCA laws), posted on their website.

    As an exercise, whenever you say ‘illegal’, qualify what jurisdiction it’s illegal in. If the ‘perpetrator’ of this ‘crime’ doesn’t live or run a business inside that jurisdiction, then immediately stop talking, as you’re going to come across as naive at best.

    Given that many operators of these rogue pharmacy websites operate out of eastern Europe, south-east Asia or south America, there’s a very good probability that these people aren’t criminals, as the jurisdiction they’re operating out of is not as heavily regulated and they might not be committing a crime in their jurisdiction.

    Let’s try and maintain a sense of objectivity here.

    1. AlphaCentauri

      Once they’re hosting their sites and nameservers on hacked computers in the US, they’re violating US laws.

      1. Mike

        Do you have statistics or evidence that this occurs frequently?

        Malware yes, phishing yes, but why would you bother with pharma, when there are a number of jurisdictions where you can operate with impunity?

        1. BrianKrebs Post author

          Don’t know about statistics, but from reading months of chats between the guys who ran the Spamit pharmacy affiliate program it was clear that they were hosting sites on bots. This is a fairly common practice, and it’s called simply “bothosting.”

        2. AlphaCentauri

          “Do you have statistics or evidence that this occurs frequently?”

          It varies. Currently I am mostly seeing websites being hacked to insert a page redirecting traffic from the spammed URL to the target pharma site, though I’m not seeing much pharma spam at all this week. It’s definitely illegal trespassing on other people’s servers, but not so blatant as running the entire pharma website on a hacked server.

          In the past I’ve run into large numbers of pharma websites on hacked servers. The Eva Pharmacy sites (previously Bulker.biz) tend to hack large Unix servers, such as the ones I mentioned in a previous post:
          http://krebsonsecurity.com/2010/02/rootkit-may-be-culprit-in-recent-windows-crashes/comment-page-1/#comment-2041
          (I believe the “Canadian Health&Care Mall” site Brian mentions above was one of those, too.)

          “Discount Pharmacy” was previously hosted on hijacked Windows servers:
          http://spamtrackers.eu/wiki/index.php/Discount_Pharmacy#Server_Hijacks

          Spamit (“Canadian Pharmacy”) at one point used fast-flux botnets for a while, a large percentage of which were cable customers in the US.
          http://spamtrackers.eu/wiki/index.php/Canadian_Pharmacy#Hijacked_Hosting_Infrastructure

          Botnet hosting is less popular now, perhaps in part because it is so much easier to convince registrars that these domains are criminal enterprises (and not simply pharmacies following the laws of another jurisdiction) when you can point to the university or government agency or elementary school whose computer is hosting them.

    1. BrianKrebs Post author

      I asked John Horton this several times. He said the domains they registered in their undercover operation were not counted toward their assessment that Internet.bs had one-third of the rogue pharma domains. They didn’t count the ones they registered.

  5. Neej

    Couldn’t agree more with Mike’s post above.

    In fact to me it seems somewhat idiotic that on the one hand there’s so much talk from US policymakers and commentators along the lines of (paraphrasing obviously) “the internet should be a free exchange of information without interference from governments or otherwise” and then despite this anytime something is morally or legally objectionable to a US interest merry hell is kicked up.

    It’s a big world – behaviour considered unacceptable in the US and countries close to the US in terms of world view etc such as my own place of residence Australia isn’t unacceptable elsewhere.

    Deal with the reality outlined above or stop harping on about the importance of “internet freedoms” because doing so just seems idiotic and hypocritical.

    1. AlphaCentauri

      I would not conflate pharmacies that are operating legally in a different jurisdiction with websites that are scams that just happen to be pretending to be pharmacies instead of pretending to be work at home schemes. It isn’t legal for Americans to order from pharmacies in Cyprus or India, but if they are upfront about where they are and who they are, at least the customers know what risks they are taking.

      Many of the pharmacies we’re talking about change domain names every few days (no need to worry about repeat business), use fake registration information (no private domain registration), pay for their registration with stolen credit/debit cards, host on hacked servers, spam from trojan infested computers, have false information on their websites claiming to be run by physicians or pharmacists or to have a physical location in Canada or New Zealand, etc. Prices are often higher than what it costs to buy similar generics in the US. If they can only make money if their customers are deceived, it’s an indefensible business model.

      1. Mike

        Perhaps we need a change in nomenclature then.

        If we’re talking about those sort of sites you describe, then grouping them by what products or services they’re supposedly selling is more or less irrelevant. It’s quite simply just labelled a scam.

        When I hear the term ‘rogue pharmacy’, I think semi-legitimate pharmacy that is selling products that would otherwise be illegal in various jurisdictions (ie. scheduled drugs or medicines needing a prescription)

        If they’re not actually selling and shipping pharmaceutical products, then I wouldn’t think that they’re a rogue pharmacy any more than a 419 scammer is a rogue bank clerk from Ghana. A scam is a scam, whereas the term rogue lends itself to the idea that it once was, or is operating to a degree in a lawful fashion.

        1. AlphaCentauri

          LegitScript has two levels, “rogue” and “unapproved.” Their definitions are a little different from what you are proposing.

          You might consider a site okay as long as they actually ship product, even if the site is run by affiliates who know absolutely nothing about medications, who don’t require physician prescriptions, and who don’t know what manufacturer is producing the product in what company or what kind of quality control they have. Or you might consider it okay if the company running it is located in a country like Canada with effective drug quality controls, but which simply has the drugs shipped from a third country without ever entering Canada. Those sorts of schemes would be rated as “rogue” by LegitScript.

          It’s not simply black and white. For instance, many of the generic drugs available in the US legitimately are produced by high quality manufacturers in India, so that might be seen as a safe place from which to order drugs, but there are also a lot of adulterated medications still being sold in India, too.

  6. jennyspider

    I would like to thank you for the efforts you have made in providing such great information about Blog Posting. I am hoping the same best work from you in the future as well…..

  7. JOe

    Maybe because Internet.bs is the best registrar that supports alternative payment methods, which cybercriminals tend to use more often?
