Indonesian University Website Used to Redirect Internet Users to Online Pharmacy Store Website - Part 2
TOKYO (MacHouse) - As we reported about 20 hours ago, a simple spam post circulated by an organized cyber criminal group contained a number of pharmacy-related phrases such as lexapro online, zithromax online, diflucan online, zyrtec online, propecia online, cialis online. (See Screenshot 01.) A URL underlying every phrase points to the website at President University (Bekasi, Indonesia) In fact, accessing http://poss.president.ac.id/pharmacy/, one can see a whole list of spam webpages installed by the cyber scum group as folder permission is set to 755 or equivalent. (See Screenshot 02.)
 Screenshot 01 - Source: MacHouse |
 Screenshot 02 - Source: President University |
 Screenshot 03 - Source: President University |
Accessing any of the spam webpages with a web browser, one could be automatically redirected to an online pharmacy store at fastcanadianpharmacy.com. However, the website doesn’t seem to be accessible for the past 20 hours or so. That doesn’t necessarily mean the domain of fastcanadianpharmacy.com doesn’t exist. It’s still registered by an Russian individual whether or not registration is fake. And the domain points to a web server hosted in Frankfurt, Germany.
The following is a list of URL used in the spam post.
http://poss.president.ac.id/pharmacy/Lexapro-Online
http://poss.president.ac.id/pharmacy/Zithromax-Online
http://poss.president.ac.id/pharmacy/Diflucan-Online
http://poss.president.ac.id/pharmacy/Zyrtec-Online
http://poss.president.ac.id/pharmacy/Propecia-Online
http://poss.president.ac.id/pharmacy/Cialis-Online
http://poss.president.ac.id/pharmacy/Nexium-Online
http://poss.president.ac.id/pharmacy/Imitrex-Online
http://poss.president.ac.id/pharmacy/Aciphex-Online
http://poss.president.ac.id/pharmacy/Ultram-Online
http://poss.president.ac.id/pharmacy/Singulair-Online
http://poss.president.ac.id/pharmacy/Protonix-Online
http://poss.president.ac.id/pharmacy/Viagra-Online
http://poss.president.ac.id/pharmacy/Orlistat-Online
http://poss.president.ac.id/pharmacy/Lipitor-Online
http://poss.president.ac.id/pharmacy/Prozac-Online
http://poss.president.ac.id/pharmacy/Tramadol-Online
http://poss.president.ac.id/pharmacy/Allegra-Online
http://poss.president.ac.id/pharmacy/Xenical-Online
http://poss.president.ac.id/pharmacy/Levitra-Online
http://poss.president.ac.id/pharmacy/Zantac-Online
http://poss.president.ac.id/pharmacy/Effexor-Online
http://poss.president.ac.id/pharmacy/Wellbutrin-Online
http://poss.president.ac.id/pharmacy/Zoloft-Online
http://poss.president.ac.id/pharmacy/Paxil-Online
http://poss.president.ac.id/pharmacy/Valtrex-Online
http://poss.president.ac.id/pharmacy/Prilosec-Online
http://poss.president.ac.id/pharmacy/Lamisil-Online
http://poss.president.ac.id/pharmacy/Flomax-Online
http://poss.president.ac.id/pharmacy/Zovirax-Online
And Screenshot 04 shows one of the HTML webpages installed at http://poss.president.ac.id/pharmacy/. It appears that Javascript is used to redirect Internet users at arrival to fastcanadianpharmacy.com.
 Screenshot 04 - Source: MacHouse |
 Screenshot 05 - Source: MacHouse |
 Screenshot 06 - Source: MacHouse |
Okay. Let’s find out quickly where sponsor’s website is hosted. There are two nameservers that the domain of fastcanadianpharmacy.com points to. They are ns1. fastcanadianpharmacy.com and ns2.fastcanadianpharmacy.com. (See Screenshot 06.) Apple’s Network Utility automatically traces these nameservers both to the IP address of 89.149.228.102. According to RIPE, this IP address is assigned to a German organization called netdirekt (netdirekt.de). (See Screenshot 07.) It’s a disgraced web hosting company behind many malicious websites. (Screenshot 08 shows the gate page of netdirekt’s website.)
 Screenshot 07 - Source: MacHouse |
 Screenshot 08 - Source: netdirekt |
 Screenshot 09 - Source: Whois.net |
Let’s take a look at the WhoIs registration of fastcanadianpharmacy.com. It’s registered by
Anton Nikiforov
Smolnaya str. d.21 kv.360
Moscow
Russia
(See Screenshot 09.) Of course, there is no guarantee that this registration is genuine. There is no criminal time for anybody in any country for inaccurate registration information.
Related stories:
********** ********** ********** ********** ********** ********** ********** **********
MacHouse is not funded by tax payers' money. We have limited resources. We also need time to sleep and eat just as others. So we will not act as the International police to contact all victims of website abuse. All you have to do is to subscribe to spam messages and spam posts. If we can, why don't you?
Leave a Reply
You are prohibited from posting comments merely to advertise your website. Please read Rules and About This Blog at the top menu bar for more information.
Because of spam-comment criminals, we are forced to manually moderate every comment that you may post. Your comment will appear only after we review and then approve it. It will take us several hours at most to review it.
Please note that all one-sentence comments will be automatically rejected as an anti-spam measure.