
Amid Controversy, Outed Steroid Sites Still Online

Anti-fraud groups, US Internet registrars at odds over takedown of 'roid sites

Remember those Websites sponsored by U.S. Internet domain registrars that were recently exposed for illegally selling steroids? These sites are still pushing the drugs online, according to the anti-fraud watchdog groups that first discovered them. (See Hundreds of Websites Outed for Illegally Selling Steroids.)

The domain registrars hosting these sites, as well as the Internet Corporation for Assigned Names and Numbers (ICANN), say their hands are tied when it comes to shutting down the steroid-selling sites, which KnujOn and LegitScript.com outed and reported to the registrars and ICANN last month.

But KnujOn and LegitScript argue that shutting down these sites should be a no-brainer.

"In the vast majority of Websites we identified, it was plain that [they] were offering these drugs, and doing so in a way that violates U.S. federal law. Frankly, one doesn't have to be an expert to see what these Websites are doing," says John Horton, president of LegitScript.

“We also received -- and in some cases, presented to the registrars -- information from the Website operator with information about the drugs (including photos) and instructions for payment,” Horton says. “We think that these sites are fairly straightforward to identify in many cases, and the remedy -- termination -- is equally clear.”

At least one of the registrars named in the report, GoDaddy/Wild West, sees it differently. “Each of the sites in the report have been investigated by our 24x7 abuse department and do not appear to be violating our terms of service. We hope in the future, through reform from Congress, we can easily identify rogue vendors selling drugs illegally,” says a GoDaddy spokesperson.

“This report confirms what we knew all along -- there needs to be reform when it comes to Internet pharmacies,” the spokesperson said. He added that Go Daddy suspended 1,300 Websites last year that were selling drugs without a prescription, and typically without verifying the age of the buyer.

ICANN, meanwhile, says regulating pharmaceutical sales over the Internet is outside its purview. “ICANN can only take action if there are any issues of registrar compliance with the Registrar Accreditation Agreement. If laws are being broken, that should be brought to the attention of law enforcement agencies,” an ICANN spokesman said in a statement.

Garth Bruen, creator of KnujOn, says that if ICANN won’t expand its role to help shutter these illicit sites -- which KnujOn and LegitScript now count at 156 selling Schedule III substances -- the security industry itself may instead take action of its own.

Some Internet security companies, which he wouldn’t name, are considering blocking the steroid sites themselves in their own Web and email content-filtering products. “They say ‘we’re tired of trying to get a single IP shut down,’ so they are [looking at] shutting off a whole IP range from certain providers -- that’s how bad it’s gotten.”

Bruen says that KnujOn has found that the over 500 U.S.-based registrars are really controlled by a smaller number of companies, somewhere around 150. And some of them are run by spammers or other bad guys who want control of their domains to keep their illicit sites up and running.

“We’re going into a phase in Internet crime where we’ve moved away from small spam operations... to a situation where [these groups] have enough money to be their own [domain] providers,” he says. It’s much more difficult to shutter a rogue domain registrar than a bad site, he says.

He says he was shocked that all of the registrars named in KnujOn’s report -- Abacus America Inc., DSTR Acquisition VII LLC, Dynadot.com, Everyones Internet, Ltd., dba resellone.net, eNom, Inc., EstDomains, Inc, GoDaddy/Wild West, and Parava Networks, Inc., dba 10-Domains.com -- have left the steroid-selling sites intact.

“I thought at least some of them would be cooperative, but none of them are. It’s very troubling,” says Bruen, who says he’s even been pressured by some registrars to “back off” and drop the issue.

Meanwhile, Go Daddy maintains that Internet providers need legislation to help them distinguish between legitimate and illegitimate pharmacies online. The company’s General Counsel testified before Congress recently in support of Senate and House bills advocating consumer protection in online drug purchases.

While the steroid sites cited in the KnujOn/LegitScript report were mostly selling the real deal, including anabolic steroids, testosterone, and other controlled substances, fake drugs are becoming an even bigger problem on the Net. “We’re going to do a much larger report on fake pharmacies – we’re going to go into detail on all the registrars hosting fake pharmacies, where the source drugs are coming from,” Bruen says.

Why doesn’t the Federal Drug Administration take action against these phony online pharmacies? Bruen says the main obstacles to FDA intervention are that online pharmaceutical regulation takes place at the state level, and that brand owners whose drugs are being counterfeited traditionally haven’t taken steps to protect their brand -- although that is gradually changing, he says.

A recent report from IronPort, Cisco’s email security unit, revealed a link between the Storm botnet and other malware creators and illegal pharma suppliers that recruit the botnets to spam users with Viagra and other drugs as a way to steer buyers to their sites. (See Researchers Link Storm Botnet to Illegal Pharmaceutical Sales.)

Pat Peterson, vice president of technology at IronPort, says he’s not surprised that ICANN or the registrars cited in the KnujOn report hadn’t taken action against the steroid sites. He says the legitimate registrars may be a bit gun-shy about taking down one of their hosted sites because they don’t have sufficient legal backing to do so. “Legislation with teeth is desperately needed in this case,” he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
