Amid Controversy, Outed Steroid Sites Still Online

Anti-fraud groups, US Internet registrars at odds over takedown of 'roid sites

Remember those Websites sponsored by U.S. Internet domain registrars that were recently exposed for illegally selling steroids? These sites are still pushing the drugs online, according to the anti-fraud watchdog groups that first discovered them. (See Hundreds of Websites Outed for Illegally Selling Steroids.)

The domain registrars hosting these sites, as well as the Internet Corporation for Assigned Names and Numbers (ICANN), say their hands are tied when it comes to shutting down the steroid-selling sites, which KnujOn and LegitScript.com outed and reported to the registrars and ICANN last month.

But KnujOn and LegitScript argue that shutting down these sites should be a no-brainer.

"In the vast majority of Websites we identified, it was plain that [they] were offering these drugs, and doing so in a way that violates U.S. federal law. Frankly, one doesn't have to be an expert to see what these Websites are doing," says John Horton, president of LegitScript.

"We also received -- and in some cases, presented to the registrars -- information from the Website operator with information about the drugs (including photos) and instructions for payment," Horton says. "We think that these sites are fairly straightforward to identify in many cases, and the remedy -- termination -- is equally clear."

At least one of the registrars named in the report, GoDaddy/Wild West, sees it differently. “Each of the sites in the report have been investigated by our 24x7 abuse department and do not appear to be violating our terms of service. We hope in the future, through reform from Congress, we can easily identify rogue vendors selling drugs illegally,” says a GoDaddy spokesperson.

“This report confirms what we knew all along -- there needs to be reform when it comes to Internet pharmacies,” the spokesperson said. He added that Go Daddy suspended 1,300 Websites last year that were selling drugs without a prescription, and typically without verifying the age of the buyer.

ICANN, meanwhile, says regulating pharmaceutical sales over the Internet is outside its purview. “ICANN can only take action if there are any issues of registrar compliance with the Registrar Accreditation Agreement. If laws are being broken, that should be brought to the attention of law enforcement agencies,” an ICANN spokesman said in a statement.

Garth Bruen, creator of KnujOn, says that if ICANN won’t expand its role to help shutter these illicit sites -- which KnujOn and LegitScript now count at 156 selling Schedule III substances -- the security industry itself may instead take action of its own.

Some Internet security companies, which he wouldn’t name, are considering blocking the steroid sites themselves in their own Web and email content-filtering products. “They say ‘we’re tired of trying to get a single IP shut down,’ so they are [looking at] shutting off a whole IP range from certain providers -- that’s how bad it’s gotten.”

Bruen says that KnujOn has found that the over 500 U.S.-based registrars are really controlled by a smaller number of companies, somewhere around 150. And some of them are run by spammers or other bad guys who want control of their domains to keep their illicit sites up and running.

“We’re going into a phase in Internet crime where we’ve moved away from small spam operations... to a situation where [these groups] have enough money to be their own [domain] providers,” he says. It’s much more difficult to shutter a rogue domain registrar than a bad site, he says.

He says he was shocked that all of the registrars named in KnujOn’s report -- Abacus America Inc., DSTR Acquisition VII LLC, Dynadot.com, Everyones Internet, Ltd., dba resellone.net, eNom, Inc., EstDomains, Inc, GoDaddy/Wild West, Parava Networks, Inc., and dba 10-Domains.com -- have left the steroid-selling sites intact.

“I thought at least some of them would be cooperative, but none of them are. It’s very troubling,” says Bruen, who says he’s even been pressured by some registrars to “back off” and drop the issue.

Meanwhile, Go Daddy maintains that Internet providers need legislation to help them distinguish between legitimate and illegitimate pharmacies online. The company’s General Counsel testified before Congress recently in support of Senate and House bills advocating consumer protection in online drug purchases.

While the steroid sites cited in the KnujOn/LegitScript report were mostly selling the real deal, including anabolic steroids, testosterone, and other controlled substances, fake drugs are becoming an even bigger problem on the Net. “We’re going to do a much larger report on fake pharmacies – we’re going to go into detail on all the registrars hosting fake pharmacies, where the source drugs are coming from,” Bruen says.

Why doesn’t the Federal Drug Administration take action against these phony online pharmacies? Bruen says the main obstacles to FDA intervention are that online pharmaceutical regulation takes place at the state level, and that brand owners whose drugs are being counterfeited traditionally haven’t taken steps to protect their brand -- although that is gradually changing, he says.

A recent report from IronPort, Cisco’s email security unit, revealed a link between the Storm botnet and other malware creators and illegal pharma suppliers that recruit the botnets to spam users with Viagra and other drugs as a way to steer buyers to their sites. (See Researchers Link Storm Botnet to Illegal Pharmaceutical Sales.)

Pat Peterson, vice president of technology at IronPort, says he’s not surprised that ICANN or the registrars cited in the KnujOn report hadn’t taken action against the steroid sites. He says the legitimate registrars may be a bit gun-shy about taking down one of their hosted sites because they don’t have sufficient legal backing to do so. “Legislation with teeth is desperately needed in this case,” he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
