Amid Controversy, Outed Steroid Sites Still Online

Anti-fraud groups, US Internet registrars at odds over takedown of 'roid sites

Remember those Websites sponsored by U.S. Internet domain registrars that were recently exposed for illegally selling steroids? These sites are still pushing the drugs online, according to the anti-fraud watchdog groups that first discovered them. (See Hundreds of Websites Outed for Illegally Selling Steroids.)

The domain registrars hosting these sites, as well as the Internet Corporation for Assigned Names and Numbers (ICANN), say their hands are tied when it comes to shutting down the steroid-selling sites, which KnujOn and LegitScript.com outed and reported to the registrars and ICANN last month.

But KnujOn and LegitScript argue that shutting down these sites should be a no-brainer.

"In the vast majority of Websites we identified, it was plain that [they] were offering these drugs, and doing so in a way that violates U.S. federal law. Frankly, one doesn't have to be an expert to see what these Websites are doing," says John Horton, president of LegitScript.

“We also received -- and in some cases, presented to the registrars -- information from the Website operator with information about the drugs (including photos) and instructions for payment," Horton says. "We think that these sites are fairly straightforward to identify in many cases, and the remedy -- termination -- is equally clear.”

At least one of the registrars named in the report, GoDaddy/Wild West, sees it differently. “Each of the sites in the report have been investigated by our 24x7 abuse department and do not appear to be violating our terms of service. We hope in the future, through reform from Congress, we can easily identify rogue vendors selling drugs illegally,” says a GoDaddy spokesperson.

“This report confirms what we knew all along -- there needs to be reform when it comes to Internet pharmacies,” the spokesperson said. He added that Go Daddy suspended 1,300 Websites last year that were selling drugs without a prescription, and typically without verifying the age of the buyer.

ICANN, meanwhile, says regulating pharmaceutical sales over the Internet is outside its purview. “ICANN can only take action if there are any issues of registrar compliance with the Registrar Accreditation Agreement. If laws are being broken, that should be brought to the attention of law enforcement agencies,” an ICANN spokesman said in a statement.

Garth Bruen, creator of KnujOn, says that if ICANN won’t expand its role to help shutter these illicit sites -- which KnujOn and LegitScript now count at 156 selling Schedule III substances -- the security industry itself may instead take action of its own.

Some Internet security companies, which he wouldn’t name, are considering blocking the steroid sites themselves in their own Web and email content-filtering products. “They say ‘we’re tired of trying to get a single IP shut down,’ so they are [looking at] shutting off a whole IP range from certain providers -- that’s how bad it’s gotten.”

Bruen says KnujOn has found that the more than 500 U.S.-based registrars are really controlled by a smaller number of companies, somewhere around 150. And some of them are run by spammers or other bad guys who want control of their domains to keep their illicit sites up and running.

“We’re going into a phase in Internet crime where we’ve moved away from small spam operations... to a situation where [these groups] have enough money to be their own [domain] providers,” he says. It’s much more difficult to shutter a rogue domain registrar than a bad site, he says.

He says he was shocked that all of the registrars named in KnujOn’s report -- Abacus America Inc., DSTR Acquisition VII LLC, Dynadot.com, Everyones Internet, Ltd., dba resellone.net, eNom, Inc., EstDomains, Inc, GoDaddy/Wild West, and Parava Networks, Inc., dba 10-Domains.com -- have left the steroid-selling sites intact.

“I thought at least some of them would be cooperative, but none of them are. It’s very troubling,” says Bruen, who says he’s even been pressured by some registrars to “back off” and drop the issue.

Meanwhile, Go Daddy maintains that Internet providers need legislation to help them distinguish between legitimate and illegitimate pharmacies online. The company’s General Counsel testified before Congress recently in support of Senate and House bills advocating consumer protection in online drug purchases.

While the steroid sites cited in the KnujOn/LegitScript report were mostly selling the real deal, including anabolic steroids, testosterone, and other controlled substances, fake drugs are becoming an even bigger problem on the Net. “We’re going to do a much larger report on fake pharmacies -- we’re going to go into detail on all the registrars hosting fake pharmacies, where the source drugs are coming from,” Bruen says.

Why doesn’t the Federal Drug Administration take action against these phony online pharmacies? Bruen says the main obstacles to FDA intervention are that online pharmaceutical regulation takes place at the state level, and that brand owners whose drugs are being counterfeited traditionally haven’t taken steps to protect their brand -- although that is gradually changing, he says.

A recent report from IronPort, Cisco’s email security unit, revealed a link between the Storm botnet and other malware creators and illegal pharma suppliers that recruit the botnets to spam users with Viagra and other drugs as a way to steer buyers to their sites. (See Researchers Link Storm Botnet to Illegal Pharmaceutical Sales.)

Pat Peterson, vice president of technology at IronPort, says he’s not surprised that ICANN or the registrars cited in the KnujOn report hadn’t taken action against the steroid sites. He says the legitimate registrars may be a bit gun-shy about taking down one of their hosted sites because they don’t have sufficient legal backing to do so. “Legislation with teeth is desperately needed in this case,” he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
