The world of online pharmacies is – said in a very simplistic way – a huge Russian doll mechanism of containers and cross references, deliberately anonymised.
Shedding light on the system was not an easy task and finding a name to link to this game of mirrors required a veritable technical “deep dive” into the labyrinth that is the internet.
We started by choosing the most popular portal from the various sites that offer the opportunity to buy medication without a prescription: apertafarmacia.it
The first step to finding out who is behind a website is to perform a “whois”, a command that should theoretically reveal the site manager and the name to which it is registered.
It couldn’t be that simple though; behind apertafarmacia.it we found a simple figurehead. A dead end. We then decided to investigate the other information that was clearly on show.
As you can see, at the bottom of the page there were telephone numbers, but – even more interesting – an e-mail address for anyone requiring customer support.
This was the first key to opening up the Pandora’s box of these sites. Curiously, in fact, the address provided ([email protected]) was not exclusive to the site we were analysing, but found matches in many other portals deliberately addressed to an Italian audience.
Among these we found:
- https://nuovapillola.com/
- https://vera-farmacia.com/
- https://apotekreseptfritt.com/
- https://realia-farmacia.com/
- https://forsta-apotek.com/
- https://pharmacie-nationale.com
- https://farmacia-amore.com
- https://medsitalia.com/
- https://itfarmaci.com
- https://apo-sverige.com/
- https://mypharmameds.com/
- https://www.apotekmeds.com
- https://farmacia-amore.com/
But the list could go on for several pages.
This was the turning point. Is it possible that all these sites have the same origins and mould? Is it possible that they are part of a single business that actually sells the opportunity to set up these sites in a way not too dissimilar to a franchise?
To find out, we searched the hidden pages of these portals in search of information about a possible affiliate program.
And it’s not surprising that we found a positive response to our questions. All the sites listed are in fact controlled by a single portal: https://ipillcash.com/
What we see in the image above is the heart of all the sites selling medication without a prescription.
A platform which – once registered – provides the entire infrastructure for “opening” the online pharmacy against payment.
Not only that, this web page is the same one that manages orders, sales, shipments and payments in the background.
We had therefore found the “how” of all these sites. What we were missing was the “who”. Fortunately on this site, the creator’s tracks hadn’t been covered as well as in previous cases.
Here is our man: Mikle Bodro. An alias, a real name? We obviously can’t know for sure. What we have discovered, however, is how this name continues to repeat itself over time (we found traces of it dating back to 2013) behind all the web infrastructure necessary for the creation of these sites.
If you dig a little deeper, do a more in-depth analysis of the domains, the name continues to appear with a certain frequency, although some variations do appear from time to time.
But it is difficult to keep track of it and find an actual name – below is also an example of another alias used. What we know for certain is that the activity of this “man in Havana” seems to be connected to most of the domains active in the field of these illegal pharmacies.
It cannot be excluded that this is an individual who resides in the area of the former Soviet Union, as he appears very frequently in Cyrillic fora and pages and especially when contacted he replied via an e-mail domain that corresponded to the UTC+2 time zone. It is a complex game of Chinese boxes that requires you to dig further down. But the final result is buried so deeply that it is difficult to spot…
The missing pieces of the puzzle
In short, behind the phenomenon of online pharmacies is an affiliation and franchise program built especially for those wanting to try their hand at this illegal activity.
Some questions do, however, remain open regarding how it is possible for these portals to persistently appear on the first pages of Google.
Here too we have the answers: it is nothing more than a very aggressive black marketing operation.
The sites controlled and created thanks to Mikle’s infrastructure are actually able to aggressively spam a large number of portals – how? Thanks to injection, i.e. secretly inserting their URL within perfectly legitimate sites (without the managers noticing it), to increase their online reputation and therefore deceiving Google about how trustworthy they are.
What about data?
In all this, one last question remains: behind all this illegality and game of Russian dolls, is the service being sold legitimate? And above all, are our data safe? It would appear that the medication is actually sold and delivered, so much so that some of the sites listed have even set up a Trustpilot page to receive feedback from customers.
As for the data entered into these sites by customers, however, the response to the question is anything but positive.
As we read in this Threat excerpt from the well-known Raid forum (a forum – in fact – where criminal hackers buy/sell stolen data) ipillscash is often the subject of discussion.
We also had the opportunity to notice how, despite an apparently professional setting, all these portals are actually highly vulnerable to possible attacks by criminal hackers.
How the franchise operates
A few days after the end of the first phase of technical infrastructure analysis, we decided to thoroughly test whether, as indeed was advertised, it was possible to open one of these pharmacies.
We therefore contacted the support e-mail on ipillscash.com and started talking privately – via Telegram – with our “partner manager”.
Obviously he didn’t introduce himself, but it isn’t hard to believe that behind the screen there could be the person we have often come across in our analyses: Mikle (and that’s the name we saved him under in our contacts).
As a first step, he gave us a unique ID to initially register our hypothetical pharmacy.
Once this step was complete, we immediately started discussing the technical details of the site. Mikle himself offered us various design and template options. Various languages were available, along with the preferred currency to set up purchases, and it also offered us the opportunity to set up a multi-language site.
During these very first exchanges, our contact quickly revealed that many of the goods were bought directly from Europe and – probably – distributed from European warehouses.
Not only that, Mikle also claimed to work closely with one of the largest webmasters in Europe.
Not just Viagra
Still in these “contract opening” phases, he pointed out how recently, other non-prescription drugs were available for sale, including nootropics – the famous “smart drugs” -. Included in the offer were:
- Provigil
- Modafinil
Curiously, drugs such as Ivermectin are also listed, a source of huge debates on its effectiveness in fighting COVID-19. The various “unofficial” remedies he listed for us included:
Among these he listed:
- Stromectol
- Zithromax
- PLAQUENIL
The drugs listed here, like Viagra and its derivatives, cannot be sold without a prescription in Italy, but are subject to a Restrictive Repeatable Prescription, i.e. medicines subject to a restrictive medical prescription, which can be sold to the public on prescription by hospitals or specialists.
Still in the negotiation phase, Mikle suggested buying an internet domain hosted in Hong Kong, probably to muddy the waters even more.
Having obtained this information, we interrupted contact with the seller.