The Register of Known Spam Operations
Vincent Chan gang

Country: Hong Kong
Vincent Chan and his Chinese partners have been sending spam for years. They mainly send pharmacy spam and are able to send out huge amounts daily. They use vast numbers of compromised computers for sending, hosting and proxy hijacking. They now seem to be an "outsourced" server obtainer for other spam gangs.

new Canadian Pharmacy

This data is from June 2007:
Vincent Chan used to have sites with multiple hostnames. Reaching the site
resulted in JavaScript parsing the hostname used to reach it, using a
hash (associative array) to select a target host, and redirecting to it
(usually(?) loading it into a frame):
: document.write("[HTML][HEAD][TITLE]Welcome[/TITLE][/HEAD]
: [FRAMESET rows=100%,*]
: [FRAME src=\"" + url + "\" scrolling=yes]
Most often the target URLs were on port 8088 with images loaded from
: http://[hostname]:8088/cg/images/ftr/ftr_logo_bbb.gif
for example (this is the fake BBB Online seal of approval).

The sites used to use a fake VeriSign seal, which was commented out:
: [!--[a href='verisign.php?PHPSESSID=[varies]'
: onclick="'verisign.php', 'win2', 'width=406,height=436,scrollbars=yes');return false;"]
: [img src="images/ftr/ftr_logo_verisign.gif" width="58" height="84" alt="" /]
: [/a]--]

The order form used session based names for two name/value pairs,
name and email (for example):
: jak4l644=[victim's name: first last]
: ukt1q980=[victim's address: email]

One of the 'unsubscribe' links was:
: http://[hostname]/rsupport/?extra=cg

This data is from June 2011:
Recently a 'new' Canadian Pharmacy botnet has come to my attention.
It uses bots. It has images on port 8088. It does not have one controlling
JavaScript section loading one of multiple sites. The fake BBB Online seal
is at http://[IMAGE_HOST_BOT_IP_ADDRESS]:8088/vti_sys/images/ftr/ftr_logo_bbb.gif
(using other bots, reached on port 8088 by IP address, for the images)

with a commented out verisign seal
: [!--[a href='verisign.php'
: onclick="'verisign.php', 'win2', 'width=406,height=436,scrollbars=yes');return false;"]
: [img src="http://[IMAGE_HOST_BOT_IP_ADDRESS]:8088/vti_sys/images/ftr/ftr_logo_verisign.gif" width="58" height="84" alt="" /]
: [/a]

and the order form has session based names for two name/value pairs,
name and email (for example):
: mva0o29=[victim's name: full]
: t1mzg724=[victim's address: email]

The unsubscribe link on the starting page is:
: http://[hostname]/rsupport/?extra=cg

Well ... not much has changed (they still have the invisible, commented
out verisign seal).
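
The indicators that recur in the June 2007 and June 2011 observations above can be checked against a fetched page's HTML. The following is an added example, not part of the ROKSO record: the function names, the session-name heuristic and the sample page are assumptions constructed for illustration.

```python
import re

# Indicators taken from the record above. The record writes markup with [ ]
# in place of < >, so each pattern accepts either bracket style.
INDICATORS = {
    # Fake BBB Online seal served from port 8088 (/cg/ in 2007, /vti_sys/ in 2011).
    "bbb_seal_8088": re.compile(
        r"https?://[^/\s\"']+:8088/[^\s\"']*/images/ftr/ftr_logo_bbb\.gif", re.I),
    # VeriSign seal link that is present in the source but commented out.
    "commented_verisign": re.compile(
        r"[<\[]!--\s*[<\[]a\s+href=['\"]verisign\.php", re.I),
    # 'Unsubscribe' link path, identical in the 2007 and 2011 observations.
    "rsupport_unsubscribe": re.compile(r"/rsupport/\?extra=cg\b", re.I),
}

def match_indicators(html):
    """Return the sorted names of the record's indicators found in html."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))

def is_session_style_name(field):
    """Heuristic (an assumption, not from the record): 7-8 lowercase
    alphanumerics mixing at least two letters and two digits, like the
    per-session order-form field names jak4l644 and mva0o29."""
    return (re.fullmatch(r"[a-z0-9]{7,8}", field) is not None
            and sum(c.isdigit() for c in field) >= 2
            and sum(c.isalpha() for c in field) >= 2)

# Constructed sample page; 192.0.2.10 is a documentation address (RFC 5737).
SAMPLE = """<html><body>
<img src="http://192.0.2.10:8088/vti_sys/images/ftr/ftr_logo_bbb.gif">
<!--<a href='verisign.php'><img src="images/ftr/ftr_logo_verisign.gif"></a>-->
<form><input name="mva0o29"><input name="t1mzg724"></form>
<a href="http://shop.example/rsupport/?extra=cg">unsubscribe</a>
</body></html>"""

if __name__ == "__main__":
    print(match_indicators(SAMPLE))
    names = re.findall(r'name="([^"]+)"', SAMPLE)
    print([n for n in names if is_session_style_name(n)])
```

A page matching all three markup indicators plus session-style field names on its order form is a strong candidate for this operation's template; any single match on its own is weaker evidence.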

The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is:

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2018 The Spamhaus Project Ltd. All rights reserved.