Bots used to hijack pharmacy accounts and sell drugs illegally


Bots are being used to take over online pharmacy accounts and sell addictive prescription drugs illegally, an alarming trend cyber-watchdog Kasada says has increased fivefold in the past couple of months.

Its researchers say this sharp increase has pushed the total number of stolen accounts for sale on the dark web into the tens of thousands, allowing unscrupulous buyers and sellers to access prescription drugs – including some based on methamphetamine and opioids – to which they are not legally entitled.

“This activity is both illegal and dangerous,” said Kasada, adding that it first noticed it in April. “It puts medications in the hands of people who don’t have a prescription from a doctor and enables substance abuse. It also takes prescribed medications away from the people who need them legitimately.”

Despite this, Kasada’s investigation found that the bot-enabled racket had received positive reviews from its illicit customers, judging by the forum’s overall ratings. The crooks behind the scheme are doubtless motivated more by money than plaudits – the cybersecurity firm estimates a single operator stands to make more than $25,000 a month in cash transfers and cryptocurrency if it is left unchecked.

Redacted screenshot of dark web account illegally offering opioid-based drug Oxycodone for sale

“The sellers offer access to legitimate prescriptions for controlled and highly addictive substances, such as Adderall and Oxycodone,” said Kasada. “The price for a stolen account ranges from what one would normally pay with an insurance co-payment to several hundred dollars. The marketplaces offer stolen accounts from physical and online-only pharmacies, many of which are from the top 10 [sellers in the] US.”

Bots, hijacked internet-connected devices turned into ‘zombie’ machines that do a malicious hacker’s bidding, have become an increasingly dangerous phenomenon in the cyber-world. But Kasada believes this is the first time they have been used to target the pharmaceutical industry in this way.

“It’s been well publicized that scalper bots ‘skip the digital line’ and purchase in-demand items such as sneakers, gaming consoles, and NFTs,” it said. “More recently, people have realized that the same bots can be repurposed to score any item or service wherever demand outpaces supply, such as baby formula, semiconductor chips, and even COVID-19 vaccine appointments.”

How bots are breaking the system

Bot-driven cybercrime helps to make billions of dollars’ worth of online fraud a reality by automating logins to test stolen credentials and perform account takeover (ATO) against target machines in key industries.

“Using bots to commit ATO has been pervasive for a long time in industries such as retail, media and entertainment, and financial services,” said Kasada, adding that the pharmaceutical industry now appears to have joined this list with a vengeance.

ATOs involve using automated “account cracking tools” to facilitate credential stuffing attacks – during which a cybercriminal throws a large volume of purloined personal data at a system, in the hope of finding the right combination to gain access.

“These tools perform a credential-stuffing attack on a pharmacy’s website or mobile app,” said Kasada. “By stuffing stolen usernames and passwords, the attacker can exploit the fact that consumers reuse the same credentials on different websites. A small percentage of the stolen credentials ‘work’ and allow the attacker to successfully take over accounts with legitimate login credentials.”
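The pattern described above, many different usernames tried from one origin with only a small share succeeding, is what a defender can look for in login logs. The following is an added example, not code from Kasada or from this article; the event fields, thresholds and sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events (source address, username, success); not real data.
# One source tries 40 different usernames and only one works; the others are normal users.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    + [
        ("198.51.100.4", "alice@example.com", False),  # mistyped password
        ("198.51.100.4", "alice@example.com", True),
        ("192.0.2.9", "bob@example.com", True),
    ]
)


def detect_stuffing(events, min_users=20, max_success_ratio=0.10):
    """Flag sources that try many distinct usernames of which few succeed.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    per_source = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": set()})
    for source, username, success in events:
        stats = per_source[source]
        stats["attempts"] += 1
        stats["users"].add(username)
        if success:
            stats["hits"].add(username)

    flagged = {}
    for source, stats in per_source.items():
        distinct = len(stats["users"])
        ratio = len(stats["hits"]) / distinct
        # A real customer retries one username; a stuffing run walks a list of
        # many usernames and only a small share of them log in.
        if distinct >= min_users and ratio <= max_success_ratio:
            flagged[source] = {
                "attempts": stats["attempts"],
                "distinct_users": distinct,
                "success_ratio": ratio,
                # Accounts that did log in from this source need a forced reset.
                "compromised": sorted(stats["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for source, report in detect_stuffing(SAMPLE_EVENTS).items():
        print(source, report)
```

Bot traffic is often spread across many source addresses, so the same grouping should also be run on other keys such as device fingerprint or network range.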

Upon succeeding in this initial salvo, the cyberattacker then extracts the prescription information including the account holder’s name, date of birth, phone number, and means of payment for medications. Such data can also presumably be resold elsewhere on the dark web to facilitate other forms of cybercrime, thus completing the vicious circle.

“This is one of the most egregious and dangerous uses of bots we’ve ever observed,” said Kasada. “The illegal sale of stolen pharmacy accounts can be a profitable venture, not to mention very dangerous – by enabling medications to be put into the hands of people who don’t have a prescription.”

It added: “With free, open-source tools widely available to automatically crack accounts, a bot operator can monetize this illegal activity with very little effort.”