Kudos to the Kasada Threat Intelligence team for their release this week on the disgusting, illegal, and immoral use of bots to steal prescriptions by attacking pharmacies, exploiting distribution of drugs, and taking the drugs to be sold on the secondary market.

Not only are scumbags stealing medicine from people who need it, but adding to the perils of drug trafficking including addiction and substance abuse, improper prescribing without a doctor, and death. It is infuriating for those of us in the cybersecurity industry.

Kasada describes it as malicious bots that facilitate billions of dollars in online fraud, in part by automating login processes to test stolen user credentials and perform account takeover (ATO). Stolen accounts obtained from credential stuffing attacks are exploited by making fraudulent transactions and depleting stored value. Using bots to commit ATO has been pervasive for a long time in industries such as Retail, Media & Entertainment, and Financial Services.

With regards to pharmacies, Kasada has also seen scalper bots jump ahead of others to book services, such as COVID-19 vaccine appointments. Now what’s come to light is a new trend of pharmacy accounts being stolen with bots in order to purchase and resell controlled substances. They observed the first instance of this in the beginning of April 2022.

Tens of Thousands of Stolen Accounts Resulting in a 5x Increase

Kasada researchers have discovered tens of thousands of stolen online pharmacy accounts that are now available for sale on secondary marketplaces. The trend is accelerating – over the past 60 days, the number of stolen accounts we’ve observed available for sale has increased by 5x.

Kasada on How Fraudsters Commit Account Takeovers (ATO) to Sell Stolen Prescriptions

  1. Credential Stuffing to Conduct ATO Attacks – Automated account cracking tools, including OpenBullet2, are loaded with bots and configurations similar to those used for scalping. These tools perform a credential stuffing attack on a pharmacy’s website or mobile app. By stuffing stolen usernames and passwords, the attacker can exploit the fact that consumers reuse the same credentials on different websites. A small percentage of the stolen credentials “work” and allow the attacker to successfully takeover accounts (performing ATO) with legitimate login credentials.

  2. Data Extraction – Once an account is taken over, the attacker automates the process of extracting the prescriptions and other information associated with the account. Data linked to the account includes customer information, such as name, birth date, phone number, and the payment source on file.

  3. Storefront Integration – The extracted information is integrated with eCommerce marketplaces that can be found across the corners of the Internet. It’s notable that these acts of online fraud aren’t restricted to the dark web, but are on the Internet for anyone to find. Stolen accounts are put up for sale using a non-identifiable seller profile. Shoppers can choose the pharmacy and medication of their choice, accepting a range of payment methods, including cash transfer and crypto. The sellers typically offer a guarantee such that if the account doesn’t work, they will provide a new account at the same pharmacy at at no additional charge.

  4. Using a Stolen Pharmacy Account – Once an account is purchased on the secondary market, the purchaser is free to use the account to obtain the medication at the specified pharmacy. This can be done using online ordering (use the credit card associated with the account and reroute the shipping address). Alternatively, the purchaser can visit a pharmacy to pick up the prescription using the information lifted from within the account to pass authorization checks, such as birthdate. What’s done with these pharmaceuticals after purchasing? Likely a combination of two activities that create a dangerous – and difficult to trace – impact on our society. The purchaser can consume them, or resell them for a premium, furthering the underground economy for stolen pharmaceuticals and widening the access of controlled substances to those who shouldn’t be taking them.

Overtaking the heavily regulated, complex, and transactional pharmacy business with bots in such a perverted way shows just how diabolical cyberattacks have become and continue to grow. It is another stark example of how all industries and all businesses need a proactive and vigilant strategy to protect their data, their assets, and their clients. As always, River Run can help.



Share this article