The discovery of a new and compounding cybersecurity threat to pharmacies
Sam Crowther, founder and CEO of cybersecurity company Kasada, tells us about a recent discovery his company made that revealed tens of thousands of accounts with prescription drug attachments in major online pharmacies had been compromised.
While performing analysis for a client of online accounts for sale, Kasada uncovered a new and illegal way bots are being used – to steal pharmacy customers’ accounts and resell prescriptions on a secondary market for in-demand substances, such as Oxycodone.
“We’re a security business that helps companies deal with problems bots cause on their websites or mobile apps. We help them solve business problems that rear their head when someone can take a piece of code to scale their operation and make things financially viable,” Crowther states.
Crowther says this new method of using bots is “one of the boldest, most egregious, and dangerous uses of bots” he’s ever observed.
Unfortunately, many online pharmacies are susceptible to bot attacks simply due to outdated security measures and a lack of appropriate systems oversight.
Detection of fraudulent activity
A bot, in its simplest form, is a piece of code that performs an action a human would, including logging into an account by filling in a username and password.
Often criminals use bots to input illegally obtained login credentials, testing them on various websites to see if they work.
“The advantage for criminals and the disadvantage for the defenders [anyone responsible for protecting an organisation from an attack] is it’s very scalable. It’s easy to have a piece of code execute thousands and thousands of times a minute and perform tens of thousands of actions, where a human may take weeks or days to do it,” Crowther states.
According to Kasada, in April 2022 its threat intelligence observed the use of credential stuffing – the automated injection of stolen username and password pairs into a website’s login form – to attack pharmacies, steal active customer accounts, and exploit them for the distribution of prescribed medications.
“We were doing some analysis, some other work for a client when we came across the same group performing these actions against more than just our customers. As we dug deeper into what the group was doing, pharmacy activity suddenly popped up, and it became very clear that their operation was quite widespread,” Crowther states.
Criminals gained access to user login information (credentials) somewhere online. Because many people use the same login information for several websites, the criminals began to test those credentials on other sites and subsequently use them on vulnerable online pharmacies.
Once the cybercriminals gained access to a customer’s online pharmacy account, they would sell the information or exploit the accounts to make fraudulent transactions.
A criminal would log in to an account, initiate a fill, select the pharmacy at which they want to pick it up, then have someone other than the intended customer collect it for them.
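The sequence described above (many stolen credential pairs tried from one source, a few successes, then a prescription fill on a taken-over account) leaves a recognisable trail in login and order logs. The following Python is an added example, not code from Kasada or from this article; the event fields, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data): (epoch_seconds, source_ip, account, action, detail)
EVENTS = [
    (1000, "203.0.113.7", "alice", "login", "fail"),
    (1002, "203.0.113.7", "bob", "login", "fail"),
    (1003, "203.0.113.7", "carol", "login", "ok"),
    (1005, "203.0.113.7", "dave", "login", "fail"),
    (1006, "203.0.113.7", "erin", "login", "fail"),
    (1020, "198.51.100.4", "frank", "login", "ok"),
    (1300, "198.51.100.4", "frank", "fill", "store-12"),
    (5000, "192.0.2.55", "carol", "fill", "store-98"),
]

WINDOW = 60          # seconds; assumed tuning values
MIN_ACCOUNTS = 5     # distinct accounts tried from one source in the window
MIN_FAIL_RATIO = 0.6


def stuffing_sources(events):
    """Return source IPs that tried many distinct accounts, mostly failing, in one window."""
    by_src = defaultdict(list)
    for ts, src, acct, action, detail in events:
        if action == "login":
            by_src[src].append((ts, acct, detail))
    flagged = set()
    for src, logins in by_src.items():
        logins.sort()
        for i, (start, _, _) in enumerate(logins):
            win = [l for l in logins[i:] if l[0] - start <= WINDOW]
            accounts = {a for _, a, _ in win}
            fails = sum(1 for _, _, d in win if d == "fail")
            if len(accounts) >= MIN_ACCOUNTS and fails / len(win) >= MIN_FAIL_RATIO:
                flagged.add(src)
                break
    return flagged


def fills_to_hold(events):
    """Fills on accounts that a stuffing source logged into successfully, for manual review."""
    bad = stuffing_sources(events)
    exposed = {}  # account -> time of the suspicious successful login
    held = []
    for ts, src, acct, action, detail in sorted(events):
        if action == "login" and detail == "ok" and src in bad:
            exposed.setdefault(acct, ts)
        elif action == "fill" and acct in exposed and ts > exposed[acct]:
            held.append((acct, detail, ts))
    return held
```

The hold is keyed on the account, not the source address, because a resold account is used later from a different address than the one that tested the credentials.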
“The [implications of these stolen accounts] are twofold. One, someone who should not be able to get their hands on these controlled substances can. So, suppose I want to go and buy some Oxycodone, Adderall, or any other prescription painkiller. I can buy one of these accounts and, without a prescription, without myself as Sam having a prescription, I can actually go and get it,” Crowther states.
Criminals gaining access to controlled substances by simply picking them up at pharmacies is incredibly problematic, especially considering the massive and ongoing opioid crisis.
“On the flip side, this may actually hurt the person meant to get the prescription because you can only get them filled so many times. So, suddenly, you’re unable to get the medicine you need and have been prescribed by a doctor. Also, you may look like a [drug] mule, or you may look like you’re illegally selling it yourself, which is not a good situation for the actual customer,” Crowther states.
Where the login credentials came from is unclear, but the result was that tens of thousands of accounts with prescription drug attachments in major online pharmacies were exploited.
Crowther didn’t name the brands that were compromised, but among them were the top 10 pharmacies in the world, he states: brands it is safe to say most people use.
“We’re not mentioning anyone by name. As a security professional, I feel very bad calling people out because it can be quite detrimental. I’d rather do that behind closed doors,” Crowther says.
Still, he notes there are ways to prevent these attacks before any credentials are stolen, so online pharmacies can protect their interests and the customer’s welfare.
Protecting a business and its customers
Kasada only recently uncovered the above pharmacy-related criminal activity, but there’s been a substantial increase in stolen pharmacy accounts available for sale in the past 60 days alone.
“Criminals are taking advantage of the fact that a lot of these pharmacies have quite legacy security solutions and don’t really invest heavily in [cybersecurity],” Crowther states.
“Even within the last few months, it’s become very lucrative. Some of these groups are pulling in $40,000 or $50,000 a month just doing this, which is no insignificant amount of cash,” Crowther states.
Once a criminal accesses an account, they will sell that account according to the prescription that’s attached.
“They’ll say, ‘If you want an account with an Oxy prescription, that’s $75. If you want an account with Adderall, it’s $25.’ That’s where the money comes from for them,” Crowther states.
Increasing cybersecurity and staving off bot attacks before they start is vital for ensuring drugs don’t end up in the wrong hands.
“A big piece here is the defense and anti-fraud side of things. Making sure the company has a good grasp of who the actual customer is when they log in and fill a prescription is very important,” Crowther states.
As online pharmacies become more prevalent and consumers’ use of internet platforms grows, it’s increasingly vital to use the cybersecurity options available to protect business and consumer interests and step away from legacy security systems.
“It’s definitely an implication of coming from an old school business where the requirements for security haven’t been really high, then moving into an online world where the requirements are very, very high. The jump has not been made. That’s the problem,” Crowther states.
“The reality is it’s a cost of doing business and operating online. It is expensive because you have to secure yourself. Otherwise, you end up in situations like this, where a service meant to be great for customers is now a real legal liability.”
About the interviewee
Sam Crowther is the founder and CEO of Kasada, a cybersecurity company specialising in stopping bot attacks. He is an entrepreneur with a passion for cybersecurity. With funding from leading U.S. and Australian investors, Sam launched Kasada in 2015 to provide an innovative web traffic integrity solution to companies around the world. Based in New York and Sydney, his goal is to create simple technical solutions to complex problems. Sam is motivated by challenging preconceived ideas and beliefs in order to have a positive impact on the world.
About the author
Jessica Hagen is a freelance life sciences and health writer and project manager who has worked with medical XR companies, fiction/nonfiction authors, non-profit and for-profit organisations, and government entities.