Cybercriminals are breaking into pharmacy websites and apps, and then stealing accounts with prescriptions for different medications, experts have warned.
According to cybersecurity researchers from Kasada, those accounts are then sold on the black market, giving access to dangerous drugs to people who do not have their doctor’s permission.
Kasada observed that the number of pharmacy accounts sold on the black market started to rise in April 2022. Over the past 60 days, the number of stolen accounts increased fivefold, they said, reaching “tens of thousands”. What’s more, these are not accounts at third-rate pharmacies: some of the affected pharmacies are among the biggest in the US.
A hacker’s guarantee
“This activity is both illegal and dangerous. It puts medications in the hands of people who don’t have a prescription from a doctor and enables substance abuse. It also takes prescribed medications away from the people who need them legitimately,” Kasada said in a blog post outlining its findings.
To obtain the accounts, the hackers use credential stuffing, trying countless combinations of usernames and passwords (or using credentials stolen elsewhere) until they get in. Most of the process is automated.
By selling these accounts, the crooks are giving away access to controlled and highly addictive substances, such as Adderall or Oxycodone. The price of such an account, Kasada says, ranges from “what one would normally pay with an insurance co-payment” to “several hundred dollars”. Buyers even get to choose the pharmacy and the medication, and can pay for the service with either cash or crypto. The sellers, on the other hand, guarantee the account will work properly. If it doesn’t, they provide the buyer with a new one, free of charge.
To obtain the drugs, the purchasers can either order online, using the credit card associated with the account (they just reroute the shipping address), or pick the drug up at the counter. The pharmacies often ask for personally identifiable information, such as birthdays, when handing over the drugs. These things are all found in the stolen accounts.
Kasada’s researchers don’t know exactly what happens to the drugs once people actually obtain them, speculating that they’re either sold again, or used.