What You Should Know:
– Cybercriminals are leveraging illegal bots to steal pharmacy accounts and resell prescriptions on a secondary market for in-demand substances, like Oxycodone, according to recent research from Kasada’s threat intelligence team.
– Researchers have also identified an acceleration in this activity: over the past 60 days, the number of stolen pharmacy accounts available for sale has increased by 5x.
Using Bots to Steal Pharmacy Accounts and Resell Prescriptions
In April 2022, Kasada threat intelligence first observed the use of credential stuffing to attack pharmacies, steal active customer accounts, and exploit the distribution of prescribed medications. Credential stuffing is an automated attack where cybercriminals use lists of stolen or leaked usernames and passwords to try to log in to various accounts. Once they are successful, they take over accounts (ATO) and either sell them or exploit them by making fraudulent transactions.
This illegal activity puts medications in the hands of people who don’t have a prescription from a doctor. As such, it enables substance abuse. It also takes prescribed medications away from the people who legitimately need them. Sellers offer access to legitimate prescriptions for controlled and highly addictive substances, such as Oxycodone. The price for a stolen account ranges from the cost of an insurance co-payment to several hundred dollars. Based on the volume of transactions over the past 30 days, it is estimated that a single operator can make over $25,000 per month selling stolen pharmacy accounts. Stolen accounts often come with a guarantee – if the login or card on file doesn’t work, the provider will replace it with a new account.
“This is one of the boldest, most egregious and dangerous uses of bots we’ve ever observed,” said Sam Crowther, founder and CEO of Kasada. “Because the automated tools used for these attacks are so readily available and affordable, and because the sale of stolen usernames and passwords has never been more lucrative, it is easy to see why this type of theft is growing in popularity.”
Kasada’s modern, proactive approach to stopping bots adapts as fast as the attackers working against it, in contrast to reactive bot management systems that rely on static and poorly obfuscated defenses. The company recently announced enhancements to its anti-bot platform, maintaining the company’s position at the forefront of defending against the latest and stealthiest automated threats. Its latest release also addresses the growing prevalence of Solver Services, which are API-as-a-service tools created to bypass the majority of bot management systems and conduct automated attacks such as credential stuffing.
4 Ways Hackers Use Bots to Commit Account Takeovers to Sell Stolen Prescriptions
Researchers also identified the following four key ways hackers are using bots to commit ATO to sell stolen prescriptions:
1. Credential Stuffing to Conduct ATO Attacks – Automated account cracking tools, including OpenBullet2, are loaded with bots and configurations similar to those used for scalping. These tools perform a credential stuffing attack on a pharmacy’s website or mobile app. By stuffing stolen usernames and passwords, the attacker can exploit the fact that consumers reuse the same credentials on different websites. A small percentage of the stolen credentials “work” and allow the attacker to successfully take over accounts (performing ATO) with legitimate login credentials.
2. Data Extraction – Once an account is taken over, the attacker automates the process of extracting the prescriptions and other information associated with the account. Data linked to the account includes customer information, such as name, birth date, phone number, and the payment source on file.
3. Storefront Integration – The extracted information is integrated with eCommerce marketplaces that can be found across the corners of the Internet. It’s notable that these acts of online fraud aren’t restricted to the dark web, but are on the Internet for anyone to find. Stolen accounts are put up for sale using a non-identifiable seller profile. Shoppers can choose the pharmacy and medication of their choice, and sellers accept a range of payment methods, including cash transfer and crypto. The sellers typically offer a guarantee such that if the account doesn’t work, they will provide a new account at the same pharmacy at no additional charge.
4. Using a Stolen Pharmacy Account – Once an account is purchased on the secondary market, the purchaser is free to use the account to obtain the medication at the specified pharmacy. This can be done using online ordering (use the credit card associated with the account and reroute the shipping address). Alternatively, the purchaser can visit a pharmacy to pick up the prescription using the information lifted from within the account to pass authorization checks, such as birthdate. What’s done with these pharmaceuticals after purchasing? Likely a combination of two activities that create a dangerous – and difficult to trace – impact on our society. The purchaser can consume them, or resell them for a premium, furthering the underground economy for stolen pharmaceuticals and widening the access of controlled substances to those who shouldn’t be taking them.
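From the defender's side, the pattern in step 1 (one source trying many usernames, with only a small percentage working) is visible in login logs. The following is an added example, not from Kasada's research: the log format, thresholds and function names are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample of login events: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2022-06-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-06-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-06-01T10:00:03Z 203.0.113.7 carol@example.com OK
2022-06-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2022-06-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2022-06-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2022-06-01T10:02:10Z 198.51.100.20 grace@example.com FAIL
2022-06-01T10:02:25Z 198.51.100.20 grace@example.com OK
2022-06-01T10:05:00Z 198.51.100.33 heidi@example.com OK
"""

def parse_events(text):
    """Yield (source, username, succeeded) from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, source, user, outcome = parts
        yield source, user.lower(), outcome == "OK"

def find_stuffing(events, min_users=5, max_success_ratio=0.25):
    """Flag sources that try many distinct usernames with few successes.

    Returns {source: accounts that logged in from it}, the likely takeovers.
    """
    attempts = defaultdict(int)
    successes = defaultdict(int)
    users = defaultdict(set)
    hits = defaultdict(set)
    for source, user, ok in events:
        attempts[source] += 1
        users[source].add(user)
        if ok:
            successes[source] += 1
            hits[source].add(user)
    flagged = {}
    for source, seen in users.items():
        ratio = successes[source] / attempts[source]
        if len(seen) >= min_users and ratio <= max_success_ratio:
            flagged[source] = sorted(hits[source])
    return flagged

if __name__ == "__main__":
    for source, accounts in find_stuffing(parse_events(SAMPLE_LOG)).items():
        print(source, "likely stuffing; review/reset:", accounts)
```

Accounts returned for a flagged source are candidates for a forced password reset and a review of recent changes such as a rerouted shipping address. Grouping by source IP is a simplification; distributed attacks call for grouping by other request attributes as well.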