Schneier on Security
August 16, 2011
Search Redirection and the Illicit Online Prescription Drug Trade
Really interesting research.
Search-redirection attacks combine several well-worn tactics from black-hat SEO and web security. First, an attacker identifies high-visibility websites (e.g., at universities) that are vulnerable to code-injection attacks. The attacker injects code onto the server that intercepts all incoming HTTP requests to the compromised page and responds differently based on the type of request:
- Requests from search-engine crawlers return a mix of the original content, along with links to websites promoted by the attacker and text that makes the website appealing to drug-related queries.
- Requests from users arriving from search engines are checked for drug terms in the original search query. If a drug name is found in the search term, then the compromised server redirects the user to a pharmacy or another intermediary, which then redirects the user to a pharmacy.
- All other requests, including typing the link directly into a browser, return the infected website's original content.
The net effect is that web users are seamlessly delivered to illicit pharmacies via infected web servers, and the compromise is kept hidden from view of the affected host's webmaster in nearly all circumstances.
Upon inspecting search results, we identified 7,000 websites that had been compromised in this manner between April 2010 and February 2011. One quarter of the top ten search results were observed to actively redirect to pharmacies, and another 15% of the top results were for sites that no longer redirected but had previously been compromised. We also found that legitimate health resources, including authorized pharmacies, were largely crowded out of the top results by search-redirection attacks and blog and forum spam promoting fake pharmacies.
And the paper.
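The three-way behaviour quoted above (one answer for crawlers, a redirect for visitors arriving from a drug-related search, the original page for everyone else) leaves a fingerprint in an ordinary web server access log, because the server records the status code it sent together with the Referer and User-Agent. The following detector is an added example, not code from the paper or the blog post; it assumes Apache/nginx "combined" log format, and the log lines and hostnames in it are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" format; assumption: the server logs Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
CRAWLER_UA = re.compile(r'googlebot|bingbot|yandexbot|baiduspider', re.I)
SEARCH_HOSTS = ('google.', 'bing.com', 'search.yahoo.', 'yandex.', 'duckduckgo.com')

def classify(referer, ua):
    """The three vantage points the quoted paper describes: crawler, search visitor, everyone else."""
    if CRAWLER_UA.search(ua):
        return 'crawler'
    host = urlparse(referer).netloc.lower()
    return 'search' if any(h in host for h in SEARCH_HOSTS) else 'direct'

def search_query(referer):
    """The visitor's original query, as carried in the results-page Referer (q=, or p= for Yahoo)."""
    params = parse_qs(urlparse(referer).query)
    return (params.get('q') or params.get('p') or [''])[0]

def find_cloaked_paths(lines):
    """Map path -> finding for every path whose response depends on who is asking."""
    seen = defaultdict(lambda: {'crawler': set(), 'search': set(), 'direct': set(), 'queries': []})
    for m in filter(None, map(LOG_RE.match, lines)):  # lines not in combined format are skipped
        rec = m.groupdict()
        v = classify(rec['referer'], rec['ua'])
        seen[rec['path']][v].add((rec['status'], rec['size']))
        if v == 'search' and rec['status'][0] == '3':  # a search visitor was redirected away
            seen[rec['path']]['queries'].append(search_query(rec['referer']))
    findings = {}
    for path, s in seen.items():
        direct_sizes = {size for st, size in s['direct'] if st == '200'}
        if not direct_sizes:
            continue  # no baseline for what an ordinary visitor receives
        crawler_sizes = {size for st, size in s['crawler'] if st == '200'}
        finding = {'search_redirect_queries': sorted(set(s['queries'])),
                   # heuristic: crawlers received a 200 body of a size no direct visitor ever got
                   'crawler_content_differs': bool(crawler_sizes - direct_sizes)}
        if finding['search_redirect_queries'] or finding['crawler_content_differs']:
            findings[path] = finding
    return findings

# Constructed sample log: one page answers three different ways, /about.html is clean.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2011:09:12:01 +0000] "GET /news/2010/grants.html HTTP/1.1" 200 8127 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"
66.249.66.1 - - [10/Aug/2011:09:13:44 +0000] "GET /news/2010/grants.html HTTP/1.1" 200 11940 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [10/Aug/2011:09:15:02 +0000] "GET /news/2010/grants.html HTTP/1.1" 302 0 "http://www.google.com/search?q=buy+viagra+online" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"
198.51.100.9 - - [10/Aug/2011:09:16:30 +0000] "GET /news/2010/grants.html HTTP/1.1" 200 8127 "http://www.google.com/search?q=university+grants+2010" "Mozilla/5.0 (Macintosh) Safari/534"
203.0.113.8 - - [10/Aug/2011:09:17:11 +0000] "GET /about.html HTTP/1.1" 200 4521 "http://www.google.com/search?q=about+campus" "Mozilla/5.0 (X11; Linux) Chrome/13"
"""
```

Running `find_cloaked_paths(SAMPLE_LOG.splitlines())` flags only `/news/2010/grants.html`, with the query that triggered the redirect and the crawler-content indicator; on a real server, feed it the site's own access log and confirm any hit by fetching the page under the same three conditions.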
Posted on August 16, 2011 at 10:47 AM
Just a question so I understand the significance: Is online purchase of drugs widespread in the US?
Here it is the rare exception, and you cannot get prescription drugs that way at all. There are a few (regular) pharmacies that will do mail-orders for non-prescription stuff, but that is mostly for items doctors or labs would buy, like cartons with 100 syringes and the like. They do sell to private individuals as well. (1ccm "tuberkulin" syringes are perfect for mixing 2-component epoxy glue; that is how I found them.)
@Gweihir: It's not just the US, it's everywhere. The main audience is people (illegally) buying prescription drugs they don't have a prescription for. Ex. Ritalin is widespread on college campuses; viagra is widespread, erm, everywhere...
From a security perspective, "widespread" could mean "happens a lot" or "happens at all." Considering that, in the US (at least), prescription medicine is not supposed to be distributed outside of a sanctioned channel (hospitals, doctors, pharmacies), then the fact that it is happening at all is a break in the system.
The costs incurred by participating in the system, though, almost guarantee that a black market of some form exists. While there is lots of research money put into the development of prescription medicine, the actual costs of production are pretty low due to scale. Price mark-up along the sanctioned distribution channels means that the end-user (the patient, in most cases), pays a much higher cost per dose than the original manufacturing cost.
And, because there may be a real or perceived need to get the medication while avoiding the sanctioned channels (no insurance, low income, desperate for relief, being a cheap bastich, or off-label or abusive consumption), then there is always a demand for these markets--it's cheaper and potentially easier.
Which goes back to the study: Because there is a demand out there, then it's a short logical jump to set up, via infection or compromise, a method to advertise these services. A "legitimate" black marketer can't just put up a billboard without having the local police knock on the door ("legitimate" meaning they intend to ship the product). Alternatively, the pure scam can get desperate people to send money at very little cost.
In either case, the profit margin for these folks could be pretty high because their initial investment is basically getting a (team of) hackers and developers to set up the system.
The paper points out that 7 of the 73 "communities" represent over half the infection nodes, which means (to me) the bad guys are organized and find this model worth pursuing for now.
David: In addition, I suspect this method of distribution is an adjunct to the distribution of "pirated" pharmaceuticals, i.e., drugs which have the same or similar chemical composition as a brand product but manufactured by people not connected to the original manufacturer and sold as the real thing.
I remember reading a book many years ago about this arena. In the old days, the fake pill pushers had to go around and bribe pharmacists and doctors to sell the stuff. The Internet makes this much easier and cuts out a whole slew of middlemen. You just need a chemist (a dime a dozen) and the equipment (readily available) and the raw materials (also readily available) and you can grind out fake Viagra all day long which you can then sell on some hacked up Web site. The profitability compared to the legitimate market is enormous.
@gweihir Another buyer of prescription drugs are US residents with no prescription health insurance. Drugs that cost $5 per pill in the US are often only $2 in Canada, and we (of course) trust drugs bought in Ca. The problem is that fake sites promise CA drugs and deliver placebos or worse.
I have to admit, I just can't wrap my head around how this business model works.
If I'm the "supplier", I basically have three options: sell the real pills (or a medically-suitable facsimile), sell fake pills, or sell nothing & just take the customer's money. The latter option obviously precludes repeat business, but would seem to be the cheapest - no supplies, no shipping, no lab, etc. All the options are illegal, IANAL but I'd think simply taking the customer's money is probably "less" illegal than taking their money AND handling controlled substances. Fewer liability issues too - if the supplier sells a bad or fake drug, it could very well harm or kill someone. I simply don't see the incentive for the supplier to actually provide a product.
From a "customer" standpoint ... all the above is fairly self-evident, so why would I send money to someone who is very likely to give me nothing in return, or AT BEST may be giving me a substandard product? No matter how much I save over list price, the risk of faulty/no product is so high that it's simply not worth it.
So ... how does this work, exactly? Are enough people really so foolish that this becomes worthwhile?
Sometimes tsoalr.com shows me some strange text about Viagra etc. Maybe it's also infected...
The black hat SEO for image searches is really taking off too.
@Chris: There are probably a lot of scams out there, but the value of repeat business must also be high. New customers are far more costly and risky, especially for a criminal enterprise. Some of them probably go out of their way to focus on quality and service, under the same incentives of any retailer, silly as that may sound.
@chris As part of ongoing research in this area, we've made several hundred purchases for online pharmacies. We received shipment in response to each of our purchases and have not witnessed any fraud actions against the cards we've used. Generally speaking the pharmacy affiliate programs are contracting with drug distributors who in turn are contracting with various Indian pharmacies who drop ship directly to customers. Aside from schedule II drugs, our impression is that the programs generally believe that they are selling generic equivalents (in the few examples we tested the active ingredient did indeed match the real drug and in the correct amount, although we didn't test for contaminants, appropriate binders, etc). Moreover, the re-order market is a real part of their business. On the demand side, we did a recent study of Eva Pharmacy showing that roughly 2/3 of the drugs selected at checkout were either ED or drugs that are commonly abused (e.g., Soma, HGH), while the remaining 1/3 covers a broad spectrum of chronic conditions.
There is fairly strong evidence that the larger affiliate programs can pull in small 10's of millions per year in revenue. However, the cost structure does not favor the affiliate program itself, and the lion's share of each sale goes to the advertiser.
The question of "substandard" is an entire arena in itself, but I believe it coincides with Richard's point. Take penicillin or aspirin, for example. Both are cheap to make, easy to reproduce, and simple to handle; moldy bread can produce basic penicillin, while I could produce aspirin from a chemical process using vinegar or refine it from willow tree leaves. As Richard said, cheap and easy to make.
On the other hand, the sanctioned channels of distribution for penicillin and aspirin are vastly different. Being that penicillin and its derivatives are prescription-only, a supplier has to comply with local and federal drug laws, deal with state medical and pharmacy board oversight, and have a tracking system that keeps any and all interested agencies happy.
Add to that the manufacturer's requirements, the doctor and pharmacists licensing and training requirements, and you have a significant premium added to a chemical that, at heart, can be found on any old piece of bread.
From a customer point of view, the cost of the sanctioned distribution process may be (or appear to be) too high. There are always fringe populations who are desperate enough or predisposed to working outside the system when they can.
From a black marketer point of view, there is a demand out there that can be filled with even less risk than selling coke or heroin. The drug laws are still in place, but local police aren't as interested in hunting down an antibiotic/viagra/heart medication distributor as they are the local meth lab.
High-but-not-astronomical risk, medium-to-high profitability, and a ready-made customer base either cynical or burned badly enough by "teh system" to go outside normal channels--all the making of a business model.
(I used to work for a terminal distributor in managing risk and securing the facilities, so we spent a lot of brainpower and time getting a handle on how the whole system works.)
Anyone use ChangeDirection or Site Delta to keep tabs on a website, to get advised whenever it changes?
Cost to distribute really isn't an issue. If a drug is off patent, the market is already charging very little over the actual cost of production. The penicillin you used as an example is so cheap that people with insurance (but a co-pay) pay the same as people without insurance. Common antibiotics usually only cost about $4.00 for a full cycle at a real pharmacy.
The difference is noticeable for patent protected drugs. Viagra can be made cheaper, but Pfizer charges more than that cost to recoup development costs, compensate for risks taken during research and development, and profit. A knock-off only has to worry about cost to produce.
The cost has nothing to do with the channel and everything to do with patents (for good or for bad). There is virtually no black market for any pharmaceutical that has more than one generic on the market.
Amendment to previous post -- There is a black market for pharmaceuticals that are hard to get prescribed and addictive, but that isn't in the scope of the economic argument I was making.
This is considered BAD when the redirect is due to hacking. It is considered good when our own ISP does it to us, on behalf of outfits which have paid them advertising money to do so, and which may include some of these illicit pharmacies.
In neither case are we explicitly told this is going on, but I see it happening when I try to use Google searches ... the text I key in gets overwritten with something different from what I want, so I retry and retry, then use a workaround. It is also happening with my text input to Facebook.
They also love to spam wiki and Drupal installs. They have whole linkfarms created out of crap pages added to half-dead, unmaintained wikis. A few have even crumbled under the spam.
In other news, police are now using programs to predict crime hot spots and schedule officers to check on them:
Sending the Police Before There’s a Crime
Jaime: "If a drug is off patent, the market is already charging very little over the actual cost of production."
That depends on your cost of production. A legit company is supposed to maintain quality control, safety standards, etc., etc. The pirate manufacturer may or may not do so, and in any case is likely manufacturing in a country with lower labor costs and possibly lower equipment costs. While they're unlikely to match the bulk output of the large manufacturers and thus the economies of scale, they can still probably cut corners enough to make their price cheaper than the legit sources.
But yes, it's probably true that once a product doesn't have a "patent tax" on it, it's likely to nosedive in price to little over the cost of production and distribution. And clearly the incentive for a black market depends on a legit price that is higher than the black marketeer can charge.
But in the case of distribution, here again the pirate Web sites have an advantage over more physical retail distribution, not to mention a certain degree of freedom from regulation as David noted.
In the old days, according to the book I read, a small pirate manufacturer would sell until the FDA managed to find and come down on him with a fine or an order to go out of business. Then they would simply pull up stakes, move to another state, reprint their brochures and letterhead with a different company name, and go right on selling.
Today all they have to do is change their HTML headings and maybe their ISP and domain registration.
I understand what you are saying, but the total cost of a drug is not just in markup. To get a controlled (not just Controlled) substance, you have to go to a doctor (office visit fee, exam fee, test fees), spend possibly significant amounts of time waiting (hourly wages lost, personal and emotional inconvenience), and still end up being turned down or dismissed ("Need more testing", "Not that serious", "Let's try this first").
So, the ready-made audience for any prescription outside the approved methods can consist of (in no particular order):
--Abusers who don't want to get caught.
--Those who distrust the established medical system
--Those who believe (correctly or not) they know what they need
--Off-label use (differentiating from abuse in that a co-effect or side-effect may be the goal.)
I agree with your point, and others, that penicillin is really cheap and has little to no cost differential in many cases--but there is still a cost that some do not wish to pay.
As long as there is a market for pills online, we'll see even more audacious black hat attempts. Hey, someone has to be responding to those emails for cheap Viagra to pay the bills. I do wonder, at least in the US, whether the multiple computer fraud felonies for these blackhat techniques or the illegal distribution of controlled substances would get you more time? Of course, with the amount of money in play, few will be deterred.
There are different audiences for these online pill sites:
1. People who have no medical condition but want to obtain the drugs (e.g. buying opiates instead of buying heroin on the street, or buying Ritalin or Dexamphetamine instead of buying amphetamine on the street, or whatever). Or people who want to buy Viagra even though they don't have anything medically wrong with their reproductive organs.
2. People who have a medical condition but can't get a doctor to prescribe the drugs they want (e.g. they want the doctor to give them certain painkillers but the doctor won't give them what they want, so they go to online sites).
and 3. People where the doctor HAS prescribed particular drugs but they are looking to online sites as a cheaper source.
You mean Pfizer charges more than cost of production to recoup marketing costs and boost executive bonuses. Next to those, the development costs of the drug are hardly a blip on the radar.
"Requests from users arriving from search engines are checked for drug terms in the original search query. If a drug name is found in the search term, then the compromised server redirects the user to a pharmacy or another intermediary, which then redirects the user to a pharmacy.
All other requests, including typing the link directly into a browser, return the infected website's original content"
I guess their holy grail must be to infect a legit pharmacy company's site with this.
I wonder if this has been discussed here: http://research.microsoft.com/en-us/projects/...
It's a new AES attack. I can remember reading here some discussion about incrementing the number of AES rounds, but I don't know if this is related to that or a brand new family of attacks.
This is brilliant. It essentially means an arbitrary number of world wide webs running in parallel, with the one you see depending on the route you take to get to a particular site.
Besides the risk related to buying any product from a questionable distribution channel the real issue here is does a person own their body and can they (if they don't directly harm anyone else) engage in practices that they or their neighbors wish to prevent. I say if you don't own yourself all your other so-called rights are greatly diminished at best.
While it's true that few people are competent to diagnose their mental or physical illnesses, open and remote diagnostic medical technology seems poised to change this. Though the adage that a doctor who treats himself has a fool for a patient would still seem to apply.