Drug Dealers Hack Pharmacy Accounts to Steal Oxy Prescriptions

Cybercriminals break into pharmacy websites and apps, then steal accounts with prescriptions for different drugs, experts warn.

According to Kasada cybersecurity researchers, these accounts are then sold on the black market, giving people access to dangerous drugs without their doctor's permission.

Kasada noted that from April 2022, the number of pharmacy accounts sold on the black market began to increase. In the past 60 days, the number of stolen accounts has increased fivefold, they said, reaching "tens of thousands." Nor are these accounts at third-tier pharmacies: some of the affected pharmacies are among the largest in the United States.

A hacker's guarantee

“This activity is illegal and dangerous. It puts drugs in the hands of people without a prescription and enables drug addiction. It also takes prescription drugs away from people who legitimately need them,” Kasada said in a blog post describing its findings.

To get the accounts, the hackers use credential stuffing, trying endless combinations of usernames and passwords (or using credentials stolen elsewhere) until they break in. Most of the process is automated.

By selling these accounts, scammers provide access to controlled and highly addictive substances, such as Adderall or Oxycodone. The price for such an account, Kasada says, ranges from "what one would normally pay with an insurance copay" to "several hundred dollars." Buyers can even choose the pharmacy and the medication, and can pay for the service in cash or with cryptocurrency. Sellers, on the other hand, guarantee that the account will work properly. If not, they provide a new one for free to the buyer.

To obtain the medications, buyers can order online, using the credit card associated with the account (all they need to do is redirect the delivery address), or pick up the medication at the counter. Pharmacies often request personally identifiable information, such as birthdays, when dispensing medications. All of this information is available in the stolen accounts.
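For defenders, the two behaviours described above (automated credential stuffing, then a redirected delivery address) can be correlated in login telemetry. The following is an added example, not code from Kasada or the article; the event format, field names, thresholds and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (unix_time, source_ip, username, event_type).
# IPs come from documentation ranges; none of this is real data.
EVENTS = [
    (100, "203.0.113.7", "alice", "login_fail"),
    (101, "203.0.113.7", "bob", "login_fail"),
    (102, "203.0.113.7", "carol", "login_fail"),
    (103, "203.0.113.7", "dana", "login_ok"),
    (104, "203.0.113.7", "erin", "login_fail"),
    (105, "203.0.113.7", "frank", "login_fail"),
    (160, "203.0.113.7", "dana", "address_change"),
    (200, "198.51.100.20", "lee", "login_fail"),   # a user mistyping a password
    (230, "198.51.100.20", "lee", "login_ok"),
    (300, "198.51.100.20", "lee", "address_change"),
]

def stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Return IPs that tried many distinct usernames and mostly failed.

    Thresholds are assumed values; tune them against real traffic.
    """
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, user, kind in events:
        if kind in ("login_ok", "login_fail"):
            users[ip].add(user)
            total[ip] += 1
            fails[ip] += kind == "login_fail"
    return {ip for ip in users
            if len(users[ip]) >= min_users
            and fails[ip] / total[ip] >= min_fail_ratio}

def likely_takeovers(events, window_s=3600):
    """Accounts whose delivery address changed soon after a successful
    login from a suspected stuffing source."""
    bad_ips = stuffing_sources(events)
    hit_at, flagged = {}, []
    for ts, ip, user, kind in sorted(events, key=lambda e: e[0]):
        if kind == "login_ok" and ip in bad_ips:
            hit_at[user] = ts  # remember when the stuffing source got in
        elif (kind == "address_change" and user in hit_at
              and ts - hit_at[user] <= window_s):
            flagged.append(user)
    return flagged

if __name__ == "__main__":
    print("suspected stuffing sources:", stuffing_sources(EVENTS))
    print("accounts to lock and review:", likely_takeovers(EVENTS))
```

Flagged accounts are candidates for a forced password reset and a hold on the pending order until the owner confirms the address change.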

The Kasada researchers aren't sure what exactly happens to the drugs once people get them, speculating that they are resold or used.