Illicit online pharmacies resort to hacking to gain customers
Redirecting search results has produced higher sales than those originating from email spam, a study says.
By Pamela Lewis Dolan — Posted Sept. 5, 2011
Illicit online pharmacies are using a new sales scheme -- hacking into legitimate websites to redirect search engine traffic to their illicit pharmacies.
A study by researchers at Carnegie Mellon University in Pittsburgh found that about one in three online searches for prescription drugs results in the searcher being unknowingly redirected to websites belonging to illegal online pharmacies. By manipulating the search engines, these illicit websites also have crowded out legitimate online pharmacies, making it harder for consumers to find them.
Nektarios Leontiadis, a PhD candidate at Carnegie Mellon and co-author of the report, said the findings should alarm physicians, because if patients conduct a blind search online for drugs, they're likely to land on an illicit pharmacy site. Leontiadis' peer-reviewed research was accepted for presentation at the August USENIX Security Symposium in San Francisco.
There's no way customers can discern the legitimate websites from the illicit sites, Leontiadis said. In his research, he identified nine legitimate online pharmacies and 4,500 illicit ones. "So you can imagine how difficult it is to find a legitimate pharmacy," he said. Not only do illicit online pharmacies outnumber the legitimate ones, but the manipulation of search engines has caused legitimate sites to be ranked so low that they are much less likely to be visited.
The researchers looked at 185,000 websites that came up through online searches for drug information and found that 63,000 had been hacked so that they redirect Web traffic from one site to another. In other words, someone clicks on a link to website A and is automatically taken to website B.
Leontiadis said the method works because searchers generally click on a link because it's high up in a search and has related phrases that show up in the search engine. But they generally won't look at the actual Web address, which would be the address of the legitimate site that has been hacked, sending the searcher to the illegitimate site. Webmasters of the legitimate sites usually have no idea they have been compromised, he said.
The authors of the report also note that the conversion rate of clicks to actual sales is between 0.3% and 3%, much higher than the rate of sales associated with emailed spam. Leontiadis says purchasers usually get a product shipped to them, but there's no guarantee that what they ordered is what they will get, or that the product is safe.
The Food and Drug Administration issued a consumer safety guide warning consumers that drugs purchased online could be fake, expired, not FDA-approved, the wrong dosage, or not made or shipped using safe standards.
The National Assn. of Boards of Pharmacy issued a public health report in June that said 98% of the 8,000 online pharmacies it investigated were not in compliance with U.S. pharmacy law. Other reports say online pharmacies often are associated with credit card theft and sales of credit information. Many of these online pharmacies are not in the United States; a large number are Canadian.
The Justice Dept. has started to crack down on Canadian pharmacies targeting U.S. consumers. Google recently paid a $500 million fine for knowingly carrying advertising from Canadian pharmacies that sold drugs to Americans without prescriptions. The money represents revenue from the drug ads and revenue earned by the pharmacies from sales to U.S. customers.
The government's investigation found that Google has known since 2003 that Canadian pharmacies were illegally selling drugs online to Americans. The company said it has stopped carrying the ads. The settlement involved only advertising and not search engine results, including search-engine manipulation by pharmacies.
The Justice Dept. said Google acknowledged it "improperly assisted Canadian online pharmacy advertisers," but a company statement said Google has given up the practice, and that it shouldn't have "allowed these ads ... in the first place."
The FDA recommends that patients check to see if pharmacies are located in the U.S. by going through state pharmacy licensing boards. Legitimate online pharmacies will be licensed in all 50 states. Leontiadis said physicians also can provide patients with a list of legitimate online pharmacies. When patients type those Web addresses directly into the browser, they won't be redirected in the same way as when they click on websites in search engine results.