How Cybercriminals Attack Pharmaceutical Companies
August 28th, 2018
The pharmaceutical industry is one of the most targeted industries on the web, especially in black market platforms. This comes as no surprise, as purchasing illegal substances has always been something that people are interested in, and where there is demand, there is a market. The price for illegal substances has continually risen and become a very profitable market for cybercriminals. But many people aren’t aware of the huge impact these illegal services have on the pharmaceutical industry. Stolen pills are available for sale online without the need for a doctor’s prescription, and at a lower price, both of which hurt the pharmaceutical companies’ market.
In this post, we share how cybercriminals target pharmaceutical companies to profit off the high demand for prescription drugs.
One of the main strategies in marketing is to advertise your product anywhere you can, especially in places where it will have a maximum impact. Hackers that target the pharmaceutical industry have come up with some interesting techniques to “market” their products, which we will discuss later in this blog.
Moreover, according to a study done in 2015, the profit for illegal substances is over $100M per year. Given this research is three years old, you can imagine how much profit has increased today! More recent statistics compiled by Europol in 2017 show that 5% of the illegal drugs on the darknet belong to the pharmaceutical industry, which contributes to the loss they experience every year.
Pharmaceutical Threat Actors and Techniques
In our research, we discovered a group of hackers that seem to focus specifically on the pharmaceutical industry. It seems that most of their activities are focused on building a business and distribution channel for selling illegal substances stolen from pharmaceutical companies. To gain market share and overcome their competitors (the pharmaceutical companies), these hackers sell their drugs at a lower price than those you can buy legally, and without the terms required for legal purchase, such as a doctor’s prescription.
We also came across a group of hackers that used some interesting advertising strategies. One tactic was building a site to recruit hackers that specialized in spamming. To incentivize spammers, they offered a commission of $250 per sale, which gives you an idea how much money they make from selling these drugs.
Image 1: Recruitment site for spammers to help sell prescription drugs
However, this was not the only tactic we saw them use. The group was also looking for hackers who sold admin credentials to pharmaceutical sites, enabling them to upload a page of their own on legitimate sites. This opened them to a whole new market of people unaware of the dark web’s existence.
Patented Drugs Sold in Black Markets
One of the most painful things for the pharmaceutical industry is when other entities try to sell patented pills and medications. Having a monopoly through patents generates huge profits for pharmaceutical companies, and can be a major source of a company’s income. When hackers sell a company’s patented pills on the dark web, they can significantly eat into the company’s profits. It also has the potential to damage brand reputation and make a company look less legitimate.
Image 2: Patented prescription drugs for sale on dark web forums
Although phishing campaigns pose a big threat to all industries, there are some sectors for which phishing is particularly threatening. The difficulty with identifying phishing sites is being able to detect them in the “infinity of the Internet”. Although there are a wide variety of security solutions that can help, many users are not aware of best practices and don’t use good judgement when using the Internet. This makes them vulnerable targets for hackers.
The challenge with detecting pharmaceutical phishing sites is that users don’t visit them frequently, so they can’t identify nuances in design and setup. For example, a user might visit their bank website a few times per month, so they are familiar with how the site looks and operates. If they were to encounter a phishing site for their bank, they are more likely to notice differences and figure out its malicious intent.
However, because most users do not visit pharmaceutical sites daily, these sites are easier to impersonate because users don’t have any familiarity with the legitimate site.
Image 3: Example of pharmaceutical phishing website
On the darknet, leaked databases are nothing new, but we’ve seen an increase in leaked pharmaceutical databases over the past few years. Hackers have learned that pharmaceutical companies carry the same personal information that their “more traditional” targets do (e.g. financial, retail and healthcare companies). This includes information such as credit cards, phone numbers, addresses, date of birth or any other data that can be used for fraud.
Moreover, pharmaceutical databases carry even more sensitive information, such as the pills a person is taking, which can reveal a patient’s illnesses or diagnosed health problems to hackers. This information can be used in a variety of ways:
- Customer Phishing: Imagine a hacker sends a phishing email to a patient saying “Click here to save 50% on [medication name] prescription!” There’s a good chance that user will click that link, because the email is highly relevant to them and prescription drugs can be expensive.
- Extortion: Extortion attacks are becoming increasingly popular among cybercriminals. If a hacker got data from a pharmaceutical company, they could try sending the company a sample of the data and demand a large sum of money to avoid going public with the information.
Image 4: Dark web forum listing of leaked databases, including pharmaceutical companies
Conclusion & Recommendations
For the most part, the biggest cyber threat to pharmaceutical companies revolves around the illegal sale of stolen pills on the dark web. However, in recent years, we have seen that hackers have started to target this industry through new attack vectors, such as leaked databases and hacking websites to promote their own product. These cybercriminals are not just single hackers either. We have seen whole underground operations develop, with full marketing campaigns and distribution channels, all with the purpose of selling stolen prescription drugs.
As a cybersecurity professional at a pharmaceutical company, there are a few things you should be doing to ensure you’re monitoring and responding to these threats:
- Dark Web Monitoring: Wouldn’t you want to know when a new user posts your drugs for sale online? Or what if a hacker is recruiting spammers for a new prescription drug campaign? These are key indicators that you can use to identify and mitigate cyber campaigns before they’re carried out.
- Customer Phishing Protection: Your weakest target is usually your customers, which is why hackers often use customer phishing to run their attacks. Yet, you have a responsibility to protect your customers from these attacks, even if you are not at fault for their origin. You should be monitoring for key phishing attack indicators, like newly registered domains that may try to mimic your company’s.
- Leaked Database Monitoring: While you never want your data to leak in the first place, it can happen to any organization. If it does happen, you need to identify it quickly to find out where the leak is. Monitoring for leaked databases can help you track down the source and stop any further leakage.
- Implement a Threat Intelligence Program: Many of the above activities can be accomplished and/or supported with a threat intelligence program. These programs can help you identify key indicators of attack, so you can take proactive security measures to protect your company and your customers.
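The lookalike-domain monitoring recommended under Customer Phishing Protection can be sketched as follows. This is an added example, not code from the original post or from IntSights; the brand domain, the feed of newly registered domains and the small confusable-character map are constructed assumptions.

```python
# Added example: flag newly registered domains that imitate a brand domain.
# BRAND and NEW_DOMAINS are constructed sample data, not real indicators.
BRAND = "examplepharma.com"
NEW_DOMAINS = ["examplepharma-refill.com", "examp1epharma.com", "exarnplepharma.net",
               "examplepharm.co", "examplepharma.net", "gardening-tips.org"]
# Small illustrative confusable map (assumption; production tooling uses larger tables).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def label(domain):
    """Label left of the TLD (simplification: no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def skeleton(text):
    """Map look-alike character sequences to the characters they imitate."""
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand=BRAND):
    """Return why a domain looks like the brand, or None if it does not."""
    if domain.lower().rstrip(".") == brand:
        return None  # the legitimate domain itself
    target, cand = label(brand), label(domain)
    if cand == target:
        return "tld-swap"        # same name under a different TLD
    skel, target_skel = skeleton(cand), skeleton(target)
    if skel == target_skel:
        return "homoglyph"       # identical once confusables are normalised
    if target_skel in skel:
        return "brand-keyword"   # brand name plus extra words
    if edit_distance(skel, target_skel) <= 2:
        return "typo"            # a couple of edits away from the brand
    return None

def scan(domains, brand=BRAND):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in domains if (r := classify(d, brand))}

if __name__ == "__main__":
    for dom, reason in scan(NEW_DOMAINS).items():
        print(f"{reason:14} {dom}")
```

The edit-distance threshold of 2 suits a brand label of this length; shorter brand names need a tighter threshold to avoid flagging unrelated domains.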
The fight against cybercriminals never ends. Make sure you stay on top of the latest threat trends to figure out the who, what, where, when and why behind cyberattacks that target your organization.
Want to learn more about how cybercriminals use the Dark Web to target companies? Check out our Dark Web 101 guide.
Orin Mor is a Security Researcher at IntSights, focused on hunting for new threats and threat actors on the Dark Web, and working to identify new attack strategies and vectors. Prior to IntSights, she served for 5 years as a Security Researcher in an elite intelligence unit in the Israeli Defense Forces, specializing in cyber operations, data mining and threat research.