Cybercriminals Are Using Bots to Steal Online Pharmacy Accounts

Bree Fowler Senior Writer

Cybercriminals are using bots to take control of pharmacy accounts, researchers say.


What's happening

Researchers for the cybersecurity company Kasada say cybercriminals are increasingly using bots to crack the passwords of online pharmacy accounts and steal access to them.

Why it matters

Some of those accounts are connected to prescriptions for dangerous and highly addictive drugs, which could later be sold on the black market.

Cybercriminals are increasingly deploying software bots to commandeer the online pharmacy accounts of everyday people, according to new research, allowing hackers to illegally buy prescription drugs and depriving patients of needed medications.

Researchers at Kasada, an Australia-based cybersecurity firm that focuses on bots, said they first spotted credential-stuffing attacks against online pharmacy accounts in April. In the months since, the researchers say they've seen tens of thousands of stolen online pharmacy accounts, a number that has ballooned five times over the last 60 days.

The stolen accounts included some with prescriptions for highly controlled and addictive medicines, such as Adderall and oxycodone, according to Kasada. Prices for the accounts ranged from just a few dollars to several hundred. Based on the volume of sales they've spotted over the past month, Kasada's researchers estimate that a single cybercriminal could make more than $25,000 per month selling stolen pharmacy accounts. 

"This is one of the most egregious and dangerous uses of bots we've ever observed," Sam Crowther, Kasada founder and CEO, wrote in the report released ahead of the annual Black Hat cybersecurity conference in Las Vegas, Nevada.  

To take over the accounts, cybercriminals load automated account-cracking tools, many of which are open source and widely available, with bots similar to those used for scalping high-demand items like concert tickets and collectible sneakers, Kasada said. The tools then bombard a pharmacy's website or mobile app with stolen usernames and passwords until a few of the combinations work and allow the cybercriminal to take over the accounts.

At that point, the cybercriminal can extract prescription and other sensitive information like the customer's name, birth date, phone number and method of payment. Those profiles are then put up for sale on online marketplaces, where drug seekers can choose and buy an account based on what kinds of prescriptions they're looking for, Kasada said.

In addition to painkillers and amphetamines, the researchers say they've seen other medications, including cough suppressants, anti-seizure drugs and anti-anxiety treatments available for purchase. 

To purchase the drugs, the account buyer could either use the credit card associated with the account, then change the shipping address, or pick up the prescription at their local pharmacy using the personal information associated with the account, such as the legitimate customer's birth date, to identify themselves.

From there, the purchaser can consume the drugs or resell them for a premium. Either option potentially puts dangerous drugs into the hands of people who shouldn't have them, Kasada said.
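For defenders, the pattern described above (one source trying many usernames with only a few successes, followed later by a shipping-address change on an account it got into) can be searched for in login logs. The following is an added example, not code from Kasada or the article; the event format, the sample events and the thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, event, detail).
# One source sprays eight usernames and gets into one; "dana" is an
# ordinary customer who mistypes a password once.
EVENTS = [("203.0.113.7", f"user{i}", "login_fail", "") for i in range(1, 8)] + [
    ("203.0.113.7", "user8", "login_ok", ""),
    ("192.0.2.10", "dana", "login_fail", ""),
    ("192.0.2.10", "dana", "login_ok", ""),
    ("192.0.2.10", "dana", "address_change", "ship_to=home"),
    ("198.51.100.20", "user8", "login_ok", ""),
    ("198.51.100.20", "user8", "address_change", "ship_to=new-address"),
]


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.2):
    """Map each suspicious source to the accounts it logged in to.

    A source is suspicious when it tried at least min_users distinct
    usernames and succeeded on at most max_success_ratio of them
    (both thresholds are assumed values to tune per site).
    """
    tried = defaultdict(set)
    succeeded = defaultdict(set)
    for ip, user, event, _ in events:
        if event in ("login_fail", "login_ok"):
            tried[ip].add(user)
            if event == "login_ok":
                succeeded[ip].add(user)
    return {
        ip: succeeded[ip]
        for ip, users in tried.items()
        if len(users) >= min_users
        and len(succeeded[ip]) / len(users) <= max_success_ratio
    }


def accounts_to_review(events, **thresholds):
    """Accounts a flagged source got into, with later address changes.

    Address changes are counted from any source, because the account
    may be used by someone other than whoever ran the login attempts.
    """
    flagged = find_stuffing_sources(events, **thresholds)
    report = {user: [] for users in flagged.values() for user in users}
    taken_over = set()
    for ip, user, event, detail in events:
        if event == "login_ok" and ip in flagged:
            taken_over.add(user)
        elif event == "address_change" and user in taken_over:
            report[user].append(detail)
    return report
```

Accounts returned with a non-empty list are candidates for a forced password reset and a hold on pending orders until the customer confirms the change.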