Bad Medicine
Robert Lemos
It's a regular visitor to your inbox: Spam that advertises cholesterol-fighting Lipitor, depression suppressor Zoloft, or lifestyle drugs, such as Viagra and Cialis.
Known as pharmaceutical spam, or pharma spam, the unwanted email messages are a staple of online criminals and gray marketeers. Every day, hundreds of millions of junk messages inundate email servers worldwide, with pharma spam accounting for as much as 70 percent of the digital deluge.
"Pharma spam is the thing that doesn't go away," says Joe Stewart, a researcher with network protection firm SecureWorks' Counter Threat Unit. With the high cost of healthcare and drugs, the continued pervasiveness of medicine-related messages is unsurprising, he says. "People are always going to buy prescriptions."
Accounting for anywhere between 79 percent and 93 percent of email volume on the Internet, according to Symantec, spam is a constant problem for both consumers and corporations. Pharma spam departs from run-of-the-mill email fraud in that the advertisers actually want to sell a product, not necessarily steal the victim's money or their data.
Yet, the drugs sold by the gray market pharmacies are most often unregulated, so customers do not know what they will get: Generics, homemade medicines, placebos, or worse.
"They may or may not contain active pharmaceutical ingredients," says Frederick Felman, chief marketing officer for MarkMonitor, a firm that focuses on protecting clients' consumer brands, including those of drug companies. "They are probably not made in the hygienic environments that the patent-owning drug companies are using. You might be getting it, but you are probably not getting something as pure."
In a study of the gray-market pharmaceutical industry, MarkMonitor collected spam and analyzed the nearly 3,000 medicine-selling sites advertised in the messages. The company's researchers ordered medicines from the companies online. They didn't test the efficacy of the drugs, but investigated the business model behind the sales.
Their conclusions: The gray-market pharmaceutical businesses were truly global enterprises. In one case, MarkMonitor contacted a seller that had connections with six different countries.
"The phone number for the seller was in Texas, the site (appeared) Canadian, the people spoke in Russian, the drugs came from India, and the credit card processing was in Israel," Felman said.
The degree to which the online pharmacies used outsourcing and global operations has surprised security researchers. In 2008, nearly half of all gray-market pharmacies were hosted in the United States. Today, that number has decreased to about a third, according to a report on the pharma-spam industry by brand-protection service MarkMonitor.
Among the trends: Canada has become an abused national brand in the pharma spam world. Many gray-market pharmaceutical sellers brand their sites as Canadian to take advantage of many Americans' belief that medicine in Canada is cheaper than in the U.S. The result: The general category of spam known as "Canadian Pharmacy" has surged to the top of the Register of Known Spam Operators (ROKSO), a list of the worst offenders in the bulk unsolicited email underground.
Big Returns, Little Risk
It's not hard to see why.
For spammers, advertising pharmaceutical products is a lucrative business. While some spammers send their messages on behalf of a specific online pharmacy, many spammers act as affiliate advertisers -- making money every time a recipient clicks on the link in the message to buy medicine.
One massive Russian online pharmacy, known as GlavMed, pays as much as 40 percent of each sale as a commission to the advertiser, according to research conducted by Dmitry Samosseiko of antivirus firm Sophos.
"Assuming that the average purchase is around $200, even a couple of purchases per day becomes a good source of income," Samosseiko wrote in a paper presented earlier this year.
GlavMed's site allows affiliates to access a member's page that gives them up-to-the-second statistics on customers referred, purchases made and commissions earned. Data on one statistics page viewed by the researcher showed that the spammer earned $1,600 per day for a single pharma-spam campaign. Most often, spammers use collections of compromised computers, known as botnets, to send an avalanche of advertising every day.
The large returns come with very little risk, says Amir Lev, chief technology officer for messaging-security firm Commtouch.
"The criminals are just moving their bots to send pharma," Lev says. "If they send more, they get more money, and (in most cases) the authorities are not going after them."
A Persistent Annoyance
Estimates vary on the fraction of spam that hawks medicines: Symantec found that pharma spam accounted for 28 percent of all unsolicited email in June, but fell to 7 percent in September, while McAfee estimated that nearly two-thirds of all spam intercepted in September led to a pharmaceutical site.
While Symantec pegs "Internet Goods" as its top category of spam, the topics frequently change. "It is not unusual for the bigger categories, such as health and Internet, to swap places," said Dermot Harnett, principal analyst for Symantec's Anti-Spam Engineering team.
In the past, for example, pharma spam fell far behind the volume of messages touting stock tips.
"There was a time, like three years ago, when stock spam ruled the world," says SecureWorks' Stewart. "But pharma spam has been around for a long time -- it's been (historically) the background noise of the spamming world."
During the holiday shopping season in November and December, spam messages advertising gifts and merchandise will likely top those marketing medicines. However, after the holiday season, pharma will likely dominate again, says Commtouch's Lev.
"When there is more merchandise spam, you might see less pharma spam," Lev says. "And when they are idle, pharma spam goes up again."
For the most part, the safest approach to pharmaceutical spam is to ignore it.
Rather than follow the advertisement, find a reputable online pharmacy. The National Association of Boards of Pharmacy lists 17 recommended Internet pharmacies.
Whatever they do, consumers should not click on the advertisement, says Symantec's Harnett.
"If you click on the link, then the spammer is winning," he says. "Because, if you click on the link, they get paid."
Copyright (c) 2010 Studio One Networks. All rights reserved.