Hackers Hijack Websites In Online Pharmacy Scam

Aug 12, 2011

People searching for prescription drug information online are being led astray by hackers and redirected to illicit online drug sellers in one out of every three searches.

"Legitimate health resources are completely crowded out," says Nicolas Cristin, a computer scientist at Carnegie Mellon University who discovered that 32 percent of sites that turn up in search results for prescription drugs had been infected with malicious code that waylaid the searcher. "It's very hard to find legitimate pharmacies, or information like what the [Centers for Disease Control and Prevention] would give you. This is drowned out in a sea of rogue results."

Hackers work the scam by sneaking their own code into a legitimate website. That way the site shows up on a Web search for a prescription drug. If someone clicks on the search listing, it forwards that person to an online pharmacy, not to the legitimate site. The owners of the real site usually have no inkling that hackers have hijacked the URL.

Shots tested the scam by Googling "Cialis no prescription," in search of information on the drug for erectile dysfunction — which Cristin predicted would yield interesting results. Sure enough, the first result showed the URL for a University of Massachusetts website belonging to a computer science laboratory with the words "Cialis No Prescription OVERNIGHT SHIPPING" above it. And when we clicked on the UMass URL we were ferried off to a site hawking generic Cialis for $3.30 a pill.

This isn't the only university site that's being hijacked: Four of the top six results returned in this Cialis search had .edu addresses. Some didn't connect to online pharmacies; Cristin speculates that the legitimate owners had fixed the site and removed the illicit redirect.

Hackers are more apt to choose .edu and .gov websites for these "search-redirection" attacks because they rank at the top of Google searches, and because they are generally trusted sources of information.

But increasingly, people seeking drug information through searches may not find what they're looking for. "I really recommend that you don't just blindly type a drug name in a search engine," Cristin told Shots. "There's a high possibility that the result will lead you to illegitimate websites."

Cristin and his colleagues found out about the search-redirection attacks by accident, after a friend asked why his blog was popping up in queries about Viagra. The Carnegie Mellon researchers spent six months running searches on prescription drug names, and found that one-third of the search results pointed to websites that had been infected by hackers. Cristin presented his results this week at the Usenix Security Symposium in San Francisco.

And for people who might be considering buying prescription drugs online, Cristin has one word of advice: don't. Go to your local brick-and-mortar pharmacy, he says, or if you must shop online, to the website of a pharmacy you know.

The Food and Drug Administration also counsels extreme caution when shopping for medication online. It recommends using only online pharmacies that are accredited by the National Association of Boards of Pharmacy.

Copyright 2011 National Public Radio. To see more, visit http://www.npr.org/.