Swine Flu fears makes millions for Russian hackers

November 16, 2009 Sophos Press Release

As the number of reported swine flu cases in Britain climbs to an all-time high, IT security and data protection firm Sophos has added its voice to government warnings against buying Tamiflu and other medicines over the internet. Panic-induced stockpiling by individuals who aren't officially classified as being at risk of contracting swine flu, and therefore anxious they won't receive Tamiflu from the NHS, will not only line cybercriminals' pockets with millions of pounds in cash but also grant them access to sensitive personal data to be used for other crimes.

Tamiflu website

Sophos's indepth look at how these underground web affiliates, which form networks called the Partnerka, profit from online sales of Tamiflu and other medicines was revealed today in a whitepaper entitled "The Partnerka - what is it, and why should you care?" [PDF]

Working inside an organised criminal network alongside the businesses running online pharmacies, the Partnerka generate traffic to those sites for an agreed share of the profit. Many of these pharmaceutical sites brand themselves as "Canadian Pharmacy" in order to appear as a more trusted website to unsuspecting internet users.

This year, Sophos has intercepted hundreds of millions of fake pharmaceutical spam adverts and fake pharmaceutical websites, promoted by affiliate members. Working day and night, thousands of affiliates use criminal methods including spam, adware and malware to drive as much traffic to their partners' stores as possible, which then sell high-profit illegal goods as part of a multi-million dollar industry. The top five countries purchasing Tamiflu and other drugs from the Canadian Pharmacy, and thus unwittingly assisting additional criminal activity, are the United States, Germany, United Kingdom, Canada and France.

Although the precise number of affiliates is ever-changing, it is projected that there are thousands in operation at any one time. Sophos's research has discovered that on one of the more popular affiliate networks operated out of Russia, it is possible to earn an average of $16,000 a day promoting pharmaceutical websites - totalling $5.8 million a year. But the criminals can be members of more than one affiliate network, and some have boasted of earning more than $100,000 per day.

The rewards for selling drugs online can be substantial

Sophos is warning that concerns about the severity of swine flu, which has led to more than 6,500 deaths worldwide and may reach as high as 40,000 before the end of pandemic, has the potential to drive even greater volume of traffic and total sales to Partnerka websites.

The worrying trend of stockpiling Tamiflu has already been seen in Britain. Not only did large corporations come under fire for stockpiling Tamiflu this summer, Sophos further uncovered that this July, when concerns that global Tamiflu production were falling behind schedule, there was a 1400% increase in UK internet searches for Tamiflu.

"As there's a very good chance the swine flu pandemic has not yet hit its peak, Sophos has issued this warning to help prevent another significant influx of cash and unwitting transfer of personal details to Partnerka affiliates," said Graham Cluley, senior technology consultant at Sophos.

Pharmacy website selling Tamiflu

The business model for exploiting online purchases is fairly simple. Once someone searches online for medicines such as Tamiflu, they are directed to online pharmacies to purchase a generic and very possibly counterfeit version of the drug. What most people don't know is that cybercriminals have manipulated internet search engine results to drive as much online traffic as possible to these sites. Furthermore they bombard innocent users with adverts via spam email sent from hijacked computers and hacked social networking accounts.

Pharmacy spam

Profits can range between 20% - 40% for each of the parties involved, depending on who has the upper hand in the relationship. Although unwitting buyers do often receive some kind of drug as result of the transactional exchange, at best the drug doesn't work and at worse it can pose serious health risks.

"As more and more cases of swine flu in the UK come to light, it is essential that we all resist the panic-induced temptation to purchase Tamiflu online," continued Cluley on his blog.

"The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers' health, personal information and credit card details at risk. They have no problem breaking the law to promote these websites, so you can be sure they'll have no qualms in exploiting your confidential data or selling you medications which may put your life in danger. If you think you need medication contact your real doctor, and stay away from quacks on the internet."