More than half of all sales at the world’s largest rogue Internet pharmacy in the last four years were charged to credit and debit cards issued by the top seven card-issuing banks, new research suggests.
Unlicensed pharmacies create public health risks and confuse consumers who are looking for safe and reliable prescription medicines. Rogue pharma Web sites are primarily advertised with the help of spam, malicious software, and hacked Web sites. Curbing this drug dealing activity would promote both public health and Internet users’ safety.
Recent findings highlight additional levers that policymakers could use to curb sales at rogue online pharmacies, by convincing the card-issuing banks to stop accepting these charges or by enacting legislation similar to that used to squelch online gambling operations.
The figures shown below come from sales data stolen from Glavmed, a Russian affiliate program that pays webmasters to host and promote online pharmacy sites that sell a variety of prescription drugs without requiring a prescription. Last summer, a source sent KrebsOnSecurity a copy of the Glavmed database, which includes credit card numbers and associated buyer information for nearly $70 million worth of sales at Glavmed sites between 2006 and 2010.
I sorted the buyer data by bank identification number (BIN), indicated by the first six digits in each credit or debit card number. My analysis shows that at least 15 percent of all Glavmed purchases — approximately $10.7 million in rogue pill buys — were made with cards issued by Bank of America.
The Glavmed sales using cards issued by the top seven credit card issuers were almost certainly higher than listed in the chart above. About 12 percent of the Glavmed sales could not be categorized by bank ID number (some card issuers may have been absorbed into larger banks). Hence, the analysis considers only the 88 percent of Glavmed transactions for which the issuing bank was known. More significantly, the figures in this analysis do not include close to $100 million in sales generated during that same time period by Spamit.com, a now defunct sister program of Glavmed whose members mainly promoted rogue pharmacies via junk e-mail; the leaked database did not contain credit or debit card numbers for those purchase records.
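The BIN grouping described above can be sketched as follows. This is an added example, not the code used for the analysis in this article: the BIN table, issuer names and sales records are constructed, and computing each issuer's share over categorized sales only is an assumption.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed BIN-to-issuer table (hypothetical issuers). A real analysis
# needs a BIN database, and some BINs will not resolve to a current bank.
BIN_TABLE = {"411111": "Issuer A", "601100": "Issuer A", "555555": "Issuer B"}

# Constructed sample records: (card number as stored, sale amount in USD).
SALES = [
    ("4111 1111 1111 1111", "120.00"),
    ("4111-1111-2222-3333", "80.00"),
    ("5555555555554444", "150.00"),
    ("6011000000000004", "50.00"),
    ("9999990000000000", "60.00"),  # BIN absent from the table
    ("41111", "40.00"),             # too short to carry a usable BIN
]

def bin_of(card_number):
    """Return the first six digits, or None if the value is malformed.
    Only the BIN is kept, so the full card number never leaves this function."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    return digits[:6] if len(digits) >= 12 else None

def sales_by_issuer(sales, bin_table):
    """Total sales per issuer, plus the fraction that could not be categorized."""
    totals = defaultdict(Decimal)
    uncategorized = Decimal("0")
    for card, amount in sales:
        issuer = bin_table.get(bin_of(card))
        if issuer is None:
            uncategorized += Decimal(amount)
        else:
            totals[issuer] += Decimal(amount)
    known = sum(totals.values(), Decimal("0"))
    grand_total = known + uncategorized
    # Rank issuers by sales volume, largest first.
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "issuers": [(name, amt, amt / known) for name, amt in ranked],
        "uncategorized_share": uncategorized / grand_total if grand_total else Decimal("0"),
    }

if __name__ == "__main__":
    report = sales_by_issuer(SALES, BIN_TABLE)
    for name, amount, share in report["issuers"]:
        print(f"{name}: ${amount} ({share:.1%} of categorized sales)")
    print(f"Uncategorized: {report['uncategorized_share']:.1%} of all sales")
```
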
The data help to draw a more complete picture of the financial infrastructure that powers the spam ecosystem. In May, researchers from two University of California campuses published findings from a three-month study of spam markets, during which they spent thousands of dollars buying drugs advertised via spam. The researchers discovered that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by three financial companies — based in Azerbaijan, Denmark and Nevis, West Indies. The full paper is available here (PDF).
The data from the Glavmed purchases suggest that the spam ecosystem could be crippled if banks stopped processing payments to a handful of institutions. They also show that such an effort would require action by relatively few card-issuing banks.
Stefan Savage, one of the authors of the University of California study, said there is no shortage of smaller financial institutions that are willing to take on riskier transactions such as online pharmaceuticals. But he said forcing rogue pharmacies to constantly seek new processing partners could put a serious dent in revenues.
“The issue is that it is not a cheap or quick transaction to set up a new banking relationship,” Savage told me. “You need to meet these guys, Visa or MasterCard needs signed credentials for both you and the bank, and this process can take a week at light speed to set up. So, even if you as a pharmaceutical organization can change processors, you can’t do it overnight. And on the flip side, it would take me seconds to figure out if a pharma organization switched [processing] banks. So, technically, if [card-issuing] banks were willing to adopt a blacklisting approach, there is absolutely no way these pharma outfits could keep up.”
I wondered whether Savage’s proposed approach would work, so I asked Igor Gusev, the founder of Glavmed. Gusev is a fugitive from his native Russia, which last year lodged criminal charges against him and his business. In a phone interview with KrebsOnSecurity, Gusev said putting more concerted pressure on the merchant banks would decimate the rogue pharmacy industry, which tends to coalesce around a handful of processors and switch processors in lockstep when forced to move. For example, since the University of California study was published, the pharmacies featured in the study that were processing at Azerigazbank (AG Bank) in Azerbaijan stopped using AG Bank and moved their business to another institution in that country — Bank Standard.
“They need to put pressure on the card processors which are monsters [that] only regulate on very negative public pressure,” Gusev said. “I think it would be a very powerful strike, and online pharma would be dead within two years if they could somehow switch off the merchants who [are] connected to online pharma.”