People searching for prescription drug information online are being led astray by hackers and redirected to illicit online drug sellers in 1 out of every 3 searches.
Online search performed Aug. 12, 2011
Search for "Cialis no prescription" and you'll find university websites that hackers have hijacked to redirect you to illicit online pharmacies.
"Legitimate health resources are completely crowded out," says Nicolas Christin, a computer scientist at Carnegie Mellon University who discovered that 32 percent of sites that turn up in search results for prescription drugs had been infected with malicious code. "It's very hard to find legitimate pharmacies, or information like what the [Centers for Disease Control and Prevention] would give you. This is drowned out in a sea of rogue results."
Hackers work the scam by sneaking their own code into a legitimate website. That way the site shows up on a Web search for a prescription drug. If someone clicks on the search listing, it forwards them to an online pharmacy, not to the legitimate site. The owners of the hacked site usually have no inkling their URL has been hijacked.
Shots tested the scam by Googling "Cialis no prescription," in search of information on the drug for erectile dysfunction — which Christin predicted would yield interesting results. Sure enough, the first result showed the URL for a University of Massachusetts website belonging to a computer science laboratory with the words "Cialis No Prescription OVERNIGHT SHIPPING" above it. And when we clicked on the UMass URL we were ferried off to a site hawking generic Cialis for $3.30 a pill.
This isn't the only university site that's being hijacked: Four of the top six results returned in this Cialis search had .edu addresses. Some didn't connect to online pharmacies; Christin speculates that the legitimate owners had fixed the site and removed the illicit redirect.
Hackers are more apt to choose .edu and .gov websites for these "search-redirection" attacks because they rank at the top of Google searches, and because they are generally trusted sources of information.
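For a site owner, the telltale sign of the hijack described above is a page that answers normally when visited directly but redirects off-site when the visit arrives from a search listing. The following is an added example, not code from the article or the researchers: it compares two captured HTTP responses for that difference, covers HTTP redirects only, and assumes the injected code keys on the Referer header. The host names and responses are constructed.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def redirect_host(raw_response):
    """Return the absolute host a raw HTTP response redirects to, or None."""
    lines = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    if int(parts[1]) not in REDIRECT_CODES:
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            host = urlsplit(value.strip()).hostname
            # A relative Location has no host and stays on the same site.
            return host.lower() if host else None
    return None

def same_site(host, site):
    """True if host is the site itself or one of its subdomains."""
    return host == site or host.endswith("." + site)

def check_search_redirection(site, direct, via_search):
    """Compare a direct fetch with one carrying a search-engine Referer."""
    d, s = redirect_host(direct), redirect_host(via_search)
    direct_off = d is not None and not same_site(d, site)
    search_off = s is not None and not same_site(s, site)
    if search_off and not direct_off:
        return ("cloaked-redirect", s)   # only search visitors are diverted
    if search_off:
        return ("unconditional-offsite-redirect", s)
    return ("clean", None)

# Constructed sample captures: the same URL fetched twice.
DIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>lab</html>"
VIA_SEARCH = ("HTTP/1.1 302 Found\r\n"
              "Location: http://store.example.net/offer\r\n\r\n")
TO_WWW = "HTTP/1.1 301 Moved\r\nLocation: http://www.lab.example.edu/\r\n\r\n"

if __name__ == "__main__":
    print(check_search_redirection("lab.example.edu", DIRECT, VIA_SEARCH))
```

A "cloaked-redirect" result is consistent with the owner seeing nothing wrong when opening the site directly.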
But increasingly, people seeking drug information through searches may not find what they're looking for. "I really recommend that you don't just blindly type a drug name in a search engine," Christin told Shots. "There's a high possibility that the result will lead you to illegitimate websites."
Christin and his colleagues found out about the search-redirection attacks by accident, after a friend asked why his blog was popping up in queries about Viagra. The Carnegie Mellon researchers spent six months running searches on prescription drug names, and found that one-third of the search results pointed to websites that had been infected by hackers. Christin presented his results this week at the Usenix Security Symposium in San Francisco.
And for people who might be considering buying prescription drugs online, Christin has one word of advice: don't. Go to your local brick-and-mortar pharmacy, he says, or if you must shop online, to the website of a pharmacy you know.
The Food and Drug Administration also counsels extreme caution when shopping for medication online because of all the bogus and potentially dangerous products floating around. It recommends using only online pharmacies that are accredited by the National Association of Boards of Pharmacy.