JACOB GOLDSTEIN, HOST:
It's Jacob Goldstein. Just want to let you know today's show is a rerun. It was first reported by Alex Blumberg back in 2013 with guest host Tracey Samuelson. It's a good one.
ALEX BLUMBERG, BYLINE: Chances are you've gotten an email like this one. Here's a good one. Subject, the greatest method to gratify your girlfriend - and then in the body of the email if you look down, there's a link to a website and the text, quote, "very good way to regain your loving life." Here's another one, also a favorite. Subject, the hottest method to please your beloved one and then a link to the website and the text, quote, "this could develop your bedroom life." As you know, a lot of these emails promise perhaps cheap Viagra online, sometimes other drugs that do the same thing as Viagra, although it's not always Viagra. Could be like this one - subject line, want to get good health for low prices? Welcome. There are low-cost med pills, exclamation point.
Now, if you're like me, you probably have some questions about these emails, questions like - who is sending them? Who is clicking on those links? And what happens when you do? Just so happens, we have answers to all these questions, answers that didn't require us to actually click on any of these spam links because something pretty crazy happened a while ago. There were two companies out there, shady, under-the-radar black market Internet companies. And some people estimate that these two companies alone were responsible for 50 percent of the spam that you or I got in our inboxes over the last five years. And these two companies apparently got in a fight with each other, a feud. And as part of that feud, they sabotaged each other by hacking into each other's private data and releasing each other's private business records online. They ended up in the hands of a cybersecurity blogger named Brian Krebs.
BRIAN KREBS: And we're talking about the contact information, the bank account information, the email addresses, phone numbers, sometimes passport information, for many of the biggest spammers on the planet - not only that, but all the personal information of all of the people who ever bought pills through these spam sites over four years, so 800,000 people's information, including their credit cards.
BLUMBERG: Hello and welcome to PLANET MONEY. I'm Alex Blumberg. And today, we dive into that data, a trove of information that lays bare the inner workings of the vast, underground business empire behind most of the spam in our inboxes. And we learned the surprising truth about what actually happens when you click on that link to buy Viagra.
(SOUNDBITE OF AARON KELLEY AND SKINNY WILLIAMS SONG, "LET'S DO WHAT WE WANT")
BLUMBERG: I'm joined on the program today by a guest host, reporter Tracey Samuelson. Hey, Tracey.
TRACEY SAMUELSON, BYLINE: Hi, Alex.
BLUMBERG: You have been immersed in this world of spam and the business behind spam for a while now, right?
SAMUELSON: Yeah. About 70 percent of all email bouncing about the world these days is spam. And a lot of that spam is promoting these drugs, like Viagra. And one of the most surprising things we learned from this big data dump as part of this feud between these two companies is that when you click that link promising to take you to an online pharmacy where you can buy these medications - ready for this? - it actually takes you to an online pharmacy where you can buy these medications.
BLUMBERG: (Laughter) Right. It's not, like, taking you somewhere else, somewhere horrible on the Internet. And it's not installing malware on your computer. And we actually talked to a researcher Stefan Savage at UC San Diego. And he looked through all this data that was released as part of this feud. And he says not only are these online pharmacies real, but...
STEFAN SAVAGE: If you actually get deep inside and look at the communications, it's very boring. All right? They spend a lot of their time on, like, HR kinds of problem - that oh, this employee isn't working well. This guy's a problem. How are we going to get a replacement for this? We lost this supplier. We need a new one. It's not this, you know, kind of super sexy, underground cybercrime. It's just - they're grinding along, you know. The gross margin for their business is about 20 percent. So they make 20 percent on every dollar sold. That's - it's a fine margin, but it's not like Apple.
SAMUELSON: Stefan says what we have driving all these emails is a full-fledged black-market industry, an industry you can actually think of as having three parts. So at the center, there are the actual online pharmacies. Stefan calls them rogue pharmacies. They're the ones that process your credit card and get you the drugs.
BLUMBERG: But in a way, even though these rogue pharmacies are at the center of this industry, they're the least interesting part. Basically, they're just like an online ordering platform, an online store, like the NPR Shop. You know, you go to npr.org. You click on NPR Shop at the top there, takes you to a page where you can buy an NPR mug or a Susan Stamberg totebag, the Susan Stam-Bag - I'm not kidding. These rogue pharmacies are like that, except instead of mugs and T-shirts, they're shipping you Vicodin and Viagra. But the basic function, processing credit card payments, fulfilling orders - it's the same thing.
SAMUELSON: Where it gets interesting is where we get to the part of the business that most of us have had contact with, spam. Imagine that you run an online pharmacy. You're pretty good at what you do. You've got competent, polite customer service representatives to take phone orders. You've got a wide selection of drugs. So how do you let people know about your service?
BLUMBERG: You can't just call up an ad agency on Madison Avenue and say hello, I'd like to create an advertising campaign to market my illegal Viagra. Remember, it's illegal what they're doing. They're selling prescription drugs without a prescription. So how do you get the word out about your business if you're in this situation? Spam.
KREBS: We wouldn't call what they're doing legitimate. It's illegal in this country, but the fundamental practice is they are trying to advertise this product.
SAMUELSON: Now, the spammers - they're not actually a part of the pharmacy. They're more like independent contractors. They work on commission with rates ranging based on how good they are at spamming. In these leaked documents that Brian got a hold of, you can actually read negotiations between one of the online pharmacy employees and a new spammer he's trying to recruit. Hey, how about spamming for us? - he asks in an instant message conversation.
BLUMBERG: And then, the spammer replies in instant message also - what are the payment conditions?
SAMUELSON: The pharmacy employee explains that everyone starts at 30 percent of whatever sales you generate. But if you send us lots of orders, we can bump that up.
BLUMBERG: The spammer then says, essentially, you know what, I'm really good at what I do, and I deserve a higher commission to start. To which the employee then replies, quote, "if you are indeed as good as you say, you will not stay at 30 percent for long."
SAMUELSON: This negotiation between the pharmacy and the spammer takes several weeks to conclude. After that first online conversation, the pharmacy employee actually asks the spammer for references to prove he's as good as he says he is. The spammer, in turn, asks what kind of credit cards do you process - all the major ones - Visa, MasterCard? And how secure are your servers?
BLUMBERG: And this makes sense, right? The spammer only makes money if there's a successful sale. So if he sends a potential customer to a website and the site is down, the spammer doesn't get money. Or if the site can't take the customer's credit card, the spammer doesn't make money. So the spammer wants to find all that stuff out.
SAMUELSON: Eventually, though, after vetting each other, the online pharmacy employee reaches out to the spammer again - again, via instant message - and says, quote, "I want to steal you. How can I make you interested?"
BLUMBERG: The spammer replies, quote, "by good conditions," i.e., terms.
SAMUELSON: What kind of terms do you want?
BLUMBERG: Well, give me sweeter conditions, and I am yours.
SAMUELSON: We will not give you more than 40 percent.
BLUMBERG: And that is where they land, 40 percent, which is the high end. So why was it so high for this guy? Well, apparently, according to Stefan, the researcher, there's a huge range in how effective these spammers, i.e. advertisers, actually are.
SAVAGE: Most of these advertisers don't make money. They're spamming, but they don't know how to do it well. And so they'll only make, like, $200 a year. The ones who are really good will pull in north of $1 million a year.
SAMUELSON: So what makes someone good? There's an art to crafting the right email subject line or figuring out how to get through spam filters. But what really puts you in demand as a spammer is having working email addresses that you can send spam to. A while ago, Sony got hacked. You may remember - it was in the news - and the personal information of millions of PlayStation users was stolen. That would be a treasure trove of information for a spammer.
SAMUELSON: To be able to say hire me, I've got these, I don't know, 70 million email addresses - working addresses - that I can push emails to. That spammer in the chat log, the one who got the 40 percent commission, he claimed he could send 500 million emails a day.
BLUMBERG: So 40 percent commission. But the online pharmacies will basically contract with lots of different people, sort of seems like the more, the merrier from this data. One of the big online pharmacies we know had agreements with over 3,500 different spamming outfits. And these pharmacies treated these spam contractors sort of like a loosely organized sales force. They would offer them the same kinds of sales incentives that you see regular businesses offering their sales forces all the time. They'd host conferences for them.
SAVAGE: And they would have contests where you could win things. You know, the biggest spammer for this product would win, you know, a Humvee, that kind of thing.
BLUMBERG: Oh, really?
SAVAGE: Oh, yeah. All of these guys, in their heyday - Rx-Promotion, I think you would - you won a bar of gold if you were the spammer of the year.
BLUMBERG: OK. So you've got the online pharmacy. They're the ones who process the payments and fulfill orders. You've got the spammers, which is basically the marketing end of the business. And then there's this third part of the industry, the actual suppliers. When the online pharmacy processes your credit card and ships you your Viagra, where did that Viagra come from? Not, it turns out, from the actual pharmacy.
SAVAGE: They don't actually, typically, warehouse any drugs themselves. All right, they're not manufacturers. They're not - they don't actually have any stocks on hand. So they'll contract with third parties who have access usually to generic drug manufacturing in India and China who will then take off the appropriate amount of drugs and put them in a brown envelope and mail them to you.
DAVE KECK: Packaging - it was - it wasn't what I would call professional. Like, if you were to order something from Amazon.com, it's very professionally packed. What I got from this pharmacy was in, like, kind of a binder. And they included one packaging of the actual - of the medicine. And - but the rest was just kind of taped down to the inside of this binder, so it looked pretty suspicious.
SAMUELSON: Who actually buys drugs from these online pharmacies? Here's one guy, Dave Keck. He's a student and a software developer who had some moderately bad acne and no insurance.
KECK: I called Walgreens, and they said it was going to be about $600 for a month's supply of what I researched is what I should take. It was going to be pretty expensive. And on this online pharmacy, I think it was, like, $40 for the same amount. So that was a no-brainer.
SAMUELSON: The pill Dave wanted to take was Accutane. You're only supposed to take it under a doctor's supervision because it can actually have some pretty serious side effects, everything from nosebleeds to problems with your liver. Dave knew the risks, but he also knew that he couldn't afford $600.
BLUMBERG: So he found an online pharmacy located in Latvia, and three weeks later, when that suspicious package arrived, he was faced with a moment of truth. Sitting with his glass of water, his blister pack of pills with, not Latvian, but Turkish writing all over it in front of him - and if you've ever wondered what goes through the mind of someone who is about to ingest pills that they've ordered off the Internet for the first time, wonder no longer.
KECK: I'm thinking there's two possibilities. This is either a placebo, or it's the real thing.
BLUMBERG: There's a third possibility there (laughter).
KECK: Poison - is that what you're thinking, poison?
BLUMBERG: Yeah (laughter). Something between placebo and real thing.
KECK: Well, my thinking was, I guess, those three possibilities. And I was thinking poison's just going to be more expensive. These people probably just want to make money, so it's going to be a sugar pill or the real deal. So - and after I had taken it for about a week, I was 100 percent sure that it was the real deal just based on the side effects. Like, the side effects are, you know, completely documented, and that's exactly what I experienced.
SAMUELSON: His skin got really dry, his lips got chapped, and his acne got better. He took the pills for about six months and still has maybe 30 left. He says he'll pop a pill every now and then if his skin gets really bad. But mostly, he doesn't need it anymore.
BLUMBERG: Dave's in school now, and he's pretty sure he has insurance through the school. So he says if he needed something, he'd probably go through a doctor. But then again...
KECK: It's so easy, you know, to buy it off this website that if I felt comfortable, like, if there weren't documented cases of people falling over dead for whatever medication it was, you know, I might consider it. And the thing is, like, a lot of people have more severe diseases. You know, acne, like, whatever - but, like, if you actually have - you know, like, this pharmacy company online sells stuff for, like, epilepsy and other stuff. And I mean, if you have an issue like that and you can't afford medication, that's...
BLUMBERG: A pretty compelling reason to use an online pharmacy. According to Stefan's research and that gigantic leaked data set, the vast majority of people who use these online pharmacies, about 75 percent, bought Viagra or other erectile dysfunction drugs.
SAMUELSON: And you can imagine the bulk of those orders were probably for the usual reasons. People who are ordering Viagra are embarrassed to talk to their doctor about it or maybe wanted to keep it secret from a spouse.
BLUMBERG: But one of the more surprising findings lurking in that data was that there is a sizable percentage, up to 15 percent of the customers, most of whom were in the U.S., who were using these pharmacies like Dave did, to buy regular medications to treat everyday health problems. And Tracey, you actually spoke to some of these customers who actually had their information leaked as part of this feud that we've been talking about.
SAMUELSON: Right - names, addresses, phone numbers, what they ordered. Brian Krebs, that cybersecurity blogger we heard about from in the beginning, sent me a few examples of people who had ordered everyday medicines, not Viagra. And he gave me their phone numbers, so I called them up.
BLUMBERG: And you actually talked to them on the phone.
SAMUELSON: Yeah. Not surprisingly, they didn't want to be recorded. But I got a couple of stories that were like Dave's, pretty positive. There was this one guy who'd ordered a whole bunch of stuff from heartburn medication to blood thinners. He'd been doing it for a couple years and had no plans to stop. And then I found another guy online who'd been ordering diabetes medications twice a year for 10 years without incident. He was fine.
BLUMBERG: And Stefan, the researcher, says that in his experience, most of these drugs that you order from the sites, they seem to be legitimate.
SAVAGE: For legal reasons, we can't buy every drug, and we're not equipped to test everything. I will say that drugs that we have tested, the right active ingredient has appeared in the right amount. And I will say that from the standpoint of the people in this business - from their own communications with each other, they believe that they are selling an equivalent product.
BLUMBERG: You have access to lots and lots of communications between the two of them.
SAVAGE: Yeah. We've seen a lot of their - their crank communication with one another.
BLUMBERG: So Tracey, are we (laughter) actually saying to people - go ahead. Click on that spam for all your prescription medication needs? We're not saying that, right?
SAMUELSON: Well, I don't know. To each their own, I guess. But personally, after playing around in this world for a little while, I probably would not use one of these sites.
BLUMBERG: Would not.
SAMUELSON: Would not. First of all, I don't know. I would still worry that I would wind up with some drug that would make me sick.
BLUMBERG: You're not a risk-taker like Dave Keck.
SAMUELSON: Maybe a little more conservative than Dave. And even though a lot of people, like Dave, had good experiences with these sites, I also talked to people who were, shall we say, less than pleased. There was one guy who'd ordered blood pressure medication for a couple of years. And everything was fine until one day, he got a batch that made him really sick. And that was, obviously, enough for him to stop ordering. Then, there was a woman who ordered antidepressants, but she didn't even take them because it looked so sketchy.
BLUMBERG: The packaging.
SAMUELSON: The packaging, exactly. And both of them, when they stopped ordering, they were harassed by these pharmacies trying to sell them more stuff - literally 10 calls a day and emails all the time. It was actually hard to reach them because neither of them would answer their phones anymore for numbers that they didn't know.
BLUMBERG: Although you can avoid that just by creating a separate phone number and email address if you wanted to.
SAMUELSON: If you want to get crafty, sure. But the credit card information still has to be yours. And I guess my second main concern would be having lots of personal information in the hands of spammers and black-market pharmacies.
BLUMBERG: Yeah. You are conservative, aren't you? What, you don't want, like, your credit card information in the hands of black-market pharmacies on the Internet? The two pharmacies we mentioned as having this feud, they set out to destroy each other, and they basically succeeded. They're pretty much defunct right now.
And in general, the black market, rogue pharmacy business, it's hurting. It's being targeted by law enforcement. The prescription drug manufacturers themselves are pressuring the credit card companies to stop processing payments for these guys. But the demand is still there for cheap drugs and secret Viagra. So it's safe to assume rogue online pharmacies will continue to pop up to meet that demand. And as proof, I offer this humble search term - cheap Viagra, no prescription. No prescription is an autofill, by the way.
SAMUELSON: Nature abhors a vacuum.
BLUMBERG: It does indeed. Stay shady, Internet.
(SOUNDBITE OF JAMES DRISCOLL, PETER LUKE ADAMS AND SKINNY WILLIAMS SONG, "DON'T LOSE YOURSELF")
GOLDSTEIN: Since we did this show back in 2013, it does seem like we're getting less spam in our email inboxes. But this problem of black-market pharmacies has proved really persistent. Just a few months ago, the National Association of Boards of Pharmacy put out this new report. They said there are still thousands of these online black-market pharmacies.
Let us know what you thought of the show. You can find us on Facebook or email us at firstname.lastname@example.org. The episode was originally produced by Jess Jiang. Today's version was produced by Elizabeth Kulas. The hosts of the show were Alex Blumberg and Tracey Samuelson. I'm Jacob Goldstein. Thanks for listening.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.