Spam Nation (11 page)

Read Spam Nation Online

Authors: Brian Krebs

Tags: #Political Science, #Security (National & International), #Business & Economics, #Industries, #Computers & Information Technology, #Pharmaceutical & Biotechnology

SpamIt pharmacies, for example, relied on pills bulk-shipped by
at least forty different suppliers, but the vast majority of the medications sold via their spamvertized sites came from a half-dozen drop shippers in India and Hong Kong. According to information pieced together from the SpamIt affiliate database and the Stupin online chats, the top suppliers for SpamIt included Sai Balaji Enterprises and Hemant Pharma (doing business as “Chinmay Overseas”), both from Mumbai, India. Other top suppliers for SpamIt included Trans Atlantic Corp., based in Hong Kong, and Shri Kethlaji Traders in Sumerpur, India.

The trouble is that the GlavMed-SpamIt order fulfillment system appears to have selected suppliers and drop shippers automatically based on which one recently bid the lowest for the class of drug the customer is seeking. The spam pharma companies have no idea whether these drugs are safe for consumer consumption—or whether they’re even the real drugs or fake ones stuffed with potential poisons and toxins like what killed Marcia Bergeron.

In short, customers who order drugs from spam may be playing a dangerous game of Russian roulette.

Digging deeper, I discovered that GlavMed kept scrupulous records of customer service complaints and requests. Thousands of complaints from customers appeared in the leaked GlavMed database, yet relatively few of them pertained to the quality of the drugs that were delivered. Rather, most complaints were about delays in receiving the ordered drugs or were lodged by customers who received the wrong medications or were unhappy with how the drugs were packaged.

One exception was a transaction made by Deborah G., a resident of the United Kingdom. Deborah ordered weight-loss drugs and other items from pillaz.com—a site advertised by a spammer working for Igor Gusev’s GlavMed affiliate program. According to the GlavMed customer complaint database, the pills that Deborah ordered sent her to the emergency room. The London resident described herself as a forty-three-year-old woman who weighed more than two hundred pounds
but who had no allergies or current medications. In 2010, she paid $437.39 (not including shipping) for a veritable medicine cabinet of prescription drugs, including:


One hundred eighty (20 milligram) tablets of the anti-obesity drug Acomplia.


Sixty doses of Xenical, a drug that blocks the absorption of fat in certain foods.


A three-month supply of Hoodia, an organic weight-loss supplement.


Four tubes of acne-fighting tretinoin cream.

Not long after ingesting her new pills, Deborah fell into a deep depression and had to be admitted to the hospital after she began to feel sick to her stomach. Suspecting that the tablets she’d received from her online order may have been tainted, she brought the drugs to a lab to have them professionally tested.

“On testing, they discovered they were completely fake,” Deborah said in her emailed complaint to GlavMed’s customer support team. According to Deborah, the lab results revealed that some of the pills contained a variety of inactive and decidedly hostile ingredients, including poisons, cement, and talcum powder.

Deborah later lodged a threatening complaint at the site from which she’d ordered.

“I want ALL my money back. I will gladly post back the tablets, and no further action will be taken,” she wrote in a comment included in the SpamIt database. “However if I do not receive this I will face no other option than to go to the police and all the customs authorities dealing with counterfeit drugs, and trust me, I will get you prosecuted. I will expect a full refund for all your poisons immediately.”

Records show that the SpamIt-affiliated pharmacy site complied, posting a full refund to Deborah’s credit card. Again, the last thing these rogue online pharmacies want is to be pulled onto the radar of law-enforcement authorities or to have unsatisfied customers issue chargebacks, which could endanger the online pharmacy’s ability to take credit cards (which would kill its business) and could cause it to incur heavy fines.

Given the quantity of fake pharmaceuticals that flood markets in North America and Europe each year—and the potential brand damage and profit losses wrought by rogue pharmacies—one would think the powerful and influential pharma industry would use its might to show just how dangerous these drugs can be. Indeed, the story of Bergeron’s death is almost always recited in some form whenever experts allied with the pharmaceutical industry talk about the need to eradicate rogue Internet pill shops.

Yet, neither the Food and Drug Administration (FDA) nor the giants of the pharmaceutical industry appear to have taken concrete steps to fight back against these rogue online competitors, though it’d be easy to show whether the drugs being offered through them contain harmful ingredients or at least dangerously low or high levels of the active ingredients compared to legitimate versions of their pills.

John Horton, president of LegitScript, a company that maintains a searchable database of thousands of approved and “rogue” pharmacy websites, said the FDA occasionally publishes the results of chemical testing done against dietary supplements and some prescription drugs bought from online pharmacies, but that few comprehensive studies have been conducted.

“It’s fair to say that there’s a dearth of testing,” said Horton, a White House aide on drug policy issues during the administration of President George W. Bush, from 2002 to 2007. “I think one of the problems you run into is that these tests are expensive. Also, it’s difficult to scientifically study and analyze the chemical composition of these drugs ordered
from rogue pharmacies because those pharmacies constantly are switching suppliers.”

According to LegitScript, there are more than 41,000 active Internet pharmacies, yet only one-half of one percent of those (slightly more than 200) are approved and legitimate web pill shops. In other words, if you order from one, you have more than a 99 percent chance of using an illegitimate, unapproved website. The company ranks pharmacies as legitimate if they meet a set of criteria, including registration with the U.S. Drug Enforcement Agency and possession of a legitimate license to dispense drugs. But most importantly, the pill shop must ask for and receive a legitimate, doctor-ordered prescription before shipping prescription drugs to Americans.

To make matters worse, Horton said many of the 40,000-plus rogue online pharmacies rely on multiple suppliers, meaning that the quality and safety of the drugs they ship can shift from day to day as prices in the wholesale and drop-shipping markets fluctuate.

“Most of these pharmacy affiliate programs don’t just have one supplier,” Horton said. “Some of the bigger ones have dozens. So, just because a given drug from a specific pharmacy program tests as genuine one day doesn’t mean it’s going to be the same genuine drug the next time someone orders it.”

But Horton believes perhaps the single biggest reason neither the FDA nor the pharmaceutical industry has put much effort into testing is that they’re worried that such tests may show that the drugs being sold by many so-called rogue pharmacies are by and large chemically indistinguishable from those sold by approved pharmacies.

“Frankly it’s sort of a double-edged sword,” Horton said. “Let’s say you test Rx-Promotion’s drugs and they turn out to be real, to be chemically equivalent to the stuff you’d get from your local pharmacy. Does it then follow that by publishing those results, you are almost implicitly endorsing the site that sold those drugs?”

Thus, most of the work of testing pills sold by rogue pharmacies
has fallen to academic researchers attempting to unearth data on the safety and efficacy of prescription medications ordered through spam. Stefan Savage, a professor in the systems and networking group at the University of California, San Diego (UCSD) led a research team that spent many months in 2011 making more than eight hundred test orders from pill shops advertised via junk email.

“The prevailing wisdom was that these pharma shops took your money and ripped off your credit card, and you never got jack,” he said. “We wanted to know if you ordered from these stores whether you actually got anything, and if so, where it came from, who did the payment processing, all that stuff.”

Savage said the group was surprised to learn that the drugs they purchased and tested all seemed to have the right active ingredients in roughly the correct amounts, but they weren’t able to test the drugs for contaminants that may have introduced health risks for customers.

“For legal reasons we can’t buy every drug, and we’re not equipped to test everything,” Savage said. “But in the drugs that we have tested, the right active ingredient has appeared in the right amount. So it really seems like from the standpoint of the people in this business and their communications with each other that they believe they’re selling an equivalent product” to what consumers would otherwise get at a local drugstore, he said.

In 2012, Savage and his fellow UCSD researchers, along with researchers at the International Computer Science Institute and George Mason University, examined caches of data tracking the day-to-day finances of GlavMed, SpamIt, and Rx-Promotion. The result is perhaps the most detailed analysis yet of the business case for the malicious software and spam epidemics that persist to this day. They found that repeat customers are critical to making any rogue pharmacy business profitable. Repeat orders constituted 27 percent of average program revenue for GlavMed and 38 percent of that revenue for SpamIt. For Rx-Promotion, revenue from repeat orders was as much as 23 percent of overall revenue.

“This says a number of things, and one is that a lot of people who bought from these programs were satisfied,” Savage said, noting, however, that many of the repeat customers were purchasing controlled and habit-forming prescription drugs, including painkillers. “Maybe the drugs they bought had a great placebo effect, but my guess is these are satisfied customers and they came back because of that.”

♦    ♦    ♦

By far the most important question about the pills pimped by the spam business is the efficacy and safety of the drugs. I interviewed hundreds of U.S. residents who purchased prescription drugs from the pharmacy sites advertised through SpamIt, and received a panpoly of responses about the effectiveness of these pills. But none of those I interviewed could tell me about the safety of the drugs or their purity.

For that, I’d hoped to enlist the help of chemists and researchers. Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham (UAB), had sought to conduct much of the same research, but ran into bureaucratic hurdles left and right. So not long after receiving a copy of the GlavMed-SpamIt data, I shared it with Warner. He, in turn, tried to get various pharmaceutical firms interested in using the data to open a broader, well-funded investigation into these rogue online pharmacies. But his efforts were met with little success.

The sprawling campus of UAB is also known as “the University that Ate Birmingham,” and it’s not hard to see why. The city of Birmingham is home to fewer than a quarter-million residents, and about one in ten are students at the university.

On the fourth floor of a nondescript brick building smack in the middle of the campus is the UAB computer forensics lab, where Warner spends eight to ten hours a day with a mix of undergraduate, graduate, and PhD students who, like me, seem to be infected by a passion for going after Internet bad guys.

Warner is standing in front of a floor-to-ceiling whiteboard that is covered with equations related to a mathematical algorithm that the computer lab’s twentysomething geeks are trying to work out. He is gesturing at rows of computer servers and Mac OS X systems that line either side of the climate-controlled and tightly secured room, which is used in part by university students laboring under a grant from the Defense Advanced Research Projects Agency (DARPA) to create and study malicious software in a lab environment.

A complete and unabashed caffeine junkie, Warner is slurping from his third diet Mountain Dew of the day. He’s talking excitedly about the dangers of ordering from unlicensed Internet pharmacies, irrespective of whether the pills themselves are real and chemically equivalent to pills that customers might otherwise purchase from a local pharmacy.

Part of the problem, Warner said, is that many unlicensed Internet pharmacies will happily ship a variety of drugs whose use has been banned or highly restricted in the United States because of the drugs’ tendency to induce dangerous side effects—without offering any warnings or instructions on using the medications.

For example, pharmaceutical giant Roche decided to pull its anti-acne drug Accutane from the U.S. market after juries awarded millions of dollars in damages to former Accutane users. The drug has been strongly linked to birth defects among children born to women who took it while pregnant. As a result, the U.S. FDA in 2005 ordered that Accutane only be sold to women who sign a pledge saying they will submit to multiple pregnancy tests and practice at least two forms of birth control while on it. But Accutane is still available through rogue spam pharmacies.

This is another example of the risks people take when buying from these rogue pharmacies: they don’t get vital information on the serious health hazards they could face in taking certain drugs in certain conditions or in combination with other drugs. Legitimate pharmacies, on the other hand, do their best to ensure that their customers understand these risks before giving them their prescriptions.

“Many of these rogue pharmacies are still advertising a number of discontinued, banned, or very restricted drugs,” Warner said. “And they’re definitely not passing on warnings about how these drugs should be used, even when there are strong conditions that would normally be impressed on the customer when ordering these drugs from regular pharmacies.”

The most obvious example of a common risk introduced by pills dispensed from GlavMed and SpamIt pharmacies is the two to four free counterfeit Viagra or Cialis pills that were shipped with every order. The pills were stuffed into all orders, even those in which the customer had purchased drugs such as nitrates that could produce a deadly cocktail when taken with erectile dysfunction (ED) medications. Physicians have long warned against taking ED drugs in tandem with medicines designed to decrease high blood pressure, because doing so could lead to dangerously low blood pressure levels, a condition that often precipitates a heart attack.

Other books

Nomance by T J Price
Cloak of Darkness by Helen MacInnes
Liberty by Darcy Pattison
Taking Terri Mueller by Norma Fox Mazer
Tell No One by Harlan Coben
Branded By a Warrior by Andrews, Sunny
The Hallowed Ones by Bickle, Laura