A new report today from researchers at bot mitigation company Kasada Pty. Ltd. details the rise of pharmacy account theft and how stolen accounts are being resold on the internet.

Targeting pharmacy accounts, those used by people to obtain prescription medication and other controlled substances, isn’t that surprising but it is fairly new, at least in the number of accounts targeted. Attacks targeting retail, entertainment and financial services accounts have long been pervasive, but the researchers found that pharmacy attacks are quickly growing in number.

The methodology used to steal pharmacy accounts comes as no surprise with the same technology used when targeting other types of accounts. Those behind the account theft were found to be using malicious bots to test stolen user credentials in credential-stuffing attacks. Those attacks involve using compromised user credentials obtained in hacks on other sites and services to see if they work, in this case on pharmacy sites, since many users use the same username and password across multiple sites.

The numbers are significant. The Kasada researchers have discovered tens of thousands of stolen online pharmacy accounts available on secondary marketplaces, with the number of stolen accounts available for sale increasing by five times in the last 60 days.

Using the stolen accounts, sellers are offering access to legitimate prescriptions for substances such as Adderall and Oxycodone. The prices of the drugs offered vary from what would typically be paid with an insurance co-payment to several hundred dollars. The marketplaces offer stolen accounts from physical and online-only pharmacies, including the top 10 U.S. pharmacies, typically with the name of the pharmacy redacted.

In an interesting twist, the stolen accounts are not being sold only on the shady part of the internet known as the dark web but also on the regular internet for anyone to find. Those looking to buy can choose the pharmacy and medication of their choice and pay via cash transfer or cryptocurrency. They’re offered a guarantee that if the account does not work, they will be provided a new account at the same pharmacy at no additional charge.

“It’s easy to see how the illegal sale of stolen pharmacy accounts can be a profitable venture,” the researchers conclude. “Not to mention very dangerous — by enabling medications to be put into the hands of people who don’t have a prescription.”

Photo: Rawpixel