Nicolas Christin is the Associate Director of the Information Networking Institute, where he is also faculty, as well as a CyLab Systems Scientist. He was previously a resident faculty in our research and education center in Japan, CyLab Japan, located in Kōbe, Hyōgo Prefecture. He also serves as Faculty Advisor for the Master's of Information Technology-Information Security (MSIT-IS) degree program.
posted by Richard Power
CyLab Chronicles: What significant findings emerged from your study, "Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade"?
Nicolas Christin: I would say there are three main findings. First, illicit online pharmacies --- or agents advertising on their behalf --- are increasingly trying to manipulate search engine results to promote their businesses. This is because they can get pretty decent conversion rates: We find they net somewhere between three and thirty purchasing customers out of a thousand people searching for drugs online. This is much more effective than email or web forum spam. As a very negative consequence, legitimate pharmacies or online health resources have been pretty much driven out of these search results entirely. Second, this attack is made effective thanks to fairly high profile websites (e.g., .edu) getting compromised and participating in the search-engine manipulation. Unfortunately, operators of these sites are very slow at cleaning up their sites -- infections last seven weeks on average, and four months on .edu sites. Third, we find that most pharmacies are connected through advertisement chains; looking at the advertising network a bit more deeply, we find that surprisingly few hosts ("redirectors") play a very important role in sending traffic to illicit pharmacies. Taking down these redirectors would almost certainly disrupt this line of business, at least temporarily.
CyLab Chronicles: What are search-redirection attacks? How are "high-ranking" sites "systemically compromised"?
Christin: Search-redirection attacks implement a combination of attack techniques. The attacker first compromises a large number of websites and injects in them a number of (hidden) keywords relevant to the trade they want to promote (e.g., drug-related). Search engines in turn associate this extra content with the high profile website. This way, the compromised websites appear at or near the top of the results returned in response to search queries related to the business the attackers want to promote (e.g., online pharmacies). The catch is that, instead of using the compromised websites as a store front, the attacker merely uses them to immediately send traffic to an online pharmacy through one or more intermediaries. That redirection occurs only when visitors to these compromised websites get there from a search engine looking for drug-related keywords; otherwise, nothing happens -- which is what makes the compromise hard to detect for the legitimate operators of the compromised sites. From our measurements, we discovered that attackers mainly try to compromise sites with very high PageRank (e.g., .edu or .org sites).
CyLab Chronicles: What was your methodology for investigating such attacks and their consequences?
Christin: We basically ran a large number of drug-related search queries every day, over nine months. Our automated collection agent visited all search-engine results, and followed redirections until they stopped -- in general, at that point it had landed on an online pharmacy. We were then able to build a large graph showing the relationships between compromised websites, intermediaries, and online pharmacies. Of course, the devil is in the details -- how we chose the query corpus, for instance -- but that is fully explained in the paper.
CyLab Chronicles: What are the consequences and implications for Pharma, and for other industries beyond Pharma?
Christin: Legitimate pharmacies are basically driven out of organic search-engine results related to drugs. Potentially, customers looking for certain drugs end up on very questionable sites without necessarily realizing it. Also, this kind of attack is not restricted to one specific product. Besides prescription drugs, we have gleaned anecdotal evidence that people peddling counterfeit software use the same type of technique.
CyLab Chronicles: What are the consequences and implications for the online consumer?
Christin: Consumers should be really careful about the websites they visit. When it comes to prescription drugs, get a real prescription, and visit a legitimate pharmacy. To be honest, given what we have found, I would pretty much stay away from searching for prescription drugs online and instead would directly go to a trusted pharmacy's website, or even better, to a brick and mortar pharmacy. The problem is that a lot of people have little or no health insurance, and are hunting for bargain prices online. Don't do that with prescription drugs -- you just don't know what you're going to get, and saving a few, or even a few hundred bucks is not worth risking a lot more.
CyLab Chronicles: How should organizations be protecting themselves? What are the countermeasures?
Christin: There is surprisingly little that legitimate health resources can do here. On the other hand, search engines have started to fight back against this scourge -- we have started noticing warnings that some sites may be questionable; that's noted progress, but we think they need to do more. So far, they have been focusing on rooting out bad ads, but our study demonstrates they also probably need to look at organic search results as well. Also, we believe that, given that a few intermediaries seem to be handling large portions of traffic, taking down these intermediaries would actually impede the illicit pharmacies. Of course, their operators would likely move to different hosts after a take-down, but presumably, we can make them pay a pretty high price for that. Right now, it seems like the main redirectors are hosted on pretty much regular ISPs that are just a bit lax in checking what their customers are doing. That costs the operators of these hosts almost nothing, and they can pocket a nice profit. Aggressive take-downs of redirectors would definitely raise the costs of operating this business. In addition, it is important that website operators make sure that they periodically audit their servers. You really don't want a site at your university to be the first result in response to a query like "cialis no prescription". Making sure you're running patched and up-to-date systems, performing penetration testing and comprehensive log audits are all practices that any responsible website operator should routinely engage in.
CyLab Chronicles: What can online consumers do to protect themselves? What are the preventative steps for users?
Christin: Well, unfortunately, as I mentioned above, there is not much that end users can actively do, other than avoid blindly searching for prescription drugs online.
CyLab Chronicles: Do we have any sense of who is doing this, and how much money they are making at it?
Christin: Our network analysis indicates there are probably about a dozen groups at most that are or have been involved in these advertising techniques. They fan traffic from several thousand compromised websites to a few hundred pharmacy websites. We're not sure how many actual individuals are behind those pharmacies, but advertisers and pharmacies seem to be two distinct entities; and given that there are not that many large advertisers, it may make sense to try to take them down, and stop the flow of traffic to online pharmacies, rather than going after the pharmacy operators themselves. As for how much that whole business is making, we found that there are probably on the order of 640,000 visits a month to payment processing sites working on behalf of illicit online pharmacies. Even if you are conservative, and you estimate that only one in ten of these visits results in an actual purchase of a drug (and remember, you only get to the payment processing site once you have filled up your cart and are ready to "check out"), that would be about 64,000 purchases/month. The lowest price for a drug package on these sites is usually around $32, so that gives you a conservative lower bound of $2M/month overall. And again, this is likely to be a very conservative estimate. Some people will likely buy a lot more, or more expensive packages. By way of comparison, consider that spam generated by Storm, arguably one of the largest botnets in existence, had been shown to facilitate only about 2,100 sales per month. With search-redirection attacks, we're talking about a sales volume thirty times bigger.
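The redirection-chain analysis Christin describes (crawl search results, follow redirects to the landing pharmacy, then find the few intermediaries that carry most traffic and estimate what a take-down would disrupt), as an added example that is not code from the study; the chains and `.example` hostnames are constructed placeholders, not real indicators.

```python
from collections import Counter

# Constructed sample of chains as a crawler would record them: each starts at a
# compromised search result, passes through zero or more redirectors, and ends
# at the landing site. All hostnames are invented placeholders.
CHAINS = [
    ["compromised-a.example.edu", "redir1.example", "pharmacy-x.example"],
    ["compromised-b.example.org", "redir1.example", "pharmacy-y.example"],
    ["compromised-c.example.edu", "redir1.example", "redir3.example", "pharmacy-x.example"],
    ["compromised-d.example.com", "redir2.example", "pharmacy-z.example"],
    ["compromised-e.example.org", "redir2.example", "redir3.example", "pharmacy-y.example"],
    ["compromised-f.example.edu", "redir1.example", "pharmacy-z.example"],
    ["compromised-g.example.com", "pharmacy-x.example"],  # direct, no intermediary
]

def redirector_coverage(chains):
    """Fraction of chains that pass through each intermediary host.
    Sources (compromised sites) and sinks (pharmacies) are excluded."""
    hits = Counter()
    for chain in chains:
        for host in set(chain[1:-1]):  # count a host once per chain
            hits[host] += 1
    return {host: n / len(chains) for host, n in hits.items()}

def chains_disrupted_by_takedown(chains, taken_down):
    """Fraction of chains that would break if the given redirectors vanished."""
    down = set(taken_down)
    broken = sum(1 for c in chains if down & set(c[1:-1]))
    return broken / len(chains)

def takedown_plan(chains, budget):
    """Greedy choice of `budget` redirectors whose removal breaks the most
    chains; each step re-ranks only the chains still intact."""
    remaining, chosen = list(chains), []
    for _ in range(budget):
        cov = redirector_coverage(remaining) if remaining else {}
        if not cov:
            break
        best = max(cov, key=cov.get)
        chosen.append(best)
        remaining = [c for c in remaining if best not in c[1:-1]]
    return chosen

if __name__ == "__main__":
    for host, frac in sorted(redirector_coverage(CHAINS).items(), key=lambda kv: -kv[1]):
        print(f"{host:16s} carries {frac:.0%} of observed chains")
    plan = takedown_plan(CHAINS, 2)
    print("take-down plan:", plan,
          f"-> disrupts {chains_disrupted_by_takedown(CHAINS, plan):.0%} of chains")
```

On real crawl data the same coverage ranking identifies the handful of hosts worth reporting to their ISPs first, and the direct chain shows why a take-down never reaches 100%.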