Security researchers have identified instances of bots stealing pharmacy accounts and reselling prescriptions on a secondary market for in-demand and illicit substances. Researchers have also identified an acceleration in this activity: over the past 60 days, the number of stolen pharmacy accounts available for sale has increased fivefold.

In April 2022, Kasada threat intelligence first observed the use of credential stuffing to attack pharmacies, steal active accounts, and exploit the distribution of prescribed medications. Credential stuffing is an automated attack in which cybercriminals use lists of stolen or leaked usernames and passwords to try to log in to various accounts. Once they are successful, they take over accounts and either sell them or exploit them by making fraudulent transactions.

Tens of thousands of stolen online pharmacy accounts are currently available for sale on underground marketplaces. These marketplaces offer stolen accounts from both physical and online-only pharmacies, many from the top 10 U.S. pharmacies. The price for a stolen account ranges from the cost of an insurance co-payment to several hundred dollars. What's more, stolen accounts often come with a guarantee — if the login or card on file doesn’t work, the provider will replace it with a new account.
