Summer Brandjacking Index

Transcription

1 Summer 2009 Brandjacking Index

2 Brandjacking Index Online Risks in Pharmaceutical Market - Summer 2009 Contents Executive Summary... 3 Pharmaceutical Brandjacking... 3 Phishing Trends Conclusions Methodology & Background Glossary... 14

3 Executive Summary In this edition of the Brandjacking Index, we return our focus to the online pharmaceuticals marketplace. We found plenty of exploits as con artists who hijack well-known brands for their own profit continue to thrive selling suspicious drugs. We also saw increasing evidence of worsening supply chain abuses, whereby illicit business-to-business (B2B) sellers of pills and active pharmaceutical ingredients continue to operate with impunity. Phishing attacks are at record levels, while the number of attacks per individual organization is at an all-time high. MarkMonitor created the Brandjacking Index to measure how pervasive brandbased attacks are and to identify the potential threats to the world s strongest brands. As in our previous reports, this edition of the Brandjacking Index tracked millions of s and billions of web pages, including listings on online B2B exchange sites. Pharmaceutical Brandjacking Buying drugs online continues to be fraught with fraudsters and continues to be popular because of the high demand for inexpensive medicines. While tracking six different drug brands in July 2009, four of which were patented, we observed continued growth in the online market for pharmaceuticals including high levels of traffic to suspicious online pharmacies and increased numbers of listings for pharmaceuticals on B2B exchange sites. As in previous studies, cybersquatting, the practice of abusing trademarks within the domain name system, continued to grow. Cybersquatted sites using the six brands from our study topped 19,000 during the study period, growing by 9% from the previous year. Lifestyle drugs proved the most popular target for these efforts. We observed continued growth in the online market for pharmaceuticals. Percentage of cybersquatting activity by type of medication 3

4 At close to $11B in estimated revenue, consumer pharmaceutical demand remains close to the level that we estimated last year. However, the total number of online pharmacies that we identified in the survey dropped slightly, from 2,986 last year to 2,930 this year. Only four of the pharmacies that we identified were VIPPS-certified, the certification program for online pharmacies offered by the National Association of Boards of Pharmacy. And while daily visitors dropped by more than half to 42,000 per site, we saw a marked increase in the number of online pharmacies experiencing this level of traffic with 68% of the pharmacies having an Alexa rank. Online pharmacies abuse trends based on six drug brands To draw traffic, the illicit pharmacies utilize search engine advertising as well as spam s. We counted that out of 186 advertisers for our six drug brands, only 19 of them are certified by VIPPS or CIPA, the Canadian authority. Consumers are well-advised to check the websites of each of these organizations to determine if a pharmacy is legitimate. Other informational resources include PharmacyChecker.com and LegitScript.com, which publishes lists of accredited and rogue pharmacies. In the example below, this pharmacy was advertising on a major search engine in the U.K., even though it appears on the rogue pharmacy list maintained by PharmacyChecker.com. Pharmacy is listed as a rogue pharmacy on PharmacyChecker.com but is advertising on a major UK search engine 4

5 In a marked departure from earlier studies, 95% of these suspicious pharmacies appear to have some form of protection measures for customer data, in the form of secure sockets layer (SSL) browsing technology. However, this apparent increase could be caused by more hosting providers offering SSL as part of their default hosting plans. It s important to note, too, that just because these ports show up on our scans doesn t mean that they have been implemented or are really protecting any private data. The old adage if something is too good to be true, it probably is works in spades when it comes to online pharmacies. Our findings show price discounts at illicit pharmacies, on average, of up to 90% from established and certified pharmacies. We examined pricing for one drug brand at the four VIPPS-certified pharmacies and at 30 randomly-selected non-certified pharmacies, using the same quantity and dosage across all listings. We found that the certified pharmacies were selling the drug at an average price of $14.16 while the illicit sites had posted prices ranging from 70 cents to less than $5! This level of discounting is much higher than the discounts available in legitimate channels and is a strong indicator that the drugs being offered at these illicit pharmacies are of suspicious quality. Some of these illicit pharmacies are long-lived. Despite the suspicious nature of drugs, some of these illicit pharmacies are longlived. Here is an example of one online pharmacy that was originally detected in 2007 and is still in operation. Its phone number no longer works, but the company is actively ing prospective shoppers who visit the site. Last year it listed its phone number with a Los Angeles area code, but this year the company now shows a non-working Texas phone number. While labeled as Canadian, the site is hosted in the Russian Federation, according to its IP address. No matter where its real location, it continues to display faked credentials and presumably sells faked merchandise, including individual pills. Example of one online fraudulent pharmacy 5

6 In terms of geography, we found that the U.S. continues to host the bulk of online pharmacies, with 36% of the total. Both Germany and the Netherlands increased their share of online pharmacies hosted in those countries with 13% and 10%, respectively. Pharmacies hosted in the U.K. dropped from 12% in 2008 to 7% in 2009 while Canada grew slightly to 6%. Changes in hosting countries for online pharmacies In contrast, the spam s that are used to lure shoppers to these sites originate outside the U.S. We have seen a shift in the location of the URLs used for spam landing pages in the past year, moving away from the U.S. to China. China now hosts 31% of the landing pages, contrasted with 4% in Spam landing pages by country of origin 6

7 As with the paid search pages, these landing pages are quite professional looking; in fact, many spam landing pages share the same look as our example below. An example of a spam landing page with a professional appearance But what is the source of supply for these illicit pharmacies? The role of online B2B exchange sites in supplying bulk quantities of branded pills and active pharmaceutical ingredients (APIs) cannot be underestimated. We found the number of exchange listings for the six drug brands in our study increased by 23% to 652 from the previous year. However, the number of listings selling APIs in powdered form grew by more than 80%, to 416 listings. This indicates a thriving trade in bulk pills as well as bulk quantities of their ingredients. Changes in B2B exchange listings over the past three years 7

8 Nearly half of the listings for the six drugs in our study were from Chinese suppliers. No matter the country of origin, many of the listings appeared suspicious. Some listings advertised generic versions of patentprotected drugs, while other suppliers offered bulk quantities of patented pills along with branded sports clothing and sunglasses. Percentage of abuse by country of origin We found several instances of a patented anti-flu drug being marketed as a generic on the B2B exchanges. This included both bulk quantities of pills as well as the powdered API. The pills were offered by a New Zealandbased company but originated in the U.K. while the powdered API was sourced from China. Patent-protected anti-flu drug listed as generic Bulk quantities of powered API for patented anti-flu drug offered as generic 8

9 One manufacturer promoted a wide range of merchandise including bulk quantities of branded pills, sunglasses, sports jerseys and fashion apparel. Listings for branded pills and unrelated clothing We also saw evidence of suspected grey market activity on the B2B exchanges. One Irish seller offered large quantities of a patented flu drug labeled as Turkish while a Russian seller offered pills from USA. Possible grey market activity on B2B exchange listings All in all, these findings paint a disturbing picture of a parallel universe of pharmaceuticals where illicit drugs, pharmacies and suppliers pose significant challenges to public health and positive brand perception. 9

10 Phishing Trends In the past quarter, we observed record levels of phishing attacks. Contrary to other published reports, in Q2 of 2009, phishing attacks numbered more than 150,000, surpassing the levels seen in 2007 when fast-flux and other techniques pushed the number of attacks to a previous high. Phishing attacks near record levels In addition, the average number of attacks per organization increased to 351 in the period, the highest level since Q3 of A total of 431 organizations were phished in Q2 of Number of phishing attacks per organization reaches a new height 10

11 The industry breakdown of these attacks shows a small increase in attacks against the Payment Services category, which received almost half of all phishing attacks in Q2 of The Auction category continued its decline as a target, falling to 9% of all attacks, while the Financial category declined slightly to 32% of all attacks. Phishing by industry sector in Q However, social networks continued to see a significant increase in phish attacks, as the number of attacks soared by 168% against the same period in In fact, with few exceptions, phish attacks against social network brands have continued to climb each quarter since Q1 of 2007 when we saw the first phish attack against a social network brand. One exception to the trend was in Q3 of 2008 when the turmoil in financial markets lured phishers to financial brands, highlighting phishers opportunistic nature. Phish attacks against social network brands continue to climb 11

12 Finally, we examined the host countries for phish attacks and saw that the U.S. now hosts 50% of all phish sites. Canada substantially increased its second position, more than quadrupling its percentage from last quarter, now hosting 13% of all phish sites, and Germany moved into the top five for the first time, hosting 3.6% of all phish sites. Geographic phishing trends for Q Conclusions Brand abuse continues to increase, and in the pharmaceutical market, we see brandjackers profiting from supplying illicit online pharmacies with suspicious drugs as well as from consumer demand. Unfortunately, drug brands continue to see some very aggressive marketing online from fraudsters with a growing supply chain, professional promotion and best practices in ecommerce at online pharmacies. Left unchecked, this parallel universe of unscrupulous online pharmacies and questionable suppliers will continue to proliferate. In the phishing world, contrary to earlier published reports, we saw phishing attacks hit record levels with more than 150,000 attacks recorded in Q2 of 2009 and record levels of phish recorded per targeted organization. Social network brands continue to demonstrate the greatest amount of growth in phish attacks while payment services and financial brands attract the lion s share of attacks. 12

13 Methodology and Background The Brandjacking Index is an independent report, produced quarterly by MarkMonitor to explore numerical trends and statistics about brand abuse. It contains anecdotal information about the business and technical methods used by brandjackers, along with analysis and discussion of the business and social implications of brand abuse. The cornerstone of the Brandjacking Index is the volume of public data analyzed by MarkMonitor using the company s proprietary algorithms. MarkMonitor searches approximately 134 million public records and 60 million suspected phishing solicitations for brand abuse. These records come from various public domain data sources, along with Internet feeds from leading international Internet Service Providers (ISPs), providers and other alliance partners. None of this data contains proprietary customer information. This report is based on the following information and analysis: Six leading drug brands surveyed in July 2009, identifying 2,930 pharmacies, 19,163 domains abusing drug trademarks and 652 listings on online business-to-business exchange sites Phishing data is based on analysis of suspect s reported in Q2 of 2009 from more than 650 million inboxes hosted by the largest ISPs resulted in 60 million suspicious s being studied for the phishing analysis 13

14 Glossary Brandjacking To hijack a brand to deceive or divert attention; often used in abusive or fraudulent activities devised for gain at the expense of the goodwill, brand equity and customer trust of actual brand owners. Cybersquatting The practice of abusing trademarks within the domain name system. Domain Kiting The process whereby domains are registered and dropped within the five-day ICANN grace period, and then registered again for another five days. Kiting a domain lets the registrant gain the benefit of ownership without ever paying for the domain. ecommerce Content Websites containing a specified brand that appears in visible text, hidden text, meta tags or title in conjunction with other site content that indicates online sales are being transacted on the site. False Association The practice of using a specified brand or trademark in web content to imply a relationship with a company or brand where none exists. Offensive Content Websites containing a specified brand that appears in visible text, hidden text, meta tags or title in conjunction with pornographic, online gaming or hate content. PPC (Pay-Per-Click) Paid placement advertising appearing on web pages. Operators of websites hosting PPC advertising derive revenue from ads that are clicked, hence the name PPC. Phishing Criminal use of to divert traffic to websites in order to fraudulently acquire usernames, passwords, credit card details and other personal information. The and websites used in these operations employ social engineering techniques to trick users into believing they are interacting with a business or organization that they trust. Rock Phishing A method of phishing first implemented by the rock phish gang that utilizes multiple layers of redundant infrastructure to increase the difficulty of shutting down the attack. Other phishers are now using these tactics as well. SEO Manipulation The use of brands, slogans or trademarks located in visible text, hidden text, meta tags and title in order to manipulate search engine rankings so that the brandjacker s site can gain a more favorable search engine placement. Traffic Diversion Hijacking a brand to drive web traffic to a competitive or illicit site in order to generate revenue at the expense of the rightful brand owner. 14

15 About MarkMonitor MarkMonitor, the global leader in enterprise brand protection, offers comprehensive solutions and services that safeguard brands, reputation and revenue from online risks. With end-toend solutions that address the growing threats of online fraud, brand abuse and unauthorized channels, MarkMonitor enables a secure Internet for businesses and their customers. The company s exclusive access to data combined with its patented real-time prevention, detection and response capabilities provide wide-ranging protection to the ever-changing online risks faced by brands today. For more information, please visit More than half the Fortune 100 trust MarkMonitor to protect their brands online. See what we can do for you. MarkMonitor, Inc. U.S. (800) Europe: +44 (0) Boise San Francisco Washington D.C. New York London Frankfurt 2009 MarkMonitor Inc. All rights reserved. MarkMonitor is a registered trademark of MarkMonitor Inc. and Brandjacking Index is a trademark of MarkMonitor Inc. All other trademarks included herein are the property of their respective owners.