MarkMonitor - Brandjacking Index...Buying drugs online continues to be fraught with fraudsters and...

Brandjacking Index®Summer 2009

Contents

Executive Summary .................................................................................... 3

Pharmaceutical Brandjacking ...................................................................... 3

Phishing Trends ........................................................................................... 10

Conclusions ................................................................................................ 12

Methodology & Background ........................................................................ 13

Glossary ...................................................................................................... 14

Brandjacking Index®

Online Risks in Pharmaceutical Market - Summer 2009

“ ”

We observedcontinued growth in the online market for pharmaceuticals.

Executive Summary

In this edition of the Brandjacking Index®, we return our focus to the online pharmaceuticals marketplace. We found plenty of exploits as con artists who hijack well-known brands for their own profit continue to thrive selling suspicious drugs. We also saw increasing evidence of worsening supply chain abuses, whereby illicit business-to-business (B2B) sellers of pills and active pharmaceutical ingredients continue to operate with impunity. Phishing attacks are at record levels, while the number of attacks per individual organization is at an all-time high.

MarkMonitor® created the Brandjacking Index to measure how pervasive brand-based attacks are and to identify the potential threats to the world’s strongest brands. As in our previous reports, this edition of the Brandjacking Index tracked millions of emails and billions of web pages, including listings on online B2B exchange sites.

Pharmaceutical Brandjacking

Buying drugs online continues to be fraught with fraudsters and continues to be popular because of the high demand for inexpensive medicines. While tracking six different drug brands in July 2009, four of which were patented, we observed continued growth in the online market for pharmaceuticals including high levels of traffic to suspicious online pharmacies and increased numbers of listings for pharmaceuticals on B2B exchange sites.

As in previous studies, cybersquatting, the practice of abusing trademarks within the domain name system, continued to grow. Cybersquatted sites using the six brands from our study topped 19,000 during the study period, growing by 9% from the previous year. ‘Lifestyle’ drugs proved the most popular target for these efforts.

Percentage of cybersquatting activity by type of medication

3

Brandjacking Index®: Summer 2009

At close to $11B in estimated revenue, consumer pharmaceutical demand remains close to the level that we estimated last year. However, the total number of online pharmacies that we identified in the survey dropped slightly, from 2,986 last year to 2,930 this year. Only four of the pharmacies that we identified were VIPPS-certified, the certification program for online pharmacies offered by the National Association of Boards of Pharmacy. And while daily visitors dropped by more than half to 42,000 per site, we saw a marked increase in the number of online pharmacies experiencing this level of traffic—with 68% of the pharmacies having an Alexa rank.

To draw traffic, the illicit pharmacies utilize search engine advertising as well as spam emails. We counted that out of 186 advertisers for our six drug brands, only 19 of them are certified by VIPPS or CIPA, the Canadian authority. Consumers are well-advised to check the websites of each of these organizations to determine if a pharmacy is legitimate. Other informational resources include PharmacyChecker.com and LegitScript.com, which publishes lists of accredited and rogue pharmacies. In the example below, this pharmacy was advertising on a major search engine in the U.K., even though it appears on the ‘rogue pharmacy’ list maintained by PharmacyChecker.com.

Pharmacy is listed as a ‘rogue pharmacy’ on PharmacyChecker.com but is advertising on a major UK search engine

Online pharmacies abuse trends based on six drug brands

4


In a marked departure from earlier studies, 95% of these suspicious pharmacies appear to have some form of protection measures for customer data, in the form of secure sockets layer (SSL) browsing technology. However, this apparent increase could be caused by more hosting providers offering SSL as part of their default hosting plans. It’s important to note, too, that just because these ports show up on our scans doesn’t mean that they have been implemented or are really protecting any private data.

The old adage “if something is too good to be true, it probably is” works in spades when it comes to online pharmacies. Our findings show price discounts at illicit pharmacies, on average, of up to 90% from established and certified pharmacies. We examined pricing for one drug brand at the four VIPPS-certified pharmacies and at 30 randomly-selected non-certified pharmacies, using the same quantity and dosage across all listings. We found that the certified pharmacies were selling the drug at an average price of $14.16 while the illicit sites had posted prices ranging from 70 cents to less than $5! This level of discounting is much higher than the discounts available in legitimate channels and is a strong indicator that the drugs being offered at these illicit pharmacies are of suspicious quality.

Despite the suspicious nature of drugs, some of these illicit pharmacies are long-lived. Here is an example of one online pharmacy that was originally detected in 2007 and is still in operation. Its phone number no longer works, but the company is actively emailing prospective shoppers who visit the site. Last year it listed its phone number with a Los Angeles area code, but this year the company now shows a non-working Texas phone number. While labeled as Canadian, the site is hosted in the Russian Federation, according to its IP address. No matter where its real location, it continues to display faked credentials and presumably sells faked merchandise, including individual pills.

Example of one online fraudulent pharmacy

“ ”Some of these illicit pharmacies arelong-lived.

5


In terms of geography, we found that the U.S. continues to host the bulk of online pharmacies, with 36% of the total. Both Germany and the Netherlands increased their share of online pharmacies hosted in those countries with 13% and 10%, respectively. Pharmacies hosted in the U.K. dropped from 12% in 2008 to 7% in 2009 while Canada grew slightly to 6%.

In contrast, the spam emails that are used to lure shoppers to these sites originate outside the U.S. We have seen a shift in the location of the URLs used for spam landing pages in the past year, moving away from the U.S. to China. China now hosts 31% of the landing pages, contrasted with 4% in 2008.

Changes in hosting countries for online pharmacies

Spam landing pages by country of origin

6


As with the paid search pages, these landing pages are quite professional looking; in fact, many spam landing pages share the same look as our example below.

An example of a spam landing page with a professional appearance

But what is the source of supply for these illicit pharmacies? The role of online B2B exchange sites in supplying bulk quantities of branded pills and active pharmaceutical ingredients (APIs) cannot be underestimated. We found the number of exchange listings for the six drug brands in our study increased by 23% to 652 from the previous year. However, the number of listings selling APIs in powdered form grew by more than 80%, to 416 listings. This indicates a thriving trade in bulk pills as well as bulk quantities of their ingredients.

Changes in B2B exchange listings over the past three years

7


Nearly half of the listings for the six drugs in our study were from Chinese suppliers. No matter the country of origin, many of the listings appeared suspicious. Some listings advertised generic versions of patent-protected drugs, while other suppliers offered bulk quantities of patented pills along with branded sports clothing and sunglasses.

Patent-protected anti-flu drug listed as generic

We found several instances of a patented anti-flu drug being marketed as a generic on the B2B exchanges. This included both bulk quantities of pills as well as the powdered API. The pills were offered by a New Zealand-based company but originated in the U.K. while the powdered API was sourced from China.

Bulk quantities of powered API for patented anti-flu drug offered as generic

Percentage of abuse by country of origin

8


One manufacturer promoted a wide range of merchandise including bulk quantities of branded pills, sunglasses, sports jerseys and fashion apparel.

Listings for branded pills and unrelated clothing

We also saw evidence of suspected grey market activity on the B2B exchanges. One Irish seller offered large quantities of a patented flu drug labeled as Turkish while a Russian seller offered pills ‘from USA’.

Possible grey market activity on B2B exchange listings

All in all, these findings paint a disturbing picture of a parallel universe of pharmaceuticals where illicit drugs, pharmacies and suppliers pose significant challenges to public health and positive brand perception.

9


Phishing Trends

In the past quarter, we observed record levels of phishing attacks. Contrary to other published reports, in Q2 of 2009, phishing attacks numbered more than 150,000, surpassing the levels seen in 2007 when fast-flux and other techniques pushed the number of attacks to a previous high.

Phishing attacks near record levels

In addition, the average number of attacks per organization increased to 351 in the period, the highest level since Q3 of 2007. A total of 431 organizations were phished in Q2 of 2009.

Number of phishing attacks per organization reaches a new height

10


The industry breakdown of these attacks shows a small increase in attacks against the Payment Services category, which received almost half of all phishing attacks in Q2 of 2009. The Auction category continued its decline as a target, falling to 9% of all attacks, while the Financial category declined slightly to 32% of all attacks.

However, social networks continued to see a significant increase in phish attacks, as the number of attacks soared by 168% against the same period in 2008. In fact, with few exceptions, phish attacks against social network brands have continued to climb each quarter since Q1 of 2007 when we saw the first phish attack against a social network brand. One exception to the trend was in Q3 of 2008 when the turmoil in financial markets lured phishers to financial brands, highlighting phishers’ opportunistic nature.

Phish attacks against social network brands continue to climb

Phishing by industry sector in Q2 2009

11


Finally, we examined the host countries for phish attacks and saw that the U.S. now hosts 50% of all phish sites. Canada substantially increased its second position, more than quadrupling its percentage from last quarter, now hosting 13% of all phish sites, and Germany moved into the top five for the first time, hosting 3.6% of all phish sites.

Geographic phishing trends for Q2 2009

Conclusions

Brand abuse continues to increase, and in the pharmaceutical market, we see brandjackers profiting from sup-plying illicit online pharmacies with suspicious drugs as well as from consumer demand. Unfortunately, drug brands continue to see some very aggressive marketing online from fraudsters with a growing supply chain, professional promotion and best practices in eCommerce at online pharmacies. Left unchecked, this parallel universe of unscrupulous online pharmacies and questionable suppliers will continue to proliferate.

In the phishing world, contrary to earlier published reports, we saw phishing attacks hit record levels with more than 150,000 attacks recorded in Q2 of 2009 and record levels of phish recorded per targeted organization. Social network brands continue to demonstrate the greatest amount of growth in phish attacks while payment services and financial brands attract the lion’s share of attacks.

12


Methodology and Background

The Brandjacking Index is an independent report, produced quarterly by MarkMonitor to explore numerical trends and statistics about brand abuse. It contains anecdotal information about the business and technical methods used by brandjackers, along with analysis and discussion of the business and social implications of brand abuse.

The cornerstone of the Brandjacking Index is the volume of public data analyzed by MarkMonitor using the company’s proprietary algorithms. MarkMonitor searches approximately 134 million public records and 60 million suspected phishing email solicitations for brand abuse. These records come from various public domain data sources, along with Internet feeds from leading international Internet Service Providers (ISPs), email providers and other alliance partners. None of this data contains proprietary customer information.

This report is based on the following information and analysis:

Six leading drug brands surveyed in July 2009, identifying 2,930 pharmacies, 19,163 domains abusing drug •trademarks and 652 listings on online business-to-business exchange sites

Phishing data is based on analysis of suspect emails reported in Q2 of 2009 from more than 650 million email •inboxes hosted by the largest ISPs resulted in 60 million suspicious emails being studied for the phishing analysis

13


Glossary

Brandjacking – To hijack a brand to deceive or divert attention; often used in abusive or fraudulent activities devised for gain at the expense of the goodwill, brand equity and customer trust of actual brand owners.

Cybersquatting – The practice of abusing trademarks within the domain name system.

Domain Kiting – The process whereby domains are registered and dropped within the five-day ICANN grace period, and then registered again for another five days. Kiting a domain lets the registrant gain the benefit of ownership without ever paying for the domain.

eCommerce Content – Websites containing a specified brand that appears in visible text, hidden text, meta tags or title in conjunction with other site content that indicates online sales are being transacted on the site.

False Association – The practice of using a specified brand or trademark in web content to imply a relationship with a company or brand where none exists.

Offensive Content – Websites containing a specified brand that appears in visible text, hidden text, meta tags or title in conjunction with pornographic, online gaming or hate content.

PPC (Pay-Per-Click) – Paid placement advertising appearing on web pages. Operators of websites hosting PPC advertising derive revenue from ads that are clicked, hence the name PPC.

Phishing – Criminal use of email to divert traffic to websites in order to fraudulently acquire usernames, passwords, credit card details and other personal information. The email and websites used in these operations employ “social engineering” techniques to trick users into believing they are interacting with a business or organization that they trust.

Rock Phishing – A method of phishing first implemented by the ‘rock’ phish gang that utilizes multiple layers of redundant infrastructure to increase the difficulty of shutting down the attack. Other phishers are now using these tactics as well.

SEO Manipulation – The use of brands, slogans or trademarks located in visible text, hidden text, meta tags and title in order to manipulate search engine rankings so that the brandjacker’s site can gain a more favorable search engine placement.

Traffic Diversion – Hijacking a brand to drive web traffic to a competitive or illicit site in order to generate revenue at the expense of the rightful brand owner.

14


About MarkMonitorMarkMonitor, the global leader in enterprise brand protection, offers comprehensive solutions

and services that safeguard brands, reputation and revenue from online risks. With end-to-

end solutions that address the growing threats of online fraud, brand abuse and unauthorized

channels, MarkMonitor enables a secure Internet for businesses and their customers. The

company’s exclusive access to data combined with its patented real-time prevention, detection

and response capabilities provide wide-ranging protection to the ever-changing online risks

faced by brands today. For more information, please visit www.markmonitor.com.

More than half the Fortune 100 trust MarkMonitor to protect their brands online. See what we can do for you.

MarkMonitor, Inc.

U.S. (800) 745-9229

Europe: +44 (0) 207 840 1300www.markmonitor.com

©2009 MarkMonitor Inc. All rights reserved. MarkMonitor® is a registered trademark of MarkMonitor Inc. and Brandjacking Index® is a trademark of MarkMonitor Inc. All other trademarks included herein are the property of their respective owners.

Boise | San Francisco | Washington D.C. | New York | London | Frankfurt

MarkMonitor - Brandjacking Index...Buying drugs online continues to be fraught with fraudsters and...

Documents

Transcript of MarkMonitor - Brandjacking Index...Buying drugs online continues to be fraught with fraudsters and...