Tracing the Path of our Drugs

How a Packet of Prozac Took Us on A World Tour

By Kristina Peterson, Jake Pearson, Danielle Douglas, Rhiannon Coppin and Hilke Schellmann

To peek into the world of rogue online pharmacies, our class decided to become a customer. We purchased drugs without a prescription in the hope of uncovering who might be running this transnational trade. Tracing that purchase took us on a far-flung world tour as we followed how the drugs—and our money—crisscrossed the globe.

Our purchase of generic Prozac slipped past the watch of numerous regulators tasked with preventing this kind of trade, including customs and postal agents, internal bank monitors and credit card processors around the world. While we were never able to pinpoint the merchant’s precise identity, we were able to trace the purchase’s global arc.

The drugs were purchased on a computer in New York City, shipped from a pharmacy in India, processed by a bank in Latvia and may even be connected to a network of Russian cybercriminals. Our purchase also showed how the rogue online pharmacy industry is supported and enabled by illegitimate and legitimate businesses alike.

Our online drug purchase began on March 26, when we logged onto the Web site http://www.ypills.com and ordered 20 pills of generic Prozac. We chose to buy from this site after seeing it advertised on a YouTube video. In order to buy the drugs, we simply filled out an online questionnaire. At no point did we have to produce a valid prescription or speak to a physician. In short order, we were buying the pills with a Capital One Visa credit card. Strangely, we did not receive any sort of confirmation e-mail until roughly 10 days later, when we received an email from the "Canadian Pharmacy Support Team" informing us that our drugs were on their way.

Roughly five days later, we received a package shipped through India Post and the United States Postal Service containing our drugs -- plus two Viagra pills thrown in for free -- wrapped in a sheet of the Bombay Times.

The accompanying customs slip said the drugs were a "sample for trade" and the box for "a gift" was checked in blue pen. A purple rubber stamp listed the sender as Pratham Pharma, Shop No. 8, Surusha Apartment, V.N. Purav Marg, Chunabhatti (East), Mumbai in India. Pratham Pharmacy did not return multiple phone and e-mail requests for comment.

Pratham Pharma is located in the Lokmaniya Complex in Mumbai. Although the company’s name matched the one on our return slip, it had a slightly different address. Online, the company is listed as a medical supplies business, but we could not ultimately determine whether it makes its own drugs or simply supplies them. Sandwiched between two major highways, Pratham Pharma is situated in a cluster of five nondescript buildings, near several technical colleges, as seen from Google Earth.

After receiving our drugs from Pratham Pharma, we had them tested by Alliance Technology, a New Jersey laboratory. The lab found fluoxetine hydrochloride in the pills we got from India. “The capsule we tested does appear to contain the active ingredient in Prozac®,” said Dr. Jonathan Chun. In other words, we actually received a prescription-only drug through the mail.

International mail like ours is processed at one of the United States Postal Service’s 14 postal gateways, located in cities such as New York or San Francisco. There, postal inspection agents, including the law enforcement arm of the USPS and Immigration and Customs Enforcement agents, can flag and inspect suspicious packages.

There are certain "profile characteristics" that usually raise alarms, said Peter Rendina, national public information officer and inspector for U.S. Postal Inspection Services .

“When someone is trying to send something illegal, they tend to want to be anonymous,” Rendina said.

But our package did not display the traditional red flags -- it had a return address and there were no misspellings or protruding wires. However, the customs form stated clearly that the package had been shipped from an Indian pharmacy and oddly, was labeled “a gift.” Nonetheless, the pills seemingly breezed through customs and postal agents’ scrutiny. Though federal agencies told us they have strict standards, our purchase’s easy journey to New York suggests the system may be more porous than they think.

The Internet can enable members of the e-pharma network to remain anonymous and elusive. Regulators are still adapting to how the Web changes the cat-and-mouse game.

Rendina said his agents are increasingly using the Internet in their investigations. “There is always a trial back to somebody, using IP addresses or hits on websites,” he said. We also decided to use a similar approach.

Following the cybertrail

In our own cybersearch, we unearthed connections between our purchase and suspicious organizations like the Russian Business Network. The cybercriminal organization links to rogue online pharmacies by sending out spam and programs spiked with viruses, according to a 2008 report by Cisco Iron Port Systems, an online security company.

We started with four clues: a Web site domain (ypills.com), a phone number (1-800-383-7433), an email address header (vdsking3.ispvds.com), and another Web site domain that was printed on our credit card bill (RX-CS7.COM).

By performing a name and IP lookup on the three available domains, we were led to registrars and IP hosts in New York, the Grand Cayman Islands, Irkutsk, Prague, and Moscow.

We also came up with several names for registrants: Isai Wayne, Max Schultz, Peter A Svistunov, Alexandr Brukhanov, and Andrey Smirnov.

Unfortunately, name, address and phone numbers are all voluntarily reported. Anyone can hide himself with a pseudonym or impersonate another in the information listed with their domain, according to Danny Watson, an analyst at Spamhaus.org, a nonprofit that tracks spam.

"It could be a completely made up name. It could be that its the name or address of a relative of the spammer -- we've seen that in the U.S. quite a bit," Watson said.

The IP address linking to the domain (RX-CS7.com) on our credit card bill connected to a group of Moscow-based IP addresses supposedly managed by someone also called Andrey Smirnov. Smirnov, a name that repeatedly pops up in our searches, has been identified as being part of the Russian Business Network, according to various spam-tracking experts.

The Russian Business Network deals in rogue online pharmacies and was responsible for the “Canadian Pharmacy” spam operation, according to the Cisco Iron Port Systems report. Watson warned that the network may have dissolved. But its members are likely still operating independently or even further under the radar.

Georgian officials and security experts blamed the Russian Business Network for either launching or enabling politically motivated Internet attacks on Georgian government Web sites and communication networks according to an August 2008 Wall Street Journal article.

Researchers at Hostexploit.com, an open-source research group, published a 2008 report that names Alexandr A. Boykov and Andrey Smirnov as "hacktivists" who launched the attacks on Georgia.

"Nord Bank is likely doing something differently or failing to do something that other banks throughout the world are doing to drive these allegedly illegal merchants out of their customer base."

E-commerce: tracking our purchase

We also wanted to follow the money behind our purchase. So we called Capital One. It took almost an hour on the phone with seven employees before a supervisor of the credit card's fraud department was able to provide us with the unique identification numbers for our purchase.

The crucial 23-digit reference number for our transaction provided us with a six-digit bank identification number tucked into the second through seventh digits. Using the Mars Bank Database, a free downloadable software program, we were able to determine that the acquiring bank in the transaction -- the middleman connecting the merchant to the credit card -- was JSC Pirma Banka. The bank, which later changed its name to Nord Bank, is located in Riga, Latvia.

Nord Bank has surfaced frequently in investigations of suspicious online pharmacies, said Jon Praed, a cybercrime attorney. That likely means either multiple merchants are funneling their transactions through Nord Bank, or one very busy merchant is doing a lot of business with them, he said.

"It's not a coincidence," Praed said. "The fact that so many sales are going through Nord Bank indicates that Nord Bank is likely doing something differently or failing to do something that other banks throughout the world are doing to drive these allegedly illegal merchants out of their customer base."

Merchants find other ways to stay anonymous throughout the transaction. For instance, no one ever picked up when we dialed the 1-800 customer service number listed with our credit card purchase. A Google search of the 1-800 number yielded dozens of customers, complaining that they had been scammed. And Capital One noted that, unusually, the merchant identification number was all zeroes.

The merchant has an incentive to remain invisible -- obscurity makes it harder for consumers to watch out for potential fraud. Some banks take action to protect against merchants with bad intentions, like MasterCard’s Member Alert to Control High-Risk Merchants (MATCH) program. When either an acquiring bank or a transaction processor terminates a contract with a merchant, the merchant and its principals are supposed to be reported to the program, which publishes a list of the high-risk merchants.

But the system is flawed. The MATCH list is only as strong as the data that banks and transaction processors provide it: if they don't report problems, then the list is incomplete. Asked about our purchase, Nord Bank said our complaint was the first they had heard of. Spokeswoman Teika Lapsa said Nord Bank planned to end its agreement with the merchant, who does business with the bank as part of a large group. However, Lapsa would not disclose the identity of either the merchant or the broader group. The bank regularly inspects its merchants and requires them to comply with credit card regulations, Lapsa said.

"We can't check everything," she said of suspicious transactions. "We cannot avoid [it] 100 percent."