Using the Web to ‘fool’ the FDA

Hot U.S. Attorney Action in Drug Misbranding, Device Sales and Supplement Frauds

[Via Eye on FDA]

There was a spate of announcements last week about actions taken by U.S. attorneys – one that involves a guilty plea for misbranding a drug; one person getting a 51-month sentence for selling unapproved medical devices; and one guilty plea for the fraudulent marketing of dietary supplements. Let’s check that out.


So I was reading the various cases, seeing that fraudulent sellers of drugs and medical devices got what was coming to them. Then I ran across this one:

  • Guilty Plea to Fraudulent Marketing of Dietary Supplements – It will be interesting to compare the sentence for this plea to the sentence for the sale of the unapproved medical devices. One case was in Albany, the next in San Diego, and this time from the heartland of Springfield, Missouri. Here was an Internet business that generated nearly $12 million, according to the release by the U.S. Attorney in the Western District of Missouri, by making claims to prevent and cure diseases through the use of dietary supplements sold on the site. The supplements sold over various Internet sites were supposedly demonstrated by clinical trials to treat and prevent diabetes, IBS, gout, high cholesterol, high blood pressure, heartburn and diarrhea, and promotional materials were said to include fraudulent customer testimonials using photo stock images. The Internet sites also produced a “sanitized” version of the promotion when it was detected that the Web sites were accessed from an IP address that was within the FDA network. No insight into how the FDA cracked this one or overcame the IP address issue.

I highlighted the interesting text. Some people might know that websites can provide different pages depending on who requests the pages. Mostly this is used to provide something like a mobile-specific version of the web page when the website detects that a cell phone is asking for the page.

In this case, the website looked at the IP address of the computer asking for the page. The web server always sees this address, because it needs it to know where to send the page.

So, knowing the range of IP addresses used by FDA computers, the web site would return one page if the request came from an FDA computer and another page if it was requested by someone else. They hoped that any FDA computers snooping around would see only the sanitized page and not the page everyone else saw.

Kinda clever, but it can easily be overcome. First, use a computer with an IP address that does not look like it is from the FDA. Or, and I think this could be likely, the FDA can mask the IP address of some of its computers so that, from the outside world, they do not look like they come from the FDA. That is a relatively simple matter, and one that could easily get around any of the sorts of approaches these frauds used.

Plus, it makes it harder for the frauds to claim naiveté, since they were obviously attempting to mislead by having two different web pages.
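Once the same URL has been captured from two vantage points, as described above, the two copies can be compared mechanically. The sketch below is an added example, not anything from the case or the U.S. Attorney's release; the sample pages, the function names and the 0.9 similarity threshold are constructed assumptions.

```python
import difflib
import re
from html.parser import HTMLParser

class _VisibleText(HTMLParser):
    """Collect visible text chunks, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.chunks.append(data)

def visible_sentences(html):
    """Return the page's visible text as normalised, lower-cased sentences."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    sentences = []
    for chunk in parser.chunks:
        for s in re.split(r"(?<=[.!?])\s+", chunk.strip()):
            s = re.sub(r"\s+", " ", s).strip().lower()
            if s:
                sentences.append(s)
    return sentences

def compare_vantages(html_a, html_b, threshold=0.9):
    """Compare two captures of one URL; low similarity suggests per-visitor content."""
    a, b = visible_sentences(html_a), visible_sentences(html_b)
    ratio = difflib.SequenceMatcher(None, a, b).ratio()
    return {
        "similarity": round(ratio, 2),
        "cloaking_suspected": ratio < threshold,  # threshold is an assumption
        "only_a": [s for s in a if s not in b],
        "only_b": [s for s in b if s not in a],
    }

# Constructed sample captures of the same URL from two different networks.
AGENCY_VIEW = ("<html><body><h1>Herbal Blend</h1><p>A dietary supplement. "
               "Not intended to treat any disease.</p><script>var t=1;</script></body></html>")
PUBLIC_VIEW = ("<html><body><h1>Herbal Blend</h1><p>A dietary supplement. "
               "Clinically proven to cure gout.</p><p>Testimonial: it fixed my diabetes!</p></body></html>")

if __name__ == "__main__":
    print(compare_vantages(AGENCY_VIEW, PUBLIC_VIEW))
```

The `only_a` and `only_b` lists are the useful part for a reviewer: they show exactly which claims one audience saw and the other did not.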