Looking for a bargain? Buying pharmaceuticals online might not be your best bet.

Most online purveyors of prescription drugs are doing so without authorization from the pharmaceutical industry or without employing the proper security measures for online sales. That’s according to the quarterly Brandjacking Index, released Monday by brand research and protection company MarkMonitor.

“We thought we’d find some conclusions that raised some eyebrows, but what we found was a very dirty business on the web. Consumers and drug companies should be concerned,” said MarkMonitor Chief Marketing Officer Frederick Felman.

The report highlights several disturbing trends in online drug sales. In addition to faking accreditation, many online pharmacies spam users and perpetrate phishing attacks, in which they attempt to collect personal details such as a person’s health history and credit card information.

MarkMonitor analyzed 60 million emails and looked at six specific brands across the most popular categories of pharmaceuticals—those treating insomnia, erectile dysfunction, cholesterol, anxiety, and depression. One tenth of the 100,000 sites tracked by MarkMonitor in June do not require prescriptions from consumers who want to order drugs and few sites studied have Verified Industry Pharmacy Practice Site accreditation, which requires that pharmacies comply with state drug laws.

According to the study, the United States hosts 59 percent of online pharmacies and 38 percent of pharmacy-related spam comes from China.

Mr. Felman said the draw to online pharmacy sites for consumers is the promise of lower prices, but often the sales stemming from such sites provide users with expired or mislabeled drugs that may be past their expiration date.

In addition to pharmaceuticals, the report highlights ongoing concerns about general phishing on the web, which Mr. Felman said continues to grow “organically, as opposed to exponentially.”

Of particular concern is an increase in “rock phishing,” originated by the Rock Phish Gang based in Eastern Europe. Rock phishers use stolen information to register and rapidly cycle through domain names and IP addresses. They obscure their origin with botnets, which automate unwitting consumers’ computers to send out spam.

This type of phishing is more difficult to trace than other methods, according to MarkMonitor, because rock phishers operate on a previously unforseen scale and build multiple redundancies into their system that make a single point of origin difficult to detect. MarkMonitor has tracked an 11 percent increase in rock phishing since Q1.