Growing interest in the development and use of Covid-19 vaccine passport solutions and certificates – designed to help locked down countries reopen their economies – is attracting the attention of cyber criminals, with forged Covid-19 documentation now being openly sold on underground dark web markets, according to Check Point Research (CPR).
While malicious actors have been advertising fake vaccines on underground forums for a few months now, with high-profile “brands” such as AstraZeneca and Johnson & Johnson selling for upwards of $500, forged vaccine certificates and negative Covid-19 test documents are proving almost as lucrative.
CPR found fake government vaccination certificates purporting to be official Centers for Disease Control (CDC) documents selling for $150 each, while people wanting to skirt travel regulations can buy a “negative” Covid-19 test result in under half an hour for as little as $25.
“The dark net is booming with activity related to Covid vaccines. This wasn’t the case when we first started to study the dark net on this topic in January. Back then, we only saw a few hundred advertisements for just the Moderna or Pfizer vaccines,” said CPR head of product vulnerability research, Oded Vanunu.
“Today, adverts have tripled and offer every type of vaccine available. The new trend we’re starting to see is hackers offering fake vaccination and test certificates as they try to capitalise on the public’s interest in either getting a vaccine early or avoiding the vaccine but having proof of vaccination.”
In the interests of research, a member of the CPR team reached out to one dark web supplier of forged vaccine certificates, posing as somebody who wanted to travel abroad urgently. The researcher was told to supply their name and the dates they wanted the certificate to display they had been vaccinated on, for a total of $200. The seller told the researcher they had successfully provided this service to many other people in the past without problems.
“The dark net is booming with activity related to Covid vaccines. When we first started to study the dark net on this topic in January, we only saw a few hundred advertisements for just the Moderna or Pfizer vaccines. Today, adverts have tripled and offer every type of vaccine available”
Oded Vanunu, Check Point Research
In another instance, a seller was spotted running a “three for two” offer on negative Covid-19 test results, while others have automated their services, requiring the buyer merely to enter their details on a web form.
Vanunu said that apart from being illegal and potentially putting people’s lives in danger, attempting to obtain a vaccination card or negative test result by unofficial means was exceptionally risky.
“People who have not been vaccinated and try to use fake Covid test results or vaccine certificates are damaging the fight against the disease, [and] hackers are more interested in their money, information and identity for exploitation,” he said.
“We also strongly urge everyone to not share their vaccination cards or negative Covid-19 tests on social media, as the information on those pictures can make its way onto the dark net in some form,” added Vanunu. “I expect the activity on the dark net related to the coronavirus vaccine to continue to grow in the near term.”
Long-term pivot
The rapid pivot towards vaccine-related scams mirrors the coalescence of cyber criminal activity around the initial Covid-19 outbreak in the spring of 2020, demonstrating once again how malicious actors will exploit any opportunity to make a quick buck.
Lucas Hu of Palo Alto Networks’ Unit 42 research team said that in a year of tracking Covid-19-related crime, he had found that at each step along the way, attackers were changing tactics to adapt to the latest developments, “in hopes that maintaining a timely sense of urgency will make it more likely for victims to give up their credentials”.
In research just released by Unit 42, Hu reported how Covid-19 phishing attacks at first centred on personal protective equipment (PPE) and Covid-19 tests, followed by government stimulus programmes, and then vaccines. The number of vaccine-linked phishes observed by Unit 42 increased more than six times between December 2020 and February 2021.
In an attempt to stay ahead of the law, attackers are also constantly creating new websites for Covid-related phishes. At the point of detection, almost 25% of phishing websites are less than a month old, and the majority less than a year old.
Many of the vaccine-related websites found purport to represent pharmaceutical firms, such as Pfizer and BioNTech, and are supposedly a place where individuals can sign up to be vaccinated. One example uncovered by Hu asked for the user to sign in with their Office 365 credentials to add their name to the waiting list, effectively handing the keys to the user’s corporate network to cyber criminals.
“Individuals should continue to exercise caution when viewing any emails or websites claiming to sell any goods or services or provide any benefits related to Covid-19,” wrote Hu in a newly published disclosure blog.
“If it seems too good to be true, it most likely is. Employees in the healthcare industry, in particular, should view links contained in any incoming emails with suspicion, especially emails trying to convey a sense of urgency.”
