Darknet Markets Advertise Fake COVID-19 Vaccine Passports

Separately, Italian Police Bust Scammers Selling Vaccine Passports via Telegram
Fake Digital Green Certificates being sold in Italy (Source: Group-IB)

Criminals have been selling fake vaccine certificates online and may be able to fool an EU system designed to verify the certificates' validity, researchers warn.

That finding comes as some countries are now requiring proof of vaccination to gain access to restaurants, bars, clubs or other establishments, or to face fewer restrictions when traveling.

How widespread fake vaccine certificates may be remains unclear, as does the extent to which the QR codes contained on fake certificates might reliably pass for real.

But a report released last week, "COVID-19 Vaccination Certificates in the Dark Web," which has not yet been peer-reviewed, notes that some darknet markets continue to sell supposed vaccine certificates for use in multiple countries.

Four researchers - Dimitrios Georgoulias, Jens Myrup Pedersen, Morten Falch and Emmanouil Vasilomanolakis - who are all part of the Cyber Security Group at Aalborg University in Copenhagen, Denmark, reviewed vaccination certificate offerings from 17 marketplaces and 10 vendor shops. The researchers found that at least one vendor appears to be selling digital certificates, registered in Italy, that are being read as valid by mobile COVID-19 certificate-checking apps developed by both France and Denmark.

The Latest Wares From Darknet Markets

That darknet markets and vendors are selling fake vaccine certificates shouldn't come as a surprise.

Vendor site selling fake digital COVID-19 records (Source: "COVID-19 Vaccination Certificates in the Dark Web")

Darknet markets - typically reachable only via the anonymizing Tor browser or an anonymous, peer-to-peer distributed communication layer called I2P - have long promised customers the stars.

Many sell everything from illegal drugs and firearms to fake IDs and hacking tools. Whether they can reliably deliver, however, often remains an open question. While anecdotes abound about darknet market users contracting with a hitman and paying with bitcoins, the extent to which this and other services might simply be scams - if not law enforcement agents looking to entrap anyone who thinks it's OK to order a killing via the internet - remains unclear.

Not long after the COVID-19 pandemic began, meanwhile, darknet markets quickly began advertising coronavirus vaccines and testing kits that authorities warned were fake.

The Aalborg University researchers, however, note that many darknet markets forbid any listing containing any items related to COVID-19. But others, they say, do allow both physical and digital vaccine certificates to be offered for sale, and in some cases also "yellow vaccination cards" or other vaccination record cards that can be used as proof of vaccination, albeit only inside the country in which they were supposedly issued.

"The listings are heavily focused on European countries and the United States, but there are also listings from other continents and countries, such as Brazil, Canada, Mexico and Australia," as well as Russia, the researchers write.

Vendor shop offering vaccination certificate options (Source: "COVID-19 Vaccination Certificates in the Dark Web")

"The pricing differs greatly between the different listings, with the cheapest certificate starting at $39 and the highest price reaching almost $2,800, which included both a physical and a digital certificate, registered in the United Kingdom," they write. Most markets accept bitcoin and monero cryptocurrencies as payment, they add, while a smaller number also take such digital coins as ethereum, cardano, litecoin and zcash.

EU Digital COVID Certificate

The ability to trick nations' digital passport systems into accepting falsified proof of vaccination - or recovery from COVID-19 - would obviously be an unwelcome development from a public health standpoint. Anyone who has been issued a certificate of recovery, for example, is exempt from many quarantines or from having to be tested for travel purposes, for up to 180 days after their positive result.

The U.S. has no nationalized digital COVID-19 vaccination passport system, but seven states have developed their own mobile apps.

Another system has been developed by the European Commission: the EU Digital COVID Certificate. Available in both paper and digital formats, it includes a QR code that a venue or business establishment can scan, to verify that the named individual has received specified vaccine doses.

So far, 24 non-EU countries - including Israel, Norway, Switzerland, the U.K. and Vatican City - are also part of the so-called Digital Green Certificate system.

How the EU Digital COVID-19 Certificate Works

Source: EU Digital COVID Certificate website

The system relies on a Digital Green Certificate Gateway "through which all certificate signatures can be verified across the EU," according to an EU website devoted to the program. As the Aalborg University researchers note, how this works in practice is that an "issuance service" for each country handles all requests from any "verifier service" in a country where the certificate holder is present and attempting to validate their certificate. The system caches the public keys used in this system every 24 hours, which allows for certificates to be verified even if an app isn't online.

Widespread Scams

The Aalborg University researchers note that buying a fake digital certificate gives the seller ample opportunity to scam a buyer.

Some, but not all, darknet markets include an escrow system and offer a dispute resolution service in case a seller fails to provide a promised good or service. But stand-alone vendor pages do not offer such guarantees.

"After the payment has been confirmed by the marketplace, the client needs to provide their private information. This varies depending on the country that the certificate is being issued in and may include full name, country, address, Social Security number, state, ZIP code, and email address," the researchers write. "Such information, depending on the platform, is sent via different methods, with the main ones being ProtonMail and the platforms' own messaging functions. … All of this information is then used by the sellers to create the valid COVID-19 certificate."

Fake Green Passes with QR codes being sold from Italy (Source: Group-IB)

But how many of them work? In one case, the researchers tested a sample certificate listed on a darknet market and found it had been stolen from an individual in France who had posted an image of his vaccine certificate online. Such a certificate would fail to pass real-world inspection.

Certificate scams of all kinds appear to remain widespread. For example, cybersecurity firm Group-IB said that in mid-July it alerted Italian law enforcement authorities that, via about 35 different Telegram channels, multiple vendors were offering for sale "authentic Green Passes with QR codes" that would list a fake certificate of vaccination or recovery. "The sellers claimed it was possible thanks to the complicity of health workers," Group-IB says. "In reality, they were nothing but fake."

The security firm says that as part of Operation "No-Vax Free," agents searched residences in four cities and detained suspects, who have admitted selling the fake certificates.

"We urge the Italians not to use these phony, illegal services as they not only lose their money, but they submit their sensitive personal data to criminals and put themselves at a greater risk of follow-up scams," said Col. Gian Luca Berruti of the Guardia di Finanza law enforcement agency, which is continuing to probe such offerings, working with the Milan Public Prosecutor's Office.

Some Offerings May Work

But it's possible that not all offerings are scams. In some countries, faked certificates - that work - have reportedly been issued by corrupt doctors, for example in Bulgaria, according to security researcher Alexander Stanev.

The Aalborg University researchers also report finding at least one vendor shop that appears to have "advanced forging capabilities" that may work. Specifically, they found an unlisted YouTube video apparently uploaded by the unnamed vendor site to advertise its wares, via which they were able to take screenshots of demonstration QR codes featured in the video, as well as see a dashboard displaying 1,700 sales to date.

"Architecture of the EU COVID-19 verification and issuance system. This figure was discovered on one of the vendor shops and it is an adaption of the architecture figure found in the European Commission official documentation." (Source: "COVID-19 Vaccination Certificates in the Dark Web")

"We did not manage to verify all of them due to issues in capturing a high-quality frame in the video, but the ones we did manage to check, appear to be valid," the researchers write, noting that they checked them using two different countries' verification apps. "Additionally, in the video, the sellers provide three specific QR codes for verification purposes, which also turned out to be valid. … The vendors stress the fact that they do not keep any of the personal information provided to them by the clients, since they have no intention of monetizing this data, and want to provide their services without jeopardizing their customers' privacy."

If these fake COVID-19 certificates can indeed pass for valid ones, then one unanswered question remains: How?

Many of the sites claim to have access to the systems used to issue certificates, either by hacking into them remotely, or having insiders who work at a healthcare or other health organization, the researchers say. "In the specific case of a listing on the Russian marketplace Hydra, the description even mentioned the exact location and hospital that the system was accessed from," they say.

But as the Guardia di Finanza investigation found, at least some claims of spoofing the system via inside assistance are outright lies.

Another possibility, however, is that criminals have somehow stolen one or more private keys for the European system, which were issued to participating health organizations. If so, it would be difficult to revoke these keys, the researchers say, since doing so would invalidate what might be a large quantity of legitimate certificates too.
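To make the 24-hour key cache described earlier and the revocation problem above concrete, here is an added example (not code from the EU system, the researchers or this article) of a verifier that checks signatures offline against cached issuer keys. The `Cert` and `Verifier` types, the key-id lookup, the `issuer-1` name and the use of Ed25519 are assumptions made for illustration; the article does not name the signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Cert is a simplified signed record, not the real certificate encoding.
type Cert struct {
	KID          string // names the issuer key that signed Payload (assumed field)
	Payload, Sig []byte
}

// Verifier holds a local copy of the issuer public keys.
type Verifier struct {
	keys    map[string]ed25519.PublicKey
	fetched time.Time
}

// Refresh re-copies the gateway key set once the cache is 24 hours old.
func (v *Verifier) Refresh(gateway map[string]ed25519.PublicKey, now time.Time) {
	if v.keys == nil || now.Sub(v.fetched) >= 24*time.Hour {
		v.keys, v.fetched = map[string]ed25519.PublicKey{}, now
		for kid, pub := range gateway {
			v.keys[kid] = pub
		}
	}
}

// Verify works offline: it checks only the signature against a cached key.
func (v *Verifier) Verify(c Cert) bool {
	pub, ok := v.keys[c.KID]
	return ok && ed25519.Verify(pub, c.Payload, c.Sig)
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed test key
	gateway := map[string]ed25519.PublicKey{"issuer-1": priv.Public().(ed25519.PublicKey)}
	msg := []byte("name=Sample Holder;doses=2") // constructed payload
	cert := Cert{"issuer-1", msg, ed25519.Sign(priv, msg)}
	t0 := time.Date(2021, 8, 1, 0, 0, 0, 0, time.UTC)
	v := &Verifier{}
	v.Refresh(gateway, t0)
	delete(gateway, "issuer-1") // the gateway revokes the issuer key
	v.Refresh(gateway, t0.Add(time.Hour))
	fmt.Println("1h after revocation:", v.Verify(cert))
	v.Refresh(gateway, t0.Add(25*time.Hour))
	fmt.Println("25h after revocation:", v.Verify(cert))
}
```

Because `Verify` sees only a key id and a signature, removing the key rejects every certificate that key ever signed, genuine or not, and only once each verifier's cache has been refreshed.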

Again, whether this vendor or others do possess the ability to spoof the EU system isn't clear. But the researchers say that they hope their efforts "will raise awareness on the situation, motivating the corresponding authorities to further investigate the security of the current certificate issuance systems."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
