Fraudsters sell forged COVID-19 vaccination certificates on the dark web in a fast-growing pandemic scam, cyber security analysts say
By Umberto Bacchi
April 8 (Thomson Reuters Foundation) - Fake coronavirus vaccine passports are being sold online for "peanuts" in a fast-growing scam that has alarmed authorities as countries bet on the documents to revive travel and their economies, cyber security experts said.
From Iceland to Israel, a number of countries have started to lift lockdown restrictions for people who can prove they have been vaccinated - letting them visit leisure venues or cross borders if they show vaccine papers.
"People are trying to circumvent that by creating false documents, essentially putting the lives of others at risk," Beenu Arora, founder of cyber intelligence firm Cyble, told the Thomson Reuters Foundation in an online interview.
"We've seen hundreds of websites on the dark web where these documents are being sold ... at the price of peanuts" he said.
The dark web is a part of the internet that lies beyond the reach of search engines, where users are largely anonymous and mainly pay with cryptocurrencies such as bitcoin.
Fake vaccination papers can be bought for as little as $12, Arora said, adding that the number of listings had mushroomed since the first started appearing in late February.
Oded Vanunu of cyber-security company Check Point said researchers at the firm had found numerous dark web adverts offering documents purportedly issued in the United States, Russia and other countries.
"There's a big demand for it," he said.
Forgeries have also appeared on regular websites and e-commerce platforms, said Chad Anderson, a senior security researcher at online threat intelligence firm DomainTools.
Last week, 45 attorney generals from the United States signed a letter calling on the heads of Twitter, eBay and Shopify to take immediate action to prevent their platforms from being used to sell fraudulent COVID-19 vaccine cards.
"The false and deceptive marketing and sales of fake COVID vaccine cards threatens the health of our communities, slows progress in getting our residents protected from the virus, and are a violation of the laws of many states," it read.
EBay said it was taking significant measures to block or quickly remove items that made false health claims including vaccine cards. Twitter and Shopify did not immediately reply to a request for comment.
Twitter said the sale of fake COVID-19 cards was not permitted on the site and it took "enforcement action" when violations were identified. Shopify did not immediately reply to a request for comment.
Days earlier, the FBI urged people not to post photos of their vaccination cards on social media, warning that the information could be used by scammers to forge documents.
Anderson of DomainTools said forging paper documents had become "so easy" nowadays.
"It's trivial, especially with the editing tools that we have today," he said.
Vanunu said that to make forgery more difficult vaccination cards should be digitally signed with encrypted keys using a QR code system similar to that adopted in Israel.
Once scanned, the codes would reveal vaccine information as well as the name of the holder - to be checked against identity documents. But to work for international travel, such a system would require countries to share data, he said.
China, Bahrain and a few other nations have already introduced vaccine passports, with South Korea and the European Union also announcing plans for digital documents.
But the concept has faced strong opposition in other countries, including Britain, where more than 70 lawmakers described the idea as "divisive and discriminatory".
(Reporting by Umberto Bacchi @UmbertoBacchi; Editing by Helen Popper. Please credit the Thomson Reuters Foundation, the charitable arm of Thomson Reuters, that covers the lives of people around the world who struggle to live freely or fairly. Visit http://news.trust.org)
Our Standards: The Thomson Reuters Trust Principles.