Fake Covid-19 Vaccine Certificates Are Being Advertised On the Dark Web

Criminals have been selling fake vaccine certificates online and may be able to fool an EU system designed to verify the certificates' validity, researchers warn. BankInfoSecurity reports: [A] report released last week, "COVID-19 Vaccination Certificates in the Dark Web," which has not yet been peer-reviewed, notes that some darknet markets continue to sell supposed vaccine certificates for use in multiple countries. Four researchers - Dimitrios Georgoulias, Jens Myrup Pedersen, Morten Falch, Emmanouil Vasilomanolakis - who are all part of the Cyber Security Group at Aalborg University in Copenhagen, Denmark, reviewed vaccination certificate offerings from 17 marketplaces and 10 vendor shops. The researchers found that at least one vendor appears to be selling digital certificates, registered in Italy, that are being read as valid by mobile COVID-19 certificate-checking apps developed by both France and Denmark. The Aalborg University researchers, however, note that many darknet markets forbid any listing containing any items related to COVID-19. But others, they say, do allow both physical and digital vaccine certificates to be offered for sale, and in some cases also "yellow vaccination cards" or other vaccination record cards that can be used as proof of vaccination, albeit only inside the country in which they were supposedly issued. "The listings are heavily focused on European countries and the United States, but there are also listings from other continents and countries, such as Brazil, Canada, Mexico and Australia," as well as Russia, the researchers write. "The pricing differs greatly between the different listings, with the cheapest certificate starting at $39 and the highest price reaching almost $2,800, which included both a physical and a digital certificate, registered in the United Kingdom," they write. Most markets accept bitcoin and monero cryptocurrencies as payment, they add, while a smaller number also take such digital coins as ethereum, cardano, litecoin and zcash. [...] The Aalborg University researchers note that buying a fake digital certificate gives the seller ample opportunity to scam a buyer. If these fake COVID-19 certificates can indeed pass for valid ones, then one unanswered question remains: How? Many of the sites claim to have access to the systems used to issue certificates, either by hacking into them remotely, or having insiders who work at a healthcare or other health organization, the researchers say. "In the specific case of a listing on the Russian marketplace Hydra, the description even mentioned the exact location and hospital that the system was accessed from," they say. Another possibility, however, is that criminals have somehow stolen one or more private keys for the European system, which were issued to participating health organizations. If so, it would be difficult to revoke these keys, the researchers say, since doing so would invalidate what might be a large quantity of legitimate certificates too.

Read more of this story at Slashdot.