Criminals with ‘advanced forging capabilities’ selling valid vaccine certificates on dark web
The gang is believed to have brought in at least €425,000 (£360,000) in revenues and may either have access to government systems or have compromised the national health authority’s cryptographic keys.
Criminals with “advanced forging capabilities” are selling valid vaccine certificates on the dark web, according to new research, suggesting they may have compromised government systems.
Academics from Aalborg University’s Cyber Security Group warn there are many scams among the dozens of listings for COVID-19 vaccine certificates on underground digital markets.
The ability for unvaccinated people to bypass various protections in place to prevent the spread of the coronavirus could endanger other people and potentially contribute to the development of a variant which is vaccine-resistant.
Despite the wide range of unverified listings that the researchers found and suspected of being scams, they said they managed “to discover a number of certificates which we are able to verify”, according to the preprint of the study, which has not yet been peer-reviewed.
This raised the risk that “malicious individuals [have] access to governmental systems, which they can manipulate at will” or that the cryptographic keys used by national health organisations to authenticate the certificates had leaked.
The listing that most concerned the researchers advertised certificates registered in 25 countries across the European Union. The researchers verified samples from that listing to be valid across Europe, using two different national COVID-19 apps.
This particular vendor shop “is the only platform that elaborates on the operation of their service in such detail” and details the technical mechanisms used to check the QR code on the vaccine certificate.
“To provide proof that the generated certificates sold are valid, the homepage of the site also includes a sample QR code, of a fictional individual, which we validated using two national COVID-19 mobile applications,” the researchers wrote.
A video uploaded by the gang also offered the researchers a short glimpse of their administration dashboard, which at the time showed they had made over 1,700 sales – amounting to more than €425,000 (£360,000) in revenue.
“The individuals behind this vendor shop present an advanced understanding of the system that surrounds the issuance and verification of certificates, which combined with the quality of their web page, the overall attention to detail in describing the operation of their business, and the verification use cases shown, raises the probability of the service being legitimate,” the academics wrote.