Covid-19 vaccination certificates are being sold illegally on the Darkweb. That’s the conclusion of a group of cybersecurity experts who have investigated the way vendors offer forged vaccine certificates online.
The researchers have even verified the forged certificates using national covid vaccine apps. This raises the possibility that forgers have gained access to the private keys that health care systems use to guarantee the authenticity of vaccine certificates in Europe and elsewhere in the world.
First some background. Digital vaccine certificates should be hard to forge, at least in theory. For example, countries within the European Union issue certificates guaranteed by a digital certification process.
This works by digitally signing the information using a private key that only the health authority has access to. The signed information is then encoded in a QR code that can be scanned by national covid applications. In this process, the signature is verified using a public key that is available to any organization wishing to check the certificates.
This is how the authenticity of the certificate is checked. And provided the private key is secret, these certificates should be almost impossible to forge.
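The check described above, as an added example that is not from the researchers or from any national app: a simplified signed record in Go, verified with the issuer's public key. The `Cert` type, the JSON payloads and the ECDSA P-256 choice are assumptions for illustration, not the real certificate format. The last case shows why a record signed with the genuine key verifies whatever identity it carries, so the verifier alone cannot tell a leaked key or a misused issuing system from a legitimate issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert is a simplified stand-in for a vaccination certificate (assumed format).
type Cert struct {
	Payload []byte // constructed sample data
	Sig     []byte // ASN.1 ECDSA signature over SHA-256(Payload)
}

// Issue signs the payload with the issuer's private key.
func Issue(priv *ecdsa.PrivateKey, payload string) Cert {
	h := sha256.Sum256([]byte(payload))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	return Cert{Payload: []byte(payload), Sig: sig}
}

// Verify is the checking app's side: it needs only the trusted public key.
func Verify(pub *ecdsa.PublicKey, c Cert) bool {
	h := sha256.Sum256(c.Payload)
	return ecdsa.VerifyASN1(pub, h[:], c.Sig)
}

// Demo returns the verification result for four constructed cases.
func Demo() (genuine, tampered, wrongKey, genuineKeyFakeID bool) {
	authority, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	outsider, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	trusted := &authority.PublicKey
	issued := Issue(authority, `{"name":"Alice Example","doses":2}`)
	genuine = Verify(trusted, issued) // true: untouched record
	edited := Cert{Payload: []byte(`{"name":"Mallory Example","doses":2}`), Sig: issued.Sig}
	tampered = Verify(trusted, edited) // false: payload changed after signing
	wrongKey = Verify(trusted, Issue(outsider, `{"name":"Mallory Example","doses":2}`)) // false
	// Signed with the authority's key: verifies regardless of who is named.
	genuineKeyFakeID = Verify(trusted, Issue(authority, `{"name":"Nobody Example","doses":2}`))
	return
}

func main() {
	fmt.Println(Demo()) // true false false true
}
```

For an issuer, the practical consequence is that a suspect record which verifies has to be reconciled against issuance logs and the signing key rotated or revoked if no matching issuance exists.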
Now Dimitrios Georgoulias and colleagues from the Cyber Security Group at Aalborg University in Denmark say that forged certificates are openly available on the Darkweb, the part of the internet hidden from conventional search engines and accessible only with special browsers. The team have even verified that the certificates were valid.
Georgoulias and colleagues used Darkweb search engines, forums and introduction points to find 17 marketplaces and 10 online vendors who claimed to be selling valid vaccination certificates, in both physical and digital versions, for countries ranging from the US and UK to many in the European Union. “It is possible to buy fake vaccination certificates issued in most countries worldwide,” say the researchers.
They investigated several of these outlets, finding one vendor that demonstrated a sophisticated understanding of the way vaccine certificates are created and offered seemingly valid but faked certificates. The sites showed images of the faked certificates, including the QR codes, which allowed the researchers to check them. Some of the certificates were offered with matching fake IDs.
As with much of the merchandise on the Darkweb, the certificates must be paid for with cryptocurrencies such as Bitcoin, which allows the vendors to maintain a level of anonymity. “The pricing differs greatly between the different listings, with the cheapest certificate starting at $39 and the highest price reaching almost $2,800, which included both a physical and a digital certificate, registered in the United Kingdom,” say Georgoulias and colleagues.
The researchers say that some vendors showed signs of being scammers with no product. However, others offer sophisticated payment systems, such as escrow accounts. In this case, the buyer pays the fee to a middleman, who releases it to the vendor only after the buyer has received the goods.
Another approach is for the vendors to offer stolen certificates. In these cases, the QR codes point to real individuals, whom the team endeavored to find. In one case, the team contacted the individual involved. “After explaining the context of our finding, the owner informed us that they had publicly showcased the certificate for professional reasons,” they report.
The team report one particularly sophisticated vendor. “Out of the entire certificate trading market, there was a particular instance that really stood out,” say Georgoulias and colleagues. This site advertised the sale of forged European certificates for a vaccine of the buyer’s choice under a fake identity.
Most of these certificates seem to have been issued in Italy. Further investigation revealed that the certificates appeared valid when checked against national covid apps.
That’s worrying because it implies that the vendors have access to the private key that otherwise guarantees the authenticity of the certificates. “We manage to discover a number of certificates which we are able to verify, raising the issue of malicious individuals having access to governmental systems, which they can manipulate at will, or keys of national health organizations’ having leaked,” conclude the researchers.
That’s a discovery that warrants further investigation.
Ref: Covid-19 Vaccination Certificates In The Darkweb: arxiv.org/abs/2111.12472