Threat Research

Vaccine Passports for Sale on the Dark Web

By Fred Gutierrez | September 20, 2021

FortiGuard Labs Threat Research Report

Many thanks to Shunichi Imano and Val Saengphaibul, who helped contribute to this blog.

Affected Platforms:    Email clients
Impacted Parties:       Email users
Impact:                        Loss of personally identifiable information and/or money
Severity Level:            Low

The battle against COVID has been waged for almost two years. With over 2 billion people around the globe now fully vaccinated, some countries have introduced a vaccine passport (certificate) program to allow people with proof of vaccination to travel, return to the office, and participate in public events.

For a time, the United Kingdom considered having nightclubs and other similar indoor venues require proof of vaccination for entry by the end of September. However, that idea has since been rescinded. In the United States, President Joe Biden recently mandated that certain members of the workforce be vaccinated, and proof of vaccination may be required. Other activities, like shopping or travel, may be impacted as people abuse the honor system. In the EU, digital COVID certificates already make travel between member states easier. 

Overall, for a variety of purposes, global demand for proof of vaccination is increasing. Because of this trend, opportunistic cybercriminals have begun selling counterfeit vaccine passports on the black market. While this is not necessarily new, unlike other criminal activities, this strategy is going mainstream. FortiGuard Labs has now begun to encounter offers of fake vaccine passports as lures in email scams. Successfully enticing the general population to open a malicious email attachment with the promise of receiving an illegal product may be a first. It reflects how polarizing this issue is and why cybercriminals think that they can successfully exploit it. 

Digital Covid Vaccination Passport

FortiGuard Labs recently observed one email spam that uses the following lure:

Figure 1: Email using social engineering lures to scam victims out of bitcoin, along with their personally identifiable information (PII)

This advertisement for a fake COVID vaccine passport requests payment in bitcoin. As of writing this blog, this bitcoin address has had zero transactions, and no user seems to have fallen for this scam. We also don't know if these criminals ever deliver a fake vaccine passport or if it is just a regular phishing attempt (or both). But what's clear is that scammers ask the target for personally identifiable information (PII) along with USD 149.95 worth of Bitcoin for a potentially double windfall.

Other, more official-looking emails have also been seen using the address of the well-known Center for Disease Control (CDC) of the United States to appear legitimate. Below is a fake CDC email that was recently spotted in the wild.

Figure 2: Fake CDC email

The link in this email did not lead to any official document but instead redirected the user to a legitimate server that had been compromised. While the link has been taken down, indicators suggest that this compromised server was used in a phishing attempt.

FortiGuard Labs has also found various markets on the dark web offering fake vaccine passports. As expected, a wide range of products and services are available, from blank vaccine cards to verifiable passports that can be checked against legitimate vaccine databases worldwide. A single blank vaccination card can be found for as low as $5.00, while buying in bulk may increase a buyer's savings. Of course, there is no guarantee that a purchaser will ever actually receive these documents.

Figure 3: Blank vaccination cards

This is a worldwide phenomenon.

Figure 4: Vaccine passport for Mexico

Figure 5: Italian Green pass

The price increases for those buyers who want their information to be added to legal databases showing they have received the vaccine.

Figure 6: Discounted vaccine passport

Because the market is being flooded with opportunistic counterfeiters, some sellers have begun offering sales and discounts. Others provide an escrow service in an attempt to protect the buyer and the seller. 

On the other hand, not all deep web markets support the sale of fake vaccine passports.

Figure 7: No sale

Vaccine Passport Conclusion

Demand for fake vaccine passports seems to be growing due to the large population of people who refuse (or are unable) to take the vaccine but want to avoid restrictions. Without missing a beat, email scammers and black-market criminals have acted on this demand. FortiGuard Labs recommends practicing due diligence when receiving emails and keep an eye out for these types of scams. 

Fortinet Protections and Recommendations

FortiMail users are protected against this phishing attack.

Because these criminals use phishing techniques to socially engineer and lure victims into following steps laid out by the attacker, it is vital to address these challenges.

The most effective tool in the fight against spam and malicious email links and attachments is a secure email gateway with advanced detection and response technologies. Fortinet's Secure Email Gateway not only sees and effectively stops such threats but can be easily integrated into an organization's larger security strategy, rather than operating as a stand-alone solution, enabling organizations to deploy FortiMail as part of a complete end-to-end security solution.

Organizations are also strongly encouraged to conduct ongoing training designed to educate and inform personnel about the latest phishing/spearphishing techniques and how to spot and respond to them. This should include encouraging employees to never open attachments from someone they don't know and always treat emails from unrecognized/untrusted senders with caution. 

Since it has been reported that many phishing and spearphishing attacks are being delivered as part of social engineering distribution mechanisms, end-users within an organization must also be made aware of the various types of attacks currently in use. This can be accomplished through regular training sessions and impromptu tests using predetermined templates originating from an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links can also help prevent initial access into the network.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program. Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security Subscriptions and Services portfolio.