Boom in Fake Vaccine and Test Certificates on Darknet and Telegram Threatens UK and EU Covid Passport Schemes
May 2021 by Check Point
Check Point® Software Technologies Ltd. is warning that the UK and EU’s Covid passport schemes could unravel if measures are not taken to combat the threat of fake vaccination and counterfeit test certificates that are increasingly being sold on the Darknet and via the messaging app Telegram.
The EU agreement, which comes into law on 7th June, and which launches on 1st July, will provide a free certificate in the form of a QR code on a smartphone or as a paper document, which will show that a person is either vaccinated, has some immunity from having had the virus or has had a recent negative PCR test result. UK travelers who have had both vaccine doses will be able to use the NHS App as a vaccine passport and are expected to be covered under the EU scheme as a third country.
There are also other countries looking to launch their own Covid passports, such as the Czech Republic, France and Germany. Without a global unified approach to verifying the validity of certificates, the fragmented rules and ambiguity play into the hands of hackers and fraudsters, according to Check Point Research (CPR).
CPR also discovered a 500% increase in the number of forged certificate vendors from March to May, showing that the demand to evade inspections is high as we head into the summer holiday season. Customers could be either people who have tested positive, refused to take a test or are unwilling to have the vaccine. It could also be down to the exploitation of innocent users looking for information and guidance, who are lured to fraudulent or suspicious domains, thinking they are genuine.
Travelers need to be wary of misspelled websites and only install verified apps from official sources. They should also be wary of QR codes themselves, as they can serve as a gateway to information stored on the device. Hackers replace legitimate QR codes with one that launches a malicious URL or tries to download customized malware when scanned. The malicious code can then steal the login credentials used for other apps on the user’s phone – such as banking and retail apps – and even make payments.
"We urge governments to come together and act quickly to combat the increased sales of fake certificates on Telegram and the Darknet. Without a central system, it becomes much easier for hackers and fraudsters to fall through the cracks,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point Software. “Individuals must also remember that a QR code is nothing more than a quick and convenient way to access a website link; a link that in many cases they don’t even see. It’s not possible, therefore, to be certain that the resource is legitimate, and an attack could have already started. The EU says that its planned vaccination passports will be safe and secure, but hackers will always evolve to exploit new opportunities, and so we strongly advise everyone to use a mobile security solution that will protect their devices and data against phishing, malicious apps and malware.”