Anti-vaxxers clicking on web links to get bogus vaccine passports are opening doors for cybercrooks to upload malicious software onto their phones and computers, a Burnaby cyberdetective says.
Such offers are called lures, part of efforts by cybercriminals to trick people into installing malware onto their devices. That malware can do many things, including giving crooks access to financial information and other private data.
As of September 13 in B.C., patrons must display vaccine passports at events and locations like concerts, sports games, pubs, restaurants and certain types of fitness activities. Grocery stores, retail outlets and health-care centres are exempt.
Those without vaccination can’t get them, leaving the door open for crooks to take advantage of a demand for fake passports.
The Canadian Anti-Fraud Centre says it has already received four reports of fake vaccine passports. And, B.C.’s Ministry of Citizens’ Services told Glacier Media it’s also “aware of the increase in COVID- and vaccine-themed scams.”
“At this point, there is no indication of malware being installed on their devices,” the centre said in a statement to Glacier Media. “This is only based on the reports we have received.
“First rule to protect would be not to download a fake vaccine passport. Always verify the source you are downloading from, but if they are looking for a fake passport, obviously it would not be a trustworthy source.”
Derek Manky, chief of security insights and global threat alliance for Fortinet (NASDAQ: FTNT), a California-based company with a research and development centre in Burnaby, said the offering of such fraudulent passports is becoming a worldwide issue, although his company has yet to see it in B.C.
There have been problems in Quebec in which hackers obtained QR codes tied to Quebec’s vaccine passport campaign, including those belonging to Premier François Legault and Health Minister Christian Dubé.
“It’s troubling,” Manky said. “It’s a problem.”
FortiGuard Labs has also noted dark web markets offering fake vaccine passports.
“A wide range of products and services are available, from blank vaccine cards to verifiable passports that can be checked against legitimate vaccine databases worldwide,” a FortiGuard blog post said. “A single blank vaccination card can be found for as low as $5.00, while buying in bulk may increase a buyer’s savings. Of course, there is no guarantee that a purchaser will ever actually receive these documents.”
Prices vary but increase with offers to buyers who want their information supposedly to be added to legal databases showing they have received the vaccine.
Demand for fake vaccine passports seems to be growing due to the large population of people who refuse (or are unable) to take the vaccine but want to avoid restrictions. Without missing a beat, email scammers and black-market criminals have acted on this demand.
The use of lures by cybercrooks during the pandemic is not new. Through different schemes, crooks have managed to target those desperate for information or solutions throughout the past 18 months.
And, Manky said, governments are aware of the threats that manipulation or “social engineering” of people by cybercriminals, and the harms data thefts pose as a result.
In some cases, crooks ask for information such as name, birthdate, regular passport number, ID card numbers and choice of country for the vaccine passport.
Manky said people are catching on to the potential harms and cybercrooks’ methods but he stressed vigilance remains essential.
And, vigilance is part of what B.C.’s government has built into the province’s passports.
“We’re taking all reasonable steps to prevent fraudulent activity, including protecting the integrity of the BC Vaccine Card by supplementing it with a secure QR code plus the requirement to show identification,” the ministry said. “Scanned QR codes are the most trusted and secure method to verify information. The BC QR codes follow SMART card standards and can only be scanned and read by SMART card scanner technology.”
Further, the ministry said, "SMART Card standards require that the B.C. QR code include a digitally encrypted signature and key to validate the QR code as from B.C. And, businesses in B.C. must use the BC Vaccine Verifier app and a forged QR code would be flagged as it would not include this key.”