Illegal online covid-19 themed activity has gone through several iterations this year. Before the global vaccine rollout took place, the coronavirus-linked online scams and frauds centred mainly around illicit PPE sales, unapproved and unlicensed pseudo-medication (like the infamous hydroxyclorochine) and malicious emails, as well as malware spreading mobile applications (I discussed all of those here early last year).
Now the landscape has changed and while some of the above activities are still taking place, they appear to have been sidelined by the sales of fraudulent covid vaccination certificates and stolen vaccine offerings (nearly all of which are blatant scams) – with the latter being targeted mainly towards third world, developing countries with low availability of legitimate vaccination opportunities.
It appears that currently the biggest and the most popular type of illicit activity is the covid vaccination certificate fraud – including both the paper vaccination certs and the digital one, with a fraudulently generated QR code.
Currently, darkweb vendors (at least in Ireland) offer the above for 350 euro, but there are several darkweb markets where one could obtain them cheaper.
With over 90% of the Irish population vaccinated with a freely available vaccine, this seems to be a bizarre, niche offering, targeting a small section of the society who would be willing to pay premium prices for fake versions of something they could have for free – due to their irrational beliefs in conspiracy theories.
Here is an example of an Irish based darkweb vendor’s posting – which appears to include genuine-looking HSE vaccination card template (impossible to tell if it’s real or not from the image though):
Obviously the idea here is that a purchaser would be able to have a seemingly valid covid vaccination cert with a QR code containing customised (and also valid) personal information – without ever taking the vaccine.
So here is an example of a similar fake covid vaccination cert, created by somebody using a private cryptographic key belonging to the Polish E-Health Centre (“Centrum e-Zdrowia” – I originally found this on a Polish speaking, clearnet forum).
Curiously enough, this QR code contains some rather shocking details (as seen below):
It’s one thing to be able to fake a vaccination pass document in order get into a restaurant or a pub without ever getting vaccinated. But if you are in possession of a fake covid pass that potentially allows you to board a plane or get through a border control check posing as a fully vaccinated person, then we might have a bigger problem.
So I used this official Android app released by the Polish Department of Health to scan the above QR code – and it appears that the QR is legitimate:
This made me spend nearly entire Halloween weekend trying to understand what happened here.
How to decode QR codes
Every QR code is encoded with an alphanumeric string using what’s known as the Base64 encoding scheme.
In simple terms, the information encoded there is reflected in the visual representation of seemingly random square patterns seen in QR codes. This information can be parsed back into Base64 using a great resource provided publicly by GCHQ – namely CyberChef.
- Select the “Parse QR code” option from the list in the top left corner of the web interface (or click here).
- Select the “Open file as input” option from the top right corner mini-pane. Upload the .png or .jpeg (or whatever other format you have) file containing the QR code.
- Select and copy the entire output from the bottom right side of the screen.
NOTE: The HC1: value at the beginning of the string is a verification prefix and not the actual part of the Base64 string, but it needs to be retained here for further examination.
The next stage requires translating the Base64 encoding into Base45 in order to convert the string into human readable format. For this, you will need to have some Python skills.
I really wish I was able to write this script myself – but I’m not. I used a ready-made Python3 script provided by Tobias Schlottke in his excellent Hackermoon article on decoding covid vaccination QR codes. I then ran it from the terminal, having previously installed all the required libraries.
NOTE: Make sure that you carefully follow the instructions from that article, step by step! A common and easily made mistake is forgetting the space between “decode.py” and ‘HC1:, which will prevent the script from running.
So, in the case of the “Adolf Hitler” covid certificate, the following details are presented:
“4”: 1685101990,
“6”: 1635098906,
“1”: “PL”,
“-260”: {
“1”: {
“v”: [
{
“dn”: 1,
“ma”: “ORG-100001417”,
“vp”: “J07BX03”,
“dt”: “2021-07-11”,
“co”: “PL”,
“ci”: “URN:UVCI:01:PL:1/AF2AA5873FAF45DFA826B8A01237BDC4”,
“mp”: “EU/1/20/1525”,
“is”: “Centrum e-Zdrowia”,
“sd”: 1,
“tg”: “840539006”
}
],
“nam”: {
“fnt”: “HITLER”,
“fn”: “Hitler”,
“gnt”: “ADOLF”,
“gn”: “Adolf”
},
“ver”: “1.0.0”,
“dob”: “1930-01-01”
Using the official EU covid QR codes specifications documents (one, two) as reference will allow to understand the less obvious parts of this output:
- “dn”: 1 – number of vaccine doses administered to the person
- “ma”: “ORG-100001417” – vaccine manufacturer code
- “vp”: “J07BX03” – vaccine type (details here)
- “dt”: “2021-07-11” – vaccination date
- “co”: “PL” – vaccination country
- “ci”: “URN:UVCI:01:PL:1/AF2AA5873FAF45DFA826B8A01237BDC4” – certificate ID value
- “mp”: “EU/1/20/1525” – Union Register of medicinal products
- “is”: “Centrum e-Zdrowia” – vaccination certificate issuer
- “sd”: 1 – the number of required doses
- “tg”: “840539006” – covid-19 disease code
This looks to be a legitimate covid-19 certificate!
How could this have happened?
How are fake covid certs generated?
Several theories are plausible here and in fact we can find evidence to support each of those:
- A compromise or a lack of appropriate security measures for login credentials to a legitimate system for issuing covid vaccine passes.
- Unintended leaks of confidential information into the public domain.
- Malpractice and corruption in the medical profession.
Let’s explore each of those below:
1. Blatant security flaws
Through several OSINT techniques (Shodan was of some help here; while I won’t reveal the exact steps taken, you check out my older Shodan content here and here) I was able to locate some scandalously unsecured subdomains of websites that seemingly allow just about anybody to access them and generate seemingly valid covid vaccination certs (or certificates confirming recent covid-19 recovery).
Neither of these were EU-based – but that’s not the point here, since the same situation could have in theory happened anywhere.
In the spirit of responsible disclosure, I obscured the logos of the entities in question and I will not include the exact URLs for these websites.
Also, I already made attempts to contact the website registrants to urge them to disable the subdomains.
The first one was in Uruguay…
As can be seen below, all of the fields can be populated with unverified or completely fictitious information:
The other link pointed to a website in Vietnam and this subdomain was completely unsecured too:
2. Credential leaks on Github
Unauthorised and unintended disclosure happens all the time, be it through regular software development or during major projects that have multiple contributors.
To anybody who works in cybersecurity and who has SOC or incident response experience, it is a well known fact that examples of such data can be found on Github.
So here is the Github page of the EU Digital COVID Certificates (EUDCC) project:
https://github.com/eu-digital-green-certificates
Three days ago one of the contributors submitted an issue, highlighting the exposure of possibly valid cryptographic private keys in a repository used for demo purposes:
The repo was removed, but the possibility of prior leaks of private keys used to cryptographically secure issuance of covid certs really cannot be discounted at this point…
The now defunct link to the Github resource:
https://github.com/eu-digital-green-certificates/dgca-issuance-web/blob/main/nginx/.htpasswd
3. Medical malpractice and corruption
There is a non-technical explanation of how illegitimate covid vaccination certificates can be issued as a result of greed and unethical behaviour of a small minority of trusted professionals.
Here are example posts from underground forums, where fraud resulting from corruption in the medical profession is widely discussed:
- I’m offering a service to make you an European Green Pass (CovidPass). It is not made through hacking the system, but directly through healthcare system and cannot be canceled later. The method is the same as you just visited the place and got the injection, but actually did not. You will receive a GreenPass which is valid all through Europe. Can modify the vaccination day backdating up to 21 days. Contact through Wickr Me: [redacted]. Price: 290USD/250EUR.
- I work at ministry of health of an extra-eu country and now I have the EU green pass valid for one year and it turns out that I am regularly vaccinated at the ministry of health of my state. Of course I did not inject anything. The whole thing cost $ 550, I have to pay two colleagues. I can do it for one person every 2 days. I need the passport details (not the photo) and at least $ 100 for the first dose, after 21 days the second dose is done and the green pass is available. The problem is that I don’t know how to prove the validity of this without disclosing my identity. I’ve already done this for friends but I don’t know how anyone could trust me.
- Selling valid C19 vax certs issued by a real doctor, DM me for details.
Concluding thoughts
Fake covid-19 vaccination certs and passes can pose a real headache to the authorities, who like in the case of the Irish based darkweb vendor above will probably have to investigate if these fraudulently issued certs were created using the true cryptographic private keys.
This approach will most likely require a test purchase, followed by a verification process like the one I used above.
I am not sure if there is a mechanism in place for recalling covid-19 vaccination certs, other than letting them expire over time.
Since it is expected that compromised / leaked / stolen private keys would have been used to create multiple certificates, then the only logical recall mechanism would be to create a ban list for all certificates issued with the use of a specific private key.
This would mean that potentially thousands of people would have to receive new covid-19 certs, created with a freshly made and secure cryptographic private key.
Unfortunately as demonstrated above, this is also a global problem and some countries do not treat the security of their systems as seriously as they should, making matters a hell of a lot worse for everybody.
Great job Matt, using Blockchain maybe a good way of validating certs and help curb counterfeits.
True that!
hola buenas, conseguí entrar en varios sitios web de ese estilo pero cuando me crea el qr no es valido en europa, las app no me da el pase verde.
genero el qr y el pdf pero no me valida el pase.
If anybody is wondering, the credentials have already been leaked for the EU digital green cert’s so I am guessing they have been changed. The credentials are:
dgca-user:$apr1$p/TIVIAC$UPG8QZSTcVd/iJ6AhzEX5/
I am posting them here so you can specifically search them up to research the stories on Twitter etc. and follow the chain backwards. They cannot be abused as they will most certainly have been changed by now.