Image: Check Point Research

Picture these two scenarios. You can get a safe and effective vaccine for free that will protect you and everyone around you from the potentially deadly effects of COVID-19. Or you can spend money to buy a phony vaccine certificate from some anonymous and potentially untrustworthy cybercriminal on the Dark Web. Seems like the right choice is a no brainer. But not for a lot of people.

SEE: COVID vaccination policy (TechRepublic Premium)

Sales and advertisements of fake vaccine cards have been spiking to new levels on the Dark Web, according to a report published Wednesday by cyber threat intelligence firm Check Point Research. Previously, the fake certificates were primarily being sold from the U.S., the U.K. and Germany. But Check Point said it’s now seeing them hawked from all around the world.

Most of the sales are coming from European countries such as Greece, the Netherlands, Italy, France and Switzerland. Cybercriminals are selling fake versions of the NHS COVID pass available in the U.K. and the EU Digital COVID Certificate available through the European Union. Ads for phony COVID certificates have also been floating around in Pakistan and Indonesia.

As the supply of fake vaccine cards have increased, the prices have come down. In March 2021, Check Point found that they were selling on the Dark Web for around $250. Since then, prices have been hovering at $100-$120.

Cybercriminals look for a specific need or desire or fear among people and try to capitalize on it, and the phony vaccine card is a perfect example of this. With anti-vaxxers and others spewing propaganda and conspiracy theories about the vaccine, many people are still resistant to get the shot. However, proof of vaccination is increasingly becoming a requirement for many venues. New York City, for example, will require proof for indoor dining, theater performances, gym attendance and other events.

The need for evidence of vaccination puts anti-vaxxers in a lurch, thus creating a need for phony cards they can use to sneak into public events. The irony here is that these same people who don’t trust the government or scientists or even their own doctors willingly trust a cybercriminal on the Dark Web to sell them a seemingly legitimate-looking but counterfeit vaccine card.

To quell any concerns from potential buyers, the sellers proclaim that their certificates are “verified.” The advertisements try to simplify the process by telling buyers to “let us know what country you are from and what you want.” Offering to contact buyers by Telegram, WhatsApp or email, the sellers promise that payment can be made through PayPal or cryptocurrency.

The ads for the fake certificates also play up the propaganda and the whole anti-vax movement as some type of fight for freedom. Check Point spotted ads with such come-ons as “We are here to save the world from this poisonous vaccine,” “You don’t need to take the jab (vaccine) to have the certificate,” and “Stay away from the vaccine and be safe while we continue this fight.”

Image: Check Point Research

As the delta variant spreads and more organizations and regions require proof of vaccination, sales of phony vaccine cards are likely to continue to rise. As such, Check Point offers a few recommendations for individuals as well as for entire countries.

Avoid the Dark Web. The Dark Web acts a black market for the internet with criminals selling drugs, cybercrime tools, forged documents and much more. Given the illicit and illegal nature of the Dark Web, Check Point advises people to avoid this type of underground marketplace and its sellers.

Maintain a repository of vaccinated people. Countries should create and manage a central repository of tests and vaccinated people to separate those who’ve gotten the shot from those who’ve obtained fake vaccine cards. These repositories should be securely shared with authorized entities within the country.

Manage and secure vaccination certificates. All green passes and vaccination certificates should be managed and encrypted by the approved officials in each country. A QR code should be used to scan and authenticate each certificate.

Foster cooperation. Different countries should cooperate with each other to share vaccination data and create a secure repository with encryption keys. People with legitimate vaccine certificates would then be able to travel among countries, while those with fake cards would be detected.