Cybercriminals are exploiting the confusion around vaccine passports to sell fake credentials and steal sensitive information, as the federal government races to put together a fully functioning proof of vaccination system.
With vaccination certificates set to dictate whether a person can travel overseas or participate in public activities, security software company Check Point’s research has found sellers of fake vaccine certificates have increased from about 1000 on August 10 to more than 10,000 this month, with criminals utilising a range of tactics to collect cash and credentials.
Fake Australian vaccination certificates are for sale on Telegram for as low as $110.
“Cybercriminals, obviously, are trying to leverage the news of the day, and right now that’s vaccine certificates and vaccine passports,” said Check Point security expert Ashwin Ram.
Many reports in the media have highlighted the fact that Australians will soon need to prove their vaccination status to enjoy certain freedoms, including travel and access to venues. But with details about how that proof will be delivered still up in the air, criminals are crafting scams to convince vaccinated people they need to pay to get an official certificate.
In other cases the scammers offer the certificate for free, but the targets are asked to fill out a form with sensitive data that the criminals can use for identity theft, Mr Ram said.
“They’re being fooled into thinking that the only way to gain access to vaccine proof is through this method. But what they’re actually doing is providing threat actors with just so much information. Legitimate, current information. Which can be weaponised.”
Fake vaccination certificates for 28 countries, including Australia, were also being sold online by cybercriminals to individuals who don’t want to get vaccinated. An Australian certificate goes for about $110. Rather than lurking on the dark web, Mr Ram said criminals spread misinformation about the risks of vaccination on secure messaging app Telegram to spot victims.
“Right now there is no real way to quickly validate if a vaccine certificate is actually fake or legitimate, and cybercriminals are using that to their advantage,” he said.
“[The certificate you get from Medicare] can be easily manipulated using various off-the-shelf editing tools for example. And as agencies have updated the requirements, and the configuration of the way the document looks, cybercriminals have been able to do that rapidly as well.”
Check Point even found a bot on Telegram that offered free doctored certificates, and all customers had to do was input their personal information to customise the forgery. Of course, their information was passed back to the scammers for use.
The federal government’s lead agency for cybersecurity, the Australian Cyber Security Centre (ACSC), is providing guidance on the various vaccine certificate systems currently under construction.
An ACSC spokesman said the pandemic has provided fertile ground for cybercriminals to peddle their dodgy digital wares.
“From 1 July 2020 to 30 June 2021, ACSC received over 1500 cybercrime reports, or around four per day, that related to the COVID-19 pandemic.”
“The ACSC has disrupted over 110 malicious COVID-19 themed websites, with assistance from Australia’s major telecommunications providers,” the spokesman said.
Solution needs to be secure, accessible
Both the New South Wales and Victorian state governments are working to allow their smartphone apps to display vaccine status from Medicare. Home Affairs Minister Karen Andrews also said recently that a new digital declaration form would soon be used to validate international travellers’ vaccination status.
Sean Duca, regional chief security officer at cybersecurity company Palo Alto, said in the near future people will likely need to be issued with digital credentials to eliminate forgeries.
“I’ve got a digital driver’s licence in that same app, so I would assume moving forward there’s probably going to be a similar level of sophistication [for vaccine certificates],” he said, suggesting the credential could be swiped or manipulated in real-time to prove it was genuine.
In the meantime, apps could generate QR codes on demand that could be scanned by authorities or customer service people, validating a person’s identity and their vaccination status.
“It will be generated on the spot, with a time stamp built in; that’s the way we’re going to avoid anyone fudging the system,” Mr Duca said.
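To illustrate the idea Mr Duca describes, here is an added sketch (not from the article or any government app) of a QR payload that carries a timestamp and an integrity tag, so an edited or screenshotted code fails verification. The key, field names and 60-second window are assumptions, and an HMAC stands in for the public-key signature a real issuer would use.

```python
import base64
import hashlib
import hmac
import json

# Assumption: constructed demo key. A real issuer would sign with a private
# key and venues would verify with the matching public key.
ISSUER_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 60  # assumed freshness window for an on-the-spot code


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(holder: str, status: str, now: int) -> str:
    """Build the string the app would encode into a QR code."""
    payload = json.dumps({"holder": holder, "status": status, "iat": now},
                         sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, now: int) -> tuple:
    """Return (accepted, reason): integrity is checked before freshness."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong part count or invalid base64
        return False, "malformed"
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"  # payload was edited after issue
    age = now - json.loads(payload)["iat"]
    if age < 0 or age > MAX_AGE_SECONDS:
        return False, "stale"  # e.g. a screenshot shown minutes later
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    code = issue_token("Sample Person", "vaccinated", t0)
    print(verify_token(code, t0 + 5))    # fresh scan
    print(verify_token(code, t0 + 600))  # replayed screenshot
```
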
State apps currently used to scan QR codes will be updated to keep track of the users’ vaccine status. Credit: Eddie Jim
However, Shane Day, chief technology officer of identity and security firm Unify Solutions, warned that creating a secure and effective digital system was only half the battle. Government agencies also need to get the message across to people who didn’t necessarily have a lot of technological literacy, and prove it was secure before mandating its use.
“There’ll be sectors of the community that will just accept it because they’ve grown up accepting these kinds of things already. Others will be sceptical but they’ll go along with it. And there will be other parties that will want to know it’s secure, but possibly don’t have the experience to understand if the technology proves that it is,” he said.
“And they can’t be separated from society because of that. There’s got to be industry and government collaboration to educate people on how these things work. I don’t think we do enough of that to be honest.”
David Spriggs, chair of the Australian Digital Inclusion Alliance, said access to the technology and skills needed to use QR codes and digital health certificates remain an issue for a significant number of Australians, including older people, people in low-income households, people living in rural and remote areas, and Indigenous Australians.
“While there is rightly much focus on older members of the community, the issue is much broader as we have seen with so many families on the wrong side of the digital divide, as part of homeschooling during the pandemic,” he said.
“The goal is to ensure every Australian has the skills and access necessary to participate in a digital economy. But until we reach that goal, it is necessary from an inclusion perspective to build non-digital options for mandated activities.”