Corp Comm Connects

Cybercriminals are offering to sell fake Canadian COVID-19 vaccination certificates online

Experts warn lure of fake certificates could also expose the unwary to ID theft or ransomware
Oct. 1, 2021
Elizabeth Thompson

As provinces and employers across Canada increase restrictions on the unvaccinated or introduce vaccine passports, cybercriminals are attempting to cash in by offering fake vaccination certificates for sale online.

Sellers are offering phoney proof-of-vaccination documents for several provinces that apparently look just like the real thing. Some of them even claim to be able to enter the data from the fake certificates into official government databases.

Prices and promises vary, according to offers viewed by CBC News on platforms like Telegram. One seller is offering fake proof-of-vaccination cards or QR codes for several provinces -- including Manitoba and B.C. -- for $200, payable in Bitcoin or Ethereum cryptocurrencies. They promise to deliver the fake documents within 48 hours by mail or in "just a few hours" if they're being sent electronically.

Just minutes after CBC News reached out to the seller, they sent a picture of an Ontario proof-of-vaccination form that appears to be identical to those being issued by many Ontario vaccination clinics. Photos posted online by the seller of fake proof-of-vaccination documents for B.C and Manitoba also mirror official documents.

The seller boasted that information on the bogus cards is entered in provincial databases.

Another seller claimed to be based in Montreal. His channel, which was being followed by 320,065 subscribers when it was viewed by CBC News, included offers of fake proof-of-vaccination from several jurisdictions around the world -- and featured photos of an Alberta proof-of-vaccination certificate that resembles the real one.

There is no way to know how many fake vaccination documents are in circulation in Canada.

Provincial health authorities call into question sellers' claims that they can ensure the fake vaccination data is inserted into government databases.

Provinces say they're protecting their data

Marielle Tounsi, senior public affairs officer for British Columbia's ministry of health, said the province has taken steps to protect the integrity of its vaccine card by using QR codes in addition to government-issued photo ID.

"There is a review process to confirm the validity of records that are uploaded online," Tounsi said. "This helps to ensure that only valid records are recorded in the provincial system.

"Each record submission is reviewed and validated by qualified reviewers that verify the information. Any records that require additional validation are escalated for further review. Any suspicious activity from this review is referred to Information Security and would be reported to the appropriate authorities."

Manitoba's health department says data must be entered into the provincial PHIMS database by government officials, based on an individual's address and immunization record. Anyone unvaccinated in Manitoba who enters a space where vaccination is required, or attempts to, can face a fine of $1,296.

Ontario Health Ministry spokesperson Bill Campbell said more than 80 per cent of Ontario residents over 12 years old already have received two doses and will have access to a secure certificate.

"In addition to the secure watermarked certificate available for download, QR codes will be available in October," said Campbell.

Campbell didn't address the question of whether someone could enter fake vaccination data in the provincial database. He did point out that providing false or inaccurate information to a business about vaccination status could result in a ticket for $750 or a penalty of up to $100,000 and up to a year in jail.

Cyber security experts say they are seeing a sharp increase in the number of offers of fake vaccine certificates in places like Telegram and the dark web -- from people who claim to be able to enter the bogus data into official databases.

Liad Mizrachi, senior researcher with Check Point Software Technologies, looked into some sellers' claims that they have access to the European Centre for Disease Prevention and Control's website of vaccinated people across Europe and can register their customers there.

"The sellers then send false documentation from a fake European Centre for Disease Prevention and Control website, which might convince unwitting border officials or venue staff that a person is genuinely registered as fully vaccinated, which is clearly not the case," Mizrachi told CBC News. "Our CPR team discovered this through a URL embedded in a QR code, which shows a link to the fake database."

Mizrachi said governments around the world should come together on a unified global database to verify legitimate vaccination certificates.

"Not only do unvaccinated people have easy and cheap access to forged documents, but those documents now appear to link to credible-looking websites, making it even easier for fraudsters to slip through the net," he said.