Updated on January 12th, 2021
Since the publication of this report, multiple vaccines have gained approval and the largest-ever global vaccination campaign is rolling out, with nearly 30 million vaccine doses administered to people in over 40 countries. However, this hasn’t stopped dark net vendors from touting fake offers of vaccines. In fact, the opposite has happened: the numbers of vaccine advertisements has exploded and the asking prices have doubled or even quadrupled. We believe this is because of a spike in demand from individuals who don’t wish to wait weeks or months to receive their vaccination from their countries’ governments.
In the past month, we noticed that a dark net search for Covid-19 vaccines returns multiple pages of results, amounting to hundreds of advertisements, presenting an overall 400%-plus increase since early December. The screenshot below shows a simple search query that returned over 340 advertisements, in 34 pages, compared to just 8 pages of results from a similar query we ran early December.
The prices of vaccines have also risen sharply. In our previous report we saw an average median price tag of $250. Now our research shows vendors have now doubled or even quadrupled their prices, asking $500 or even up to $1000 for an unspecified dose.
The range of vaccine brands has also changed. Before approved vaccines started to be distributed globally, we saw sellers offering ‘made in China’ vaccines, which were unbranded and not FDA approved. Since the distribution of FDA-approved brands globally, most sellers are now advertising selling these as named brands, or simply not specifying the vaccine’s brand.
To test how trustworthy a dark net transaction is, our researchers placed an order for a vaccine dose from a vendor, using Telegram for the interaction. We got the vendor’s contact details and phone number via a dark net forum and contacted them via their Telegram user name. We were offered a Chinese vaccine – with the price tag of $750. We made the payment using Bitcoin, sent our delivery address and asked for the shipment details. After a few days with no response, we received a message from the vendor saying the vaccine had been shipped to our address. A few days later, the vendor’s account was deleted and – you guessed it – we are still waiting to receive our package. This is just one example, but you can perhaps draw your own conclusions about how reliable a dark net transaction is likely to be.
We also noticed that several vendors claim to supply vaccine doses in bulk, not just single shots. One of the vendors we communicated with claimed to be able to sell an order totaling in 10,000 vials, enough for 5000 people (every vaccine needs to be delivered in two doses, 21 days apart). Due to the size of the shipment the vendor suggested shipping it in 3 – 4 different shipments, at a total price of $30,000. Based on our experience of attempting to purchase a single dose, it is likely that a buyer would never receive anything at all, let alone genuine approved vaccines.
Published December 11th, 2020
- Range of counterfeit coronavirus vaccines and medicines offered on darknet
- Vaccine-related phishing campaigns take advantage of the global race to deliver the shots
- Covid vaccine-related domains show sharp rise in parallel to news of successful results in clinical trials
Although the Covid-19 pandemic continues to spread and disrupt our lives, societies and economies, there is now light appearing at the end of the tunnel. Several vaccines are being fast-tracked towards mass production in a race to overcome the coronavirus crisis and, in the longer term, to improve our response to future pandemics.
The past year has seen an unprecedented global effort to develop shots that will bring the pandemic to an end, with the eyes of the world watching. Moreover, we are seeing progress. Pfizer Inc. and BioNTech SE’s vaccine has already been approved for use in the UK, with other countries expected to follow suit in the coming weeks after a study showed it was 95% effective while vaccines from Moderna Inc. and the Russian Sputnik vaccine have achieved similar results, according to trial analyses. AstraZeneca Plc and its partner, the University of Oxford, has also had favorable results for its vaccine.
Unfortunately, while most of us are watching with hope, there are some watching with greed and malice in their minds, with the intent of capitalizing people´s concerns about Covid-19 and desire to be protected against the risk of catching it.
Coronavirus ’medicines’ and vaccines available on the dark net – at a price
The news that coronavirus vaccines are now available and in the process of being administered at scale via the world countries healthcare systems has driven global interest and expectation. Yet for those who have the means and do not want to wait, there are of course vendors on the dark net claiming to have a range of vaccines for sale Check Point Research (CPR) found a stream of posts on the dark net from sources claiming to have a range of “Coronavirus vaccines ” or “Coronavirus remedies” for sale. In fact, Europol, the European Union Agency for Law Enforcement Cooperation, has already issued an early warning notification on vaccine-related crime during the pandemic.
The range of medicines advertised by these vendors is extensive, from “available corona virus vaccine $250” to “Say bye bye to COVID19=CHLOROQUINE PHOSPHATE”” to “Buy fast.CORONA-VIRUS VACCINE IS OUT NOW.”, and we have no way of knowing whether these are genuine.
All of the vendors found only accept payments in bitcoin, minimizing the chance of being traced; casting further doubt on the authenticity of the medicines, they are selling. When researchers communicatedwith one vendor, they offered to sell an unspecified Covid-19 vaccine for 0.01 BTC (around US$300), and claimed that 14 doses were required. This advice contradicts official announcements, which state that some coronavirus vaccines require two shots per person, each administered three weeks apart.
In this example, the seller claims to have stock from a leading pharmaceutical, a newly approved vaccine available for sale and delivery to the UK, U.S. and Spain that isjust one WhatsApp or Telegram chat away!
In the following advert, we see a vendor offering Chloroquine as a regular coronavirus “treatment”, for only US$10 with the claim that “Hydroxychloroquine, a medicine for malaria that has been touted as a treatment for coronavirus.” This follows statements from outgoing U.S. President Donald Trump who touted the use of hydroxychloroquine to ward off coronavirus, in contradiction to the advice from his own public health officials.
Sharp rise in Covid-19 vaccine related domains in November
November’s positive news about vaccine trials and imminent availability has also driven a surge in new web domains that relate to Covid-19 or vaccines being registered. Our data shows that since the beginning of November there were 1062 new domains, which contain the word “vaccine” that were registered, out of which 400 also contain “covid” or “corona”. 6 of these sites were found to be “suspicious”. These figures are equivalent to the previous 3 months (August, September and October) combined.
New vaccine-related phishing email campaigns
Besides trying to sell fake Covid-19 medications and vaccines, threat actors are also using vaccine-related news as bait for their phishing campaigns. We have previously reported that cyber criminals are taking advantage of vaccine developments, resulting in malspam campaigns seen in the wild.
These emails delivered malicious .EXE files with the name “Download_Covid 19 New approved vaccines.23.07.2020.exe” that when clicked on, installs an InfoStealer capable of gathering information, such as login information, usernames and passwords from the user’s computer to enable threat actors to take over accounts.
Another recent email campaign detected by Check Point Research, contained the subject “pfizer’s Covid vaccine: 11 things you need to know” (in English and Spanish) and a malicious executable file named “Covid-19 vaccine brief summary” which has been detected as Agent Tesla.
Agent Tesla is an advanced RAT functioning as a keylogger and information stealer capable of monitoring and collecting a victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
We expect that this vaccine-related campaign is the first of many more that will target both organizations and individuals over the coming months, as the race to deliver vaccines globally approaches the final stages.
Attacks have been attributed to state-backed hackers as well as criminal groups. Microsoft said in a recent report that it has detected attempts by Russian- and North Korean-backed hackers to steal valuable data from leading pharmaceutical companies and vaccine researchers. The company said that most of the attacks in recent months were unsuccessful, but provided no information on how many succeeded or how serious those breaches were. Chinese state-backed hackers have also been targeting vaccine-makers, the U.S. government said in July while announcing criminal charges.
Pandemic-related developments will feature in 2021’s cyber threats
The Covid-19 pandemic has been a true ‘black swan’ – an ultra-rare yet high impact event that has derailed business as usual. Hackers have also sought to take advantage of the pandemic’s disruption: 58% of security professionals have reported an increase in cyber threats since lockdowns started.
In a recent report, we detailed what we expect to see in the cyber landscape over the next 12 months, and Covid-19 related issues were prominent. As Covid-19 will continue to dominate headlines, news of vaccine developments or new national restrictions will continue to be used in phishing campaigns, just as they have been through 2020. The pharma companies developing vaccines will also continue to be targeted by malicious attacks from criminals or nation-states looking to exploit the situation.
To protect yourself and your organization against stealthy phishing attacks, here are our tips:
- Check the full email address on any message you receive and be alert to hyperlinks that may contain misspellings of the actual domain name.
- Verify you are using a URL from an authentic website: One way to do this is not to click on links in emails, and instead click on the link from the Google results page after searching for it.
- Beware of lookalike domains: spelling errors in emails or websites, and unfamiliar email senders.
- Protect mobile and endpoint browsing with advanced cyber security solutions, which prevent browsing to malicious phishing web sites, whether known or unknown
- Use two-factor authentication to verify any change to account information or wire instructions
- Never supply login credentials or personal information in response to a text or email.
- Regularly monitor financial accounts.
- Keep all software and apps up to date.
- Always note the language in the email: Social engineering techniques are designed to take advantage of human nature. This includes the fact that people are more likely to make mistakes when they are in a hurry and are inclined to follow the orders of people in positions of authority. Phishing attacks commonly use these techniques to convince their targets to ignore their potential suspicions about an email and click on a link or open an attachment.
Data used in this report present data detected by Check Point’s Threat Prevention technologies, stored and analyzed in ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from the Check Point Research (CPR) – The intelligence & Research Arm of Check Point.