April 18, 2024
There is light at the end of the coronavirus tunnel: Countries are now beginning a gradual return to normalcy thanks to vaccination programs. Many people—cybercriminals included—are most looking forward to going on post-vaccination vacations and catching up on all the travel that’s been missing over the past year. Countries are opening up their borders to foreign visitors, albeit with restrictions or requirements such as proof of vaccination or a negative coronavirus test. We’ve seen before how COVID has had a particularly significant impact on the dark web travel market, with dark web travel agencies offering cut-price airline tickets and hotel reservations.
With that in mind, our team at Photon wanted to examine the dark web response to COVID vaccinations. In this blog, we traverse the deep and dark web to investigate how the beginning of the end of the pandemic is impacting the microeconomy of cybercriminal marketplaces and forums.
Our research revealed that the so-called “renderers”—dark web document service vendors who have traditionally supplied fake drivers’ licenses, passports, and bank statements—have pivoted to producing coronavirus-related documentation in response to enquiries from other threat actors.
At the start of the pandemic, negative test certificates were highly sought-after, often requested by buyers looking to get out of a country. For example, one cybercriminal forum user requested a COVID-19 “certificate” for “escaping from Mexico.” A threat actor on a different platform requested a “rendering of an international COVID certificate.” We found similar requests for certification of a negative test across multiple sites, with buyers typically expressing their need to leave or enter a foreign country.
Dark web graphic design services have also been in demand since the start of the pandemic. An 18GB folder of “Covid-19 Graphics, Photos, Videos & More” that was shared on an English-language cybercriminal forum in July 2020 was still being downloaded in March 2021, likely for use in coronavirus-related targeted phishing campaigns.
Document vendors responded quickly to this demand, with many established sellers updating their dedicated threads to advertise “Covid” document services. One established document vendor posted in their dedicated forum thread in March 2020 that they would provide a “coronavirus fake.” Another offered a “covid quarantine passport” alongside their other document services. One particularly sinister offering came from a vendor who advertised fake death certificates with “COVID” listed as the cause of death. The mind boggles thinking of the many potential malicious schemes that could benefit from such a document.
From October 2020, we even saw document service vendors who only sell fake medical documentation, thus forgoing the more established practice of offering such documents alongside passports, drivers’ licenses and utilities.
It wasn’t just fakes created from scratch either. A seller of stolen medical documents announced in the title of their thread that their haul included 300,000 negative “COVID tests.” We found many such databases on English language forums in particular. Vendors usually stated the number of available COVID-19 test records in the titles of their thread—a clear indicator of what they believe their target market desires.
Negative test certificates were “all the rage” in 2020 and are still highly sought after. However, nowadays we’re seeing many more vaccination-related requests, with users across multiple platforms seeking “Covid vaccine certificates.” For example, one threat actor requested “a high quality replica/scan of COVID vaccine certificate” that must be “authentic, and re-created properly,” adding that it “need[s] to be able to be modified for personal use.”
Similar to the start of the pandemic, document service providers are responding to the shift in demand by offering up these fake COVID-19 vaccine certificates. For instance, one seller on a Russian-language forum advertised an “inoculation certificate for Covid” for “those who don’t want to get vaccinated” for the asking price of RUB 10,000 (USD 132.25). They remarked in a later post that it would also be possible to get “an official one” through “government services,” which was priced at RUB 35,000 (USD 462.88). The availability of such documents is not limited to a particular geography; a vendor on one English-language forum advertised a “COVID-19 (SARS-CoV-2) Vaccination Paper/Card” and remarked, “I’m not responsible for anything you do with this card.”
However, it appears that supply has not entirely caught up with demand: Not all vendors have made the switch from negative tests to vaccination certificates. This is reflected in the high number of users requesting these certificates and the high price charged by those selling them. It’s possible that this is simply because vaccination was not a valid option until recently, especially for those under a certain age. It would raise a few eyebrows if you arrived at a hotel with an inoculation certificate before vaccines were even available. The nascent demand for this new documentation is there, though, and it is surely only a matter of time before supply catches up.
In short, work and travel. Our research uncovered some unusual drivers for the supply chain in vaccination certificates. For instance, one forum user wrote, “Work has asked that I get vaccinated, but for various reasons I don’t want to.” They expressed interest in “a medical form, certificate for antibodies presence etc.”
Yet most vaccine certificates bought on cybercriminal platforms are highly likely intended to help get around travel restrictions. One forum user explicitly asked if such a certificate would allow them to travel abroad. In March 2021 a vendor on an English-language platform addressed this specifically, advertising a COVID-19 “vaccine passport” to buyers who “want to travel freely without being jabbed.”
Our last blog on travel vendors reported that they had been forced to adapt to the restricted landscape of international travel. These vendors offer heavily discounted flight tickets and hotel rooms, either stolen or purchased with airline points or stolen credit cards. While some greatly reduced their services or shut up shop, many sellers simply switched the destinations they offered depending on what travel was available to them at the time. One vendor explained that they couldn’t offer hotels in Russia or Bali at the time, though “we’re still doing all other countries.”
Several prominent travel vendors we mentioned in previous blogs, such as “serggik00” and “Patriarh”, have resumed regularly updating their dedicated threads, posting reviews from those using their service. serggik00 even uploaded a post to their dedicated thread in April 2021 to celebrate the anniversary of their sixth year in business – and business is good. For various reasons, including those unrelated to the coronavirus, others have failed to weather the storm. “Rapesec”, for instance, shut up shop after law enforcement took down the cybercriminal marketplace Dark Market in January 2021.
While some travel vendors have taken a “not my problem” approach to the possibility that their customers won’t be able to realize their bookings due to a lack of medical documentation, others have recognized the restrictions and passed on this warning to their customers. One travel vendor announced on their dedicated thread: “!!! Warning !!! If you are planning to holiday in Krasnodar Krai in the near future, then understand that hotels require a negative Covid test certificate. The certificate must be obtained no earlier than 48 hours before checking in.”
We had wondered if any travel vendors would have moved into the document service scene in order to provide a sort of “package deal” that would include travel documents such as airline tickets and hotel bookings, as well as vaccination and test certificates, but this does not appear to be the case. Similarly, we did not find any evidence that travel vendors were forming partnerships with or recommending document vendors, in their dedicated threads. It is up to travelers to sort out all the documents they need on their own. Perhaps the skills needed to organize fraudulent hotel bookings and airline travel have little cross-over with medical document forgery. Best leave that up to the traditional document renderers.
Just like they’ve always done, users of dark web forums and marketplaces are responding to real-life events. They’re taking full advantage of the prospect of international travel resuming once again. As travel restrictions are lifted, we can expect to see more and more document “renderers” offering COVID vaccination certificates or travel papers.