Telegram Fraudsters Ramp Up Forged COVID-19 Vaccine Card Sales

A new type of fraud is spiking across the platform: Selling fake vax records to people who want to lie their way into places where proof of vaccine is required.

Telegram groups are being abused by fraudsters peddling fake COVID-19 vaccination cards to the unvaccinated and anti-vaxxer communities, according to researchers.

Brittany Allen, trust and safety architect at Sift, noticed the illicit sales on the encrypted messaging platform as COVID-19 vaccination began to ramp up earlier in the year. Several groups circulating on Telegram specialize in different types of fraud, including selling stolen credentials or credit-card numbers, as well as guides on how to defraud certain companies. Lately, though, fraudulent vaccination cards have become a hot commodity, she said.

Figure: Ads on Telegram. Source: Sift.

“When it became a bigger possibility of being able to travel, or when certain events began to require proof of vaccination, we started to see people posting vaccine cards for sale or soliciting vaccine cards for themselves,” she told Threatpost in an interview.

It is illegal to make or buy fake COVID-19 vaccination record cards with an official government agency’s seal, according to the FBI. “[T]he unauthorized use of an official government agency’s seal (such as HHS or the Centers for Disease Control and Prevention (CDC)) is a crime, and may be punishable under Title 18 United States Code, Section 1017, and other applicable laws,” according to an FBI warning about fake vaccination cards.

Even so, “more and more posts or messages about cards for sale started popping up in February, and then it really began to take off towards the end of March and through April,” Allen said. “I saw in the news recently that you can now travel to Iceland, and vaccinated U.S. citizens can travel to the E.U., and some universities are actually now requiring that for the fall. As the need to show proof of vaccine increases, we’re definitely going to see even more of this; we haven’t reached the peak yet.”

She said that some of the activity consists of one-off posts in fraud-oriented groups with names like “Bitcoin Bandits” – but increasingly, some Telegram groups (with hundreds or even thousands of members) now specifically focus only on selling fake vaccine cards.

Fake Cards, Fake News, Real Vaccine Recipient Data

Allen also noted that while the cards themselves may be forged, the data included on them may not be. One ad, which she called “pretty standard,” hawks CDC cards for U.S. citizens, with the claim that they’re “registered, checked and verified within the CDC system online.”

“It’s likely that they are either pulling vaccine batch numbers and names from people who have publicly posted pictures of their vaccine card to social media, or from some kind of phishing source,” Allen explained. “But they’re saying that these numbers will check out.”

Another aspect of the activity is a reliance on misinformation, she added, with posters offering videos and articles spreading anti-vax propaganda and fear-mongering stories about vaccine side effects. One “news story” for instance is making the rounds that claims that rapper DMX was killed by a vaccine.

Figure: Misinformation pairs with fake card offers. Source: Sift.

“What I find really significant is that they also pair the card offers with fake news,” Allen said. “Time and time again in these groups, videos will come up supposedly showing someone dying from receiving the vaccine. Or someone has a reaction and drops to the floor. You’ll commonly see posts about how the vaccine will cause you great harm.”

The fake news is then followed by an exhortation to group members to benefit from the freedom that being vaccinated gives people, without having to actually take the jab, by, of course, buying a fake card.

“They’re definitely using those sort of fear factors within their pitch,” Allen said.

Those selling the cards will also locate potential customers by leveraging misinformation on social media and haunting message boards. For instance, sellers may respond to anti-vaccination comments on Facebook news stories, asking the commenter to join them on Telegram.

“I have seen within some of the cryptocurrency Reddit groups that I also follow several invite links to Telegram,” Allen said. “In some subreddits that can get the user throttled, and it will say, ‘this comment has been deleted because it contained a Telegram invite link,’ which to me says that Reddit is seeing a lot of abuse. Going outside of Telegram and trying to invite others to join them, that’s a prevalent way of getting people to come to the communication platform that’s preferred by the fraudster.”

Vax-Card Fraud: An Easy-to-Enter Enterprise

Figure: The cards are easy to forge. Source: Sift.

Many of the fraudsters will post examples inside their Telegram groups of the cards that they have ready to sell, which are indistinguishable from the genuine article. Vax cards, after all, don’t have watermarking or any other particularly difficult-to-replicate features. Allen noted that, just like on illicit markets, there’s an entire economy wrapped up in the Telegram fraud community that relies on different goods and services being on offer, which means that good-quality document forgers are readily accessible.

“There is a great interconnected web of fraudsters who have specializations,” she explained. “There are fraudsters who specialize in document creation, whether that’s fake IDs, or a fake proof of address so that you can register a house on Airbnb to then commit money laundering. And so for them to make one of these cards is pretty easy.”

In terms of cracking down on the vaccine-card enterprise overall, Allen said that Telegram group members can report inappropriate conversations or illegal activity. However, group shutdowns are rare.

“I’ve only ever seen one or two of them actually shut down, and in that case, they just shift to a different channel and their names pop up again,” Allen said. “Telegram is an app that’s very privacy-forward, so privacy-focused fraudsters feel comfortable talking there.”

Usually, the postings will include direct contact information to take any conversation with prospective buyers outside of Telegram. The researcher said that even if fraud groups are shut down by Telegram, the postings will remain accessible, which still gives people an avenue to participate in the fraud.

For now, there’s very little standing in the way of the activity. That could change, Allen said, if checks are actually done to make sure that the vaccine information given is legitimate and actually attached to an identity.

“What would really be beneficial is for agencies or countries to become able to make some assessments on the validity of that proof of vaccine,” Allen said. “But there isn’t really a precedent for it, even in today’s day and age, there’s no overall governing check that matches the name of somebody to their Social Security number, for instance. One possibility is leveraging machine learning and large sets of data, maybe trying to see if there’s a geographic mismatch between where a vaccine batch was sent to versus where this person said they got the shot. And the obvious next step is to kick up the difficulty and go beyond the paper cards, to then start using vaccine-passport apps.”

As ever, there’s likely to be an arms race if the level of difficulty in carrying out the fraud increases.

“We could potentially see fraudsters leveraging data breaches of the companies that do have records of vaccine, distribution and administration – such as maybe CVS Pharmacy or Walgreens, or even data breaches of those types of passport apps such as the one that IBM is developing,” Allen said.

COVID-19 Telegram Fraud: No End in Sight

It’s unlikely that the activity will wane anytime soon. Telegram hit more than 500 million users in January, and has long offered plenty of havens for scammers and fraudsters. COVID-19 has simply offered new opportunities for the criminally minded, Allen said.

“There are of course other scams related to COVID-19, whether they are spreading fake vaccination web registration websites to harvest information from people, or are actually selling vaccine vials that have been stolen from pharmacies and other locations,” she said. “But the cards are really ramping up, just for that purpose of being able to participate in the things that increase mobility or attending events that a vaccine card will give you access to.”
