Cybercriminals threaten to hack EU hospitals in latest COVID-19 vaccine scam

Cybercriminals are demanding people's personal information and claiming to have the ability to falsify vaccination records at hospitals across the European Union.

Cybersecurity experts have uncovered a new COVID-19 vaccination scam involving hackers tricking victims into providing their personal information under the assumption that cybercriminals can hack into European Union hospitals and falsify vaccination records.

DarkOwl, the cybersecurity firm that uncovered the scam, notes that the EU Digital COVID Certificate program and most EU hospitals have stringent cybersecurity measures in place to protect user data. 

But hackers that are allegedly part of a gang called Xgroup are offering to add non-vaccinated people to the national COVID-19 vaccine registers that feed into the EU database, asking victims for a trove of personal data under the guise of theoretically adding it to the EU Digital COVID Certificate program. DarkOwl's lead analysts said they believe the culprits behind the scam are based in the US. 

"This is very likely a scheme to steal people's information and money. Scammers are always willing to prey on the vaccination-hesitant and those who desire a record of vaccination without actually getting the vaccine," DarkOwl CEO Mark Turnage told ZDNet. 

"The offer has been circulated across multiple darknet forums and discussion groups. The cyber criminals also host a dedicated hidden service promoting their services. This very well could be a scam and they do not have the skills or access to actually hack any EU hospitals' vaccination databases. Nevertheless, the idea is novel and it is not out of the realm of possibility that hospitals are vulnerable to such record alterations."

Turnage said Xgroup is a relatively new brand without any known direct attributions to cyberattacks. The group does market itself as being able to "ruin someone's life" through hacking social media accounts and financial accounts. 

Researchers with DarkOwl said the group has also posted "recruitment" advertisements across malware and "hacking" forums for personnel with penetration testing and criminal hacking experience.

While the scam is focused mostly on pilfering information from vaccine-hesitant victims, Turnage noted that ransomware-as-a-service gangs have demonstrated they can easily exploit hospital information systems for their extortion agendas. Significant parts of the healthcare system in Ireland were brought down by a ransomware group this summer.

"Therefore, we must consider the remote possibility that this is a legitimate offer on the darknet. Hospitals in the EU should be aware of this possibility and mitigate with increased security and auditing of logs accordingly," Turnage said, adding some advice to those considering turning to the darknet for fake COVID-19 vaccination verifications. 

"Don't be foolish enough to pay anyone money for fake vaccination records (digital, paper certificate, or otherwise)."

In their report on the scam, DarkOwl researchers said Xgroup is offering to hack into EU-based local hospital digital vaccination records on behalf of their darknet customers. 

Victims submit payment along with their personal information which is supposedly added to their local hospital's vaccination records database. 

"This information is then theoretically accessible by the EU Digital Certificate application as each issuing body (e.g. hospital, test center, or health authority) has its own digital signature key that communicates with the program," the researchers wrote. "The cost for the vaccination record addition is $600 USD paid via Bitcoin."

According to DarkOwl, Xgroup hosts a dedicated V3 hidden service on Tor where they advertise their solutions widely. The researchers could find no proof that the group can follow through with their claims after tracking them since July. 

The offers only apply to EU citizens because the US does not have a nationwide COVID-19 vaccine record system, but DarkOwl noticed that the service being offered by the cybercriminals uses US mailing address formats and lists the price in US dollars. 

Since COVID-19 emerged, scammers have used it as a way to trick people into sending them money and information in exchange for fraudulent cures or protection schemes. 

Cybercriminals are now offering fake COVID-19 vaccination cards widely, and The Daily Beast reported this week that US Customs and Border Protection officials in Chicago managed to seize multiple shipments of fake vaccine cards that originated in China.

In August, researchers with Check Point found that prices for EU Digital COVID certificates as well as CDC and NHS COVID vaccine cards had fallen as low as $100. Fake PCR COVID-19 tests are also sold widely, and Check Point Research's study found groups advertising the fake vaccine verifications in forums with more than 450,000 people.  

DarkOwl was previously involved in a multi-organization effort to ensure the safe and secure transportation, storage, and distribution of the Pfizer, Moderna, AstraZeneca, and Johnson & Johnson vaccines in the United States and abroad.