RSS Security

❌ About FreshRSS
There are new articles available, click to refresh the page.
Before yesterdayMcAfee Blogs

“Fool’s Gold”: Questionable Vaccines, Bogus Results, and Forged Cards

11 May 2021 at 04:01
By: Anne An


Countries all over the world are racing to achieve so-called herd immunity against COVID-19 by vaccinating their populations. From the initial lockdown to the cancellation of events and the prohibition of business travel, to the reopening of restaurants, and relaxation of COVID restrictions on outdoor gatherings, the vaccine rollout has played a critical role in staving off another wave of infections and restoring some degree of normalcy. However, a new and troubling phenomenon is that consumers are buying COVID-19 vaccines on the black market due to the increased demand around the world. As a result, illegal COVID-19 vaccines and vaccination records are in high demand on darknet marketplaces.

The impact on society is that the proliferation of fraudulent test results and counterfeit COVID-19 vaccine records pose a serious threat to public health and spur the underground economyIndividuals undoubtedly long to return to their pre-pandemic routines and the freedom of travel and behavior denied them over the last year. However, the purchase of false COVID-19 test certifications or vaccination cards to board aircraft, attend an event or enter a country endangers themselves, even if they are asymptomatic. It also threatens the lives of other people in their own communities and around the world. Aside from the collective damage to global health, darknet marketplace transactions encourage the supply of illicit goods and services. The underground economy cycle continues as demand creates inventory, which in turn creates supply. In addition to selling COVID-19 vaccines, vaccination cards, and fake test results, cybercriminals can also benefit by reselling the names, dates of birth, home addresses, contact details, and other personally indefinable information of their customers. 

Racing Toward a Fully Vaccinated Society Along with a Growing Underground Vaccine Market

As we commemorate the one-year anniversary of the COVID-19 pandemic, at least 184 countries and territories worldwide have started their vaccination rollouts.[1] The United States is vaccinating Americans at an unprecedented rate. As of May 2021, more than 105 million Americans had been fully vaccinated. The growing demand has made COVID-19 vaccines the new “liquid gold” in the pandemic era.

However, following vaccination success, COVID-19 related cybercrime has increased. COVID-19 vaccines are currently available on at least a dozen darknet marketplaces. Pfizer-BioNTech COVID-19 vaccines (and we can only speculate as to whether they are genuine or a form of liquid “fool’s gold”) can be purchased for as little as $500 per dose from top-selling vendors. These sellers use various channels, such as Wickr, Telegram, WhatsApp and Gmail, for advertising and communications. Darknet listings associated with alleged Pfizer-BioNTech COVID-19 vaccines are selling for $600 to $2,500. Prospective buyers can receive the product within 2 to 10 days. Some of these supposed COVID-19 vaccines are imported from the United States, while others are packed in the United Kingdom and shipped to every country in the world, according to the underground advertisement.

Figure 1: Dark web marketplace offering COVID-19 vaccines

Figure 2: Dark web marketplace offering COVID-19 vaccines

A vendor sells 10 doses of what they claim to be Moderna COVID-29 vaccines for $2,000. According to the advertisement, the product is available to ship to the United Kingdom and worldwide.

Figure 3: Dark web marketplace offering COVID-19 vaccines

Besides what are claimed to be COVID-19 vaccines, cybercriminals offer antibody home test kits for $152 (again, we do not know whether they are genuine or not). According to the advertisement, there are various shipping options available. It costs $41 for ‘stealth’ shipping to the United States, $10.38 to ship to the United Kingdom, and $20 to mail the vaccines internationally.

Figure 4: Dark web marketplace offering COVID-19 test kits

Proof of Vaccination in the Underground Market

On the darknet marketplaces, the sales of counterfeit COVID-19 test results and vaccination certificates began to outnumber the COVID vaccine offerings in mid-April. This shift is most likely because COVID-19 vaccines are now readily available for those who want them. People can buy and show these certificates without being vaccinated. A growing number of colleges will require students to have received a COVID-19 vaccine before returning to in-person classes by this fall.[2] Soon, COVID-19 vaccination proof is likely to become a requirement of some type of “passport” to board a plane or enter major events and venues.

The growing demand for proof of vaccination is driving an illicit economy for fake vaccination and test certificates. Opportunistic cybercriminals capitalize on public interest in obtaining a COVID-19 immunity passport, particularly for those who oppose COVID-19 vaccines or test positive for COVID-19 but want to return to school or work, resume travel or attend a public event. Counterfeit negative COVID-19 test results and COVID-19 vaccination cards are available for sale at various darknet marketplaces. Fake CDC-issued vaccination cards are available for $50. One vendor offers counterfeit German COVID-19 certificates for $23.35. Vaccination cards with customized information, such as “verified” batch or lot numbers for particular dates and “valid” medical and hospital information, are also available for purchase.

One darknet marketplace vendor offers to sell a digital copy of the COVID-19 vaccination card with detailed printing instructions for $50.

Figure 5: Dark web marketplace offering COVID-19 vaccination cards

One vendor sells CDC vaccination cards for $1,200 and $1,500, as seen in the following screenshot. These cards, according to the advertisement, can be personalized with details such as the prospective buyer’s name and medical information.

Figure 6: Dark web marketplace offering COVID-19 vaccination cards

Other darknet marketplace vendors offer fake CDC-issued COVID-19 vaccination card packages for $1,200 to $2,500. The package contains a PDF file that buyers can type and print, as well as personalized vaccination cards with “real” lot numbers, according to the advertisement. Prospective buyers can pay $1,200 for blank cards or $1,500 for custom-made cards with valid batch numbers, medical and hospital details.

Figure 7: Dark web marketplace offering COVID-19 vaccination cards

One vendor offers counterfeit negative COVID-19 test results and vaccine passports to potential buyers.

Figure 8: Dark web marketplace offering negative COVID-19 test results and vaccination cards

A seller on another dark web market sells five counterfeit German COVID-19 certificates for $23.35. According to the advertisement below, the product is available for shipping to Germany and the rest of the world.

Figure 9: Dark web marketplace offering German COVID-19 vaccination certificates


The proliferation of fraudulent test results and counterfeit COVID-19 vaccine records on darknet marketplaces poses a significant threat to global health while fueling the underground economyWhile an increasing number of countries begin to roll out COVID-19 vaccines and proof of vaccination, questionable COVID vaccines and fake proofs are emerging on the underground market. With the EU and other jurisdictions opening their borders to those who have received vaccinations, individuals will be tempted to obtain false vaccination documents in their drive to a return to pre-pandemic normalcy that includes summer travel and precious time with missed loved ones. Those who buy questionable COVID-19 vaccines or forged vaccination certificaterisk their own lives and the lives of others. Apart from the harm to global health, making payments to darknet marketplaces promotes the growth of illegal products and services. The cycle of the underground economy continues as demand generates inventory, which generates supply. These are the unintended consequences of an effective global COVID vaccine rollout. 

[1] https[:]//

[2] https[:]//

The post “Fool’s Gold”: Questionable Vaccines, Bogus Results, and Forged Cards appeared first on McAfee Blogs.

How Chinese Cybercriminals Use Business Playbook to Revamp Underground

11 February 2020 at 05:01
By: Anne An


Because of its longevity and technical sophistication, the Russian cybercriminal underground has long been the benchmark for threat researchers focused on studying cybercrime tactics and techniques; there is a plethora of publications dedicated to analyzing its economy and hacking forums. However, only a handful of studies have centered on the emerging threats and trends from other, less prominent, cybercriminal undergrounds.

Recent data shows that the Chinese cybercriminal underground’s profits exceeded US$15.1 billion in 2017, while causing more than $13.3 billion worth of damage relating to data loss, identity theft and fraud. Over the years, the McAfee Advanced Programs Group (APG) has observed Chinese non-state threat actor groups gradually transform from small local networks targeting mostly Chinese businesses and citizens to large, well-organized criminal groups capable of hacking international organizations.

The development of commercial-scale exploit toolkits and criminal networks that focus on monetization of malware have amplified the growing risks of cybercrime in the Asia Pacific region to include a DDoS attack against the People’s Bank of China in December 2013, a $1 billion SWIFT hack against Bangladesh Bank in February 2016 and a $60 million theft from Far Eastern International Bank in Taiwan in October 2017, to name just a few.

This blog provides a rare glimpse inside the Chinese cybercriminal underground. Analyzing its current business models and techniques has yielded insights into the drastic changes in its operations, including the tactics and strategies it is borrowing from Russian cybercriminals.

Timeline: The Rise of the Chinese Cybercriminal Underground

China established its first cable connection to the world wide web in 1994, around the same time as cybercrime syndicates from Russia and other emerging cybercriminal undergrounds were executing their first major cybercrimes. Chinese leaders have since prioritized the development and acceleration of Internet technologies and, today, the size of China’s Internet use is massive and unparalleled at 800 million users.

However, this growth in Internet usage is not without irony as it has been accompanied by a significant increase in cybercriminal activity. Despite the Chinese government placing high importance on running one of the world’s most sophisticated Internet censorship systems, local cybercriminals are finding workarounds that contribute to China having one of the fastest growing cybercriminal underground economies.

China’s cybercrime enterprise is large, lucrative and expanding quickly. According to 2018 Internet Development Statistics, China’s cybercriminal underground was worth more than US $15 billion, nearly twice the size of its information security industry. The same Chinese-language source also shows that China’s cybercrime is growing at a rate of more than 30 percent a year. An estimated 400,000 people work in underground cybercriminal networks.

Changes in Tactics, Techniques and Procedures

In order to quickly scale up their businesses and maximize return on investment (ROI), Chinese cybercriminals have continuously adapted their tactics, techniques and procedures (TTPs). One significant change is that Chinese cybercriminals are slowly moving away from a high degree of one-to-one engagement through China’s popular QQ instant messaging platform to now establishing more formal cybercriminal networks. These networks use centralized advertising and standard service processes similar to Russian and other more sophisticated cybercriminal underground forums. Cybercriminals can access these centralized networks hosting on the deep web to post their products and services. A large amount of stolen data is available via automated services, where carders can order the credit and debit card information they want without having to interact with another user. With regard to hacking services, Chinese cybercriminals also offer modules for prospective clients to fill out their service requests, including types of attacks, target IP addresses, desirable malware or exploit toolkits and online payment processing. Through establishing a standardized model of sale, Chinese cybercriminals can expand their activity quickly without incurring additional overhead costs.


Similar to other prominent cybercrime underworlds, Chinese cybercriminal underground markets are focused on providing excellent customer service. Many of the hackers expand their working hours to include weekends and even provide 24/7 technical support for customers who do not have a technical background. Distributed Denial of Service (DDoS) botnets, traffic sales, source code writing services, email/SMS spam and flooding services are available on the Chinese black markets.

Despite government censorship, a small number of Chinese cybercriminals still use dark web marketplaces to offer their services and products. Those marketplaces are typically specialized in the commercialization of stolen personally identifiable information (PII), bank accounts with high balances, hacking services, and malware customization. However, these darknet markets or hacking forums are not easily accessible because the Chinese government blocks the Tor anonymity network. A large number of Chinese cybercriminals continue to use exclusive and opaque QQ groups, Weibo fora and Baidu Teiba for advertising and communication. Chinese cybercriminals are also active on the clearnet. To avoid government censors and crackdowns, Chinese cybercriminals extensively use slang or other linguistic tactics for communication and advertising, which can be difficult for outsiders to comprehend. For instance, Chinese cybercriminals call a compromised computer or server “chicken meat.” Stolen bank accounts, credit card passwords, or other hijacked accounts are referred to as either “letters” or “envelopes.” Malicious websites and email accounts used for credential phishing attacks or spamming are referred to as “boxes.” Stolen information or details stored in the back of the magnetic stripe of a bank card are referred to as “data”, “track material” or simply “material.”

Moving Operational Base Abroad

Another noticeable trend is that an increasing number of Chinese cybercriminal gangs are moving their operational base abroad, using cryptocurrencies to launder money. They appear to prefer countries and jurisdictions with weak cybercrime legislation or weak enforcement, such as Malaysia, Indonesia, Cambodia and the Philippines. Since 2017, China’s Ministry of Public Security has uncovered over5,000 cases of cross-border telecommunication fraud involving more than US $150 million. Some of the cybercriminal groups are highly structured and work as traditional mafia-like groups that engage delinquent IT professionals; some Chinese cybercrime gangs are well-structured with clear divisions of labor and multiple supply chains. Members are typically located in close geographic proximity, even when the attacks are transnational.

Unique Culture and Practices

Chinese hackers employ different payment methods, recruiting strategies, and operating structures from other cybercriminal undergrounds. AliPay and bank transfers are the generally accepted payment methods advertised by Chinese-language hacking forums; many other forums typically prefer Monero and Bitcoin.

The “Master-Apprentice Mechanism,” which is a form of mentorship, plays a significant role in the Chinese hacking communities. Many Chinese hacker groups utilize the strategy to recruit new members or make profits. As shown in the following graph, QQ hacking group masters, usually masterminds of an organized crime group or an administrator of a hacking community, collect training fees from the members they recruit. These members, known as “apprentices” or “hackers-in-training” are required to participate in multiple criminal “missions” before they complete the training programs. Once training is complete, they are eligible to upgrade to full-time hackers working for their masters and responsible for downstream operations, such as targeted attacks, website hacking and database exfiltration.

Figure 2: Master-Apprentice Mechanism (Source: Author)

Growth of Chinese Cybercrime

The Chinese cybercriminal underground has gone through drastic changes over the years. It gradually transformed from small local networks, targeting mostly Chinese businesses or citizens, to larger and well-organized criminal groups capable of hacking international organizations. My research indicates that there has been a growing threat activity targeting individuals and organizations in South Korea, Taiwan, Singapore, Germany, Canada and the United States. Chinese cybercriminals offer a wide variety of goods and services, ranging from physical counterfeit of US and Canadian driver’s licenses, scans of counterfeit US and Canadian driver’s licenses, US cell phone numbers, credit cards and identification cards to stolen social media and email accounts.

Figure 3: Growth of Chinese cybercrime (Source: Author)

As shown in the following screenshots, 1 million stolen US emails accounts with encrypted passwords are selling for US $117; 1.9 million stolen German email accounts with clear text passwords are available on the Chinese black market for US $400. Counterfeit or scans of US or Canadian passports or drivers licenses are also for sale for as little as US $13.

Figure 4: 1 million US email accounts with encrypted passwords are for sale in the Chinese cybercriminal underground
Figure 5: 1.9 million stolen German email accounts with clear text passwords are for sale in the Chinese cybercriminal underground
Figure 6: Chinese cybercriminals sell physical counterfeit of Canadian driver’s licenses

As shown in the following screenshot, Chinese hackers are also selling stolen personal data, including identification cards and passports from Taiwan and South Korean citizens.

Figure 7: Stolen PII from Taiwanese citizens, including national identification numbers, physical addresses, cell phone numbers, etc. are for sale in the Chinese cybercriminal underground
Figure 8: Chinese hackers selling 17 million South Korean national identification numbers

Login credentials for banks around the world are available on the Chinese cybercriminal underground market, and the higher the available balance of an account, the higher its selling price. Packages of hacked accounts from major US social media companies and networking platforms, gaming service providers, as well as media service providers are sold for as little as US $29 in the underground cybercrime market. These social media accounts are sometimes hacked with the intention of using them as a way to generate fake accounts to ensnare even more web users. A large number of email accounts from Taiwanese (i.e., and South Korean email service providers (i.e.,, are being sold on the Chinese black market.

Increasingly Difficult to Separate Cybercrime From Cyberespionage Activity

As the Chinese cybercriminal underground quickly expands its scope and sophistication, it is increasingly difficult to separate cybercrime from cyber espionage activity. This is especially true as I observe that Chinese cybercriminals offer services to spy on businesses and sell commodities that can be used to target businesses or government officials for economic and political espionage purposes. One of the most interesting items I found for sale in the Chinese cybercriminal underground is a full business dossier on Chinese companies and government agencies. Some Chinese hackers sell internal employee directories from high-profile technology companies. Chinese cybercriminals appear to work with malicious insiders or hire hackers to work as undercover agents inside of telecommunications service providers, financial services and technology companies to steal company secrets or other proprietary information. Documents include detailed contact information of CEOs and senior management from China’s top 50 companies. Other business proprietary information, such as credentials associated with a company’s various bank accounts, funding history, marketing strategies, and Tax Identification Number (TIN) are also available for sale on the black market. Malicious actors can use the above-mentioned information to launch targeted attacks against a business or leverage third-party vulnerabilities, such as trusted financial services, staffing firms and IT service providers to infiltrate a target system.


China’s cybercrime networks are rapidly growing in scope and sophistication. Compared to my earlier research paper on China’s cybercriminal underground from three years ago, Chinese cybercriminals have begun to embrace a sophisticated business-model approach and develop complex hierarchies, partnerships and collaboration with cybercriminal groups at home and internationally. These globally operating and organized cybercrime networks are basing themselves in countries with weak legal systems and law enforcement, while taking full advantage of global Internet connectivity to attack targets worldwide. A growing number of Chinese cybercriminals from these networks leverage the deep web to host their infrastructure and sell illegal goods and services, instead of relying on traditional peer-to-peer engagement through the QQ platform. To accelerate profitability, the Chinese hacking community has adopted tactics and techniques similar to Russian and other prominent cybercriminal underground markets to become more structured and service-oriented. In contrast, the Russian cybercriminal networks have been known for their multi-faceted criminal organizational structure specialized in monetizing PII theft and financial fraud. Yet, China’s cybecriminal underground, on the other hand, has placed greater emphasis on community and discipleship in achieving financial gains. Many of China’s cybercriminal networks incorporate this discipleship, also known as the “master-apprentice mechanism”, into a recruiting strategy that is largely different from their Russian counterparts. As China’s cybercrime continues to evolve and advance, international organizations operating in the Asia Pacific region are facing an expanding threat landscape from cybercriminal activity targeting high-value business assets. Intellectual property and identity theft can also cause substantial economic consequences.

The post How Chinese Cybercriminals Use Business Playbook to Revamp Underground appeared first on McAfee Blogs.