Since the onset of the COVID-19 pandemic, DomainTools Research has kept an eye on all new COVID-themed domain registrations, producing our COVID-19 Threat List and uncovering CovidLock, a COVID-themed Android ransomware APK that preyed on users’ fear of the virus. During the course of this research, the DomainTools Research team opened the floodgates on COVID-related domains in order to continuously monitor and analyze which domains are spun up on a daily basis. Each day, some 300,000 domains are registered, and a small subset of those are pandemic-related.
As the pandemic has evolved, these themes have shifted from conjuring fear and uncertainty about the virus to personal protective equipment (PPE) and, at present, to a range of vaccine information or misinformation. Most of these domains are benign; in fact, most never leave a domain parking page, but some go on to host phishing pages or sell counterfeit vaccines. With vaccinations on the rise and many choosing to “opt out” of the vaccine, a new trend in counterfeit vaccination cards has arisen, including UK-themed cards for sale on eBay.
CDC Vaccination Record Cards
Starting January 31st, 2021, the first Shopify-backed store observed by the DomainTools Research team began selling US-themed CDC cards through covid-19vaccinationcards[.]com, which redirects to vaccination-cards[.]com. Individual proof-of-vaccination cards sell for $20 USD apiece, or a four-pack for $60 USD. While the covid-19vaccinationcards[.]com domain is just a simple redirect hosted on Google, the vaccination-cards[.]com domain features a Let’s Encrypt TLS certificate with the accompanying SHA hash of 7fea9a4003128cdc442394488781995817a52df0dc948d9ba0e7e3226195ba62 at the time of this writing.
Though selling a printed card is not necessarily illegal, the pricing, logo, and cardstock of these “vaccination records” demonstrate a level of intent to pass as legitimate cards from the CDC. The DomainTools Research team has reached out to Shopify regarding this site and is monitoring for similar instances of COVID-19 vaccine cards.
Screenshot from vaccination-cards[.]com on February 1, 2021.
With no nationwide, or even international, database for verifying vaccinations in place, the record cards are the sole source to corroborate that an individual has been vaccinated. We are already seeing between 20% and 40% of healthcare workers opting not to take the vaccine and 13% of adults saying they will never take the vaccine. As cities begin opening up for those who have been vaccinated, we believe there will be enhanced demand and incentive for counterfeit card production. Social media is flooded with pictures of vaccination cards as the excited and eligible get their vaccinations. This gives would-be fraudsters a chance to copy details such as batch numbers and other information that would be used for individual verification of vaccination. Government agencies are already asking that vaccinated individuals take down any photographs they’ve posted due to the amount of data on each card and its inherent value to fraudsters.
This isn’t the first time the DomainTools Research team has seen COVID-themed Shopify stores. Since the beginning of 2021, there are over 350 COVID-themed Shopify stores online with domains like 15minrapidcovidtests[.]com registered on January 5th, 2021, or 2021vaccinatedshirt[.]com registered on January 4th, 2021. In fact, if we analyze domain data from DomainTools and look for COVID-themed Shopify stores back to January of 2020, near the beginning of the pandemic, we then see over 18,500 stores registered that are selling everything imaginable, from bracelets that say “I’ve Been Vaccinated” to likely-fraudulent rapid home tests to shirts with images of the COVID-19 virus under a microscope.
Screenshot from covid-19vaccinebracelet[.]com February 1, 2021
While many of the things sold in these stores are not illegal, a number of items are not what they seem. Many stores have been caught selling non-medical grade masks listed as medical grade or PPE that is not up to specification. This continues to be a problem for many hospitals, as they have had to source their own PPE from a number of creative places while production still hasn’t come up to what they need. We urge any user shopping on these stores to keep in mind that what they are purchasing may not be what the website claims, as much of what is sold through these Shopify stores is drop-shipped from China without ever being inspected by those who set up the website.
The DomainTools Research team continues to monitor the ever-changing landscape of COVID themes in domain registration and the threats that sit behind them. This shift can best be seen with the change in interest from domains registered using the term “covid” early in the pandemic to domains using the term “vaccine” much later after vaccine research had been announced.
Plot of Term “covid” in Domains Since January 2020
Plot of Term “vaccine” in Domains Since January 2020
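The per-term trend behind these two plots can be rebuilt from any registration feed. The following is an added example, not DomainTools' own code: the feed format (ISO registration date, domain), the rows marked as constructed, and matching the "vaccine" theme on the stem "vaccin" (so that names such as "vaccinated" count) are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Theme -> pattern. "covid" is the literal term from the first plot; the
# "vaccine" theme uses the stem "vaccin" (assumption) because a literal
# "vaccine" match would miss names such as "vaccinated" or "vaccination".
THEMES = {"covid": re.compile(r"covid"), "vaccine": re.compile(r"vaccin")}

def refang(domain):
    """Undo the [.] defanging used in reports and normalise case."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def matched_themes(domain):
    """Return the set of themes found in the domain, ignoring its TLD."""
    labels = refang(domain).split(".")[:-1]   # a name with no dot yields no labels
    text = "".join(labels).replace("-", "")   # hyphen-split terms still match
    return {name for name, pattern in THEMES.items() if pattern.search(text)}

def monthly_counts(feed):
    """Count themed registrations per month from (iso_date, domain) rows."""
    counts = defaultdict(Counter)
    for registered, domain in feed:
        themes = matched_themes(domain)
        if themes:                            # skip unrelated registrations
            month = date.fromisoformat(registered).strftime("%Y-%m")
            counts[month].update(themes)
    return {month: dict(c) for month, c in sorted(counts.items())}

# Sample feed: the first two rows use domains and dates given in the article;
# the remaining rows are constructed for illustration.
SAMPLE_FEED = [
    ("2021-01-05", "15minrapidcovidtests[.]com"),
    ("2021-01-04", "2021vaccinatedshirt[.]com"),
    ("2020-03-12", "covid-relief-example[.]com"),    # constructed
    ("2020-03-20", "example-shop[.]com"),            # constructed, unrelated
    ("2020-11-18", "vaccine-news-example[.]org"),    # constructed
    ("2021-01-09", "covid-vaccine-example[.]net"),   # constructed, both themes
]

if __name__ == "__main__":
    for month, themes in monthly_counts(SAMPLE_FEED).items():
        print(month, themes)
```

Matched names are only candidates for review; as noted above, most themed registrations never leave a parking page.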
As scams continue to shift with these new themes, we urge users to be extra vigilant when signing up for medical services online, as many phishing messages, over both text message and email, are already appearing that leverage COVID-19 vaccinations as a lure. Furthermore, we’d encourage you not to pay for anything through a web portal if it isn’t through your official healthcare provider.