How two young hackers generated more than 117,000 fake health passes


Initially, there were only a handful of fraudulent accesses, around twenty, sold for $25 each on Genesis Market. Ultimately, it became a massive fraud in false health passes, undoubtedly one of the largest prosecuted by the French courts, and one that illustrates the effective division of labour that exists in cybercrime.

According to the prosecution’s latest count, the twelve defendants in this case, tried a week ago by the 13th chamber of the Paris judicial court, in fact issued more than 117,000 false health passes. That is more than one in ten of the false passes reported by the National Health Insurance Fund, which identified around one million false health passes in total, against 150 million doses injected and 40 million people vaccinated.

For Dylan and Morad, the two young men suspected of being the hackers behind this massive fraud, it all started with a meeting. In the summer of 2021, in Bron, near Lyon, where they rent an “office” – a room with a TV, a sofa and their computers – an acquaintance tells them that he is capable of producing false health passes.

Curiosity piqued

The two young men are skeptical. Their acquaintance “has nothing to do with a computer hacker, it arouses my curiosity”, Dylan, a former system and network administrator on RSA welfare benefits since the health crisis, explains to the judges. Morad, his friend, is “loafing around” at his mother’s house. This young dropout, passionate about web development, has just failed the “piscine”, Epitech engineering school’s intensive entry period, for lack of sociability.

The two geeks realize that their acquaintance relies on a variant of “MFA fatigue” to produce fake health passes. This type of attack plays on the weariness of a target bombarded with authentication requests. Their curiosity piqued, Dylan and Morad delve into the public documentation available on e-CPS, the application that allows health professionals to authenticate and access the digital services of the digital health agency.

Such an account, if compromised, allows health passes to be generated. But there is a weak link, the two young men note: the QR codes are sent by email or SMS to the contact details recorded on the website of the order of doctors or nurses. Two sites without “any security or double authentication”, notes Dylan.

Genesis Market

“Rather than waiting for the practitioner to validate, you put yourself in the doctor’s place,” summarizes the presiding judge. “Yes, that’s it,” replies Morad. To hack health professionals, Dylan simply goes shopping on Genesis Market. Fed raw material by infostealer campaigns, it had become one of the hubs for the resale of credentials and login cookies.

The compromised-access resale platform was eventually dismantled in April 2023 by Europol. “You can find everything on this site,” Morad tells the judges. But “we have to specify what we want in black and white,” he adds. “We will ask [the sellers] if they have data in France, and then if they have accounts on this or that site,” Dylan continues.

Once in possession of an account on the order’s website, it is very easy for the hackers to change the healthcare professional’s email and telephone details. In total, they are suspected of having hacked the accounts of around thirty health professionals.

The account of their biggest victim alone was thus the source of more than 54,000 health passes. This nursing executive had opened an account on the order’s website for training purposes in November 2020 and had not used it since.
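The sequence the court describes leaves an audit trail on the order’s website that a defender can alert on: a long-dormant account suddenly active, its email and phone details changed, an e-CPS enrollment QR code requested minutes later, then passes issued at a volume no single practitioner produces. The Python below is an added example written for this article, not code from the case, from the order’s website or from e-CPS; the log format, event names, account identifiers, baseline dates and thresholds are all assumptions, and the log lines are constructed.

```python
"""Detection over a constructed audit log for the account-takeover pattern
described in the article. Everything here (log format, event names, account
ids, thresholds) is an assumption made for the example."""
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp|account|event|detail
SAMPLE_LOG = """\
2021-11-02T09:15:00|nurse_0412|login|ip=203.0.113.7
2021-11-02T09:16:10|nurse_0412|contact_change|email=old@example.org->new@example.net
2021-11-02T09:16:40|nurse_0412|contact_change|phone=+33600000001->+33600000099
2021-11-02T09:20:05|nurse_0412|ecps_enrollment|qr_sent_to=new@example.net
2021-11-02T10:00:00|nurse_0412|pass_issued|n=180
2021-11-02T11:00:00|nurse_0412|pass_issued|n=240
2021-11-03T08:00:00|doctor_0077|login|ip=198.51.100.20
2021-11-03T08:05:00|doctor_0077|pass_issued|n=12
2021-11-10T14:00:00|doctor_0077|contact_change|email=a@example.org->b@example.org
2021-11-12T14:00:00|doctor_0077|ecps_enrollment|qr_sent_to=b@example.org
"""

# Constructed baseline: last known activity of each account before the log window.
# nurse_0412 mirrors the article's dormant training account (unused for a year).
LAST_SEEN_BEFORE = {
    "nurse_0412": datetime(2020, 11, 15),
    "doctor_0077": datetime(2021, 10, 30),
}

ENROLL_WINDOW = timedelta(hours=24)   # contact change -> enrollment within this is suspicious
DORMANT_AFTER = timedelta(days=180)   # inactivity gap that counts as "dormant"
MAX_PASSES_PER_EVENT = 100            # assumed plausible ceiling for one practitioner


def parse_log(text):
    """Parse pipe-separated audit lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "event": event, "detail": detail})
    return events


def detect(events, last_seen_before=LAST_SEEN_BEFORE):
    """Return (rule, account, timestamp) alerts, in chronological order.

    Rules: dormant account reactivated; e-CPS enrollment shortly after the
    account's contact details were changed; pass issuance volume spike.
    """
    alerts = []
    last_contact_change = {}
    last_seen = dict(last_seen_before)
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        prev = last_seen.get(acct)
        if prev is not None and ev["ts"] - prev > DORMANT_AFTER:
            alerts.append(("dormant_account_reactivated", acct, ev["ts"]))
        last_seen[acct] = ev["ts"]

        if ev["event"] == "contact_change":
            last_contact_change[acct] = ev["ts"]
        elif ev["event"] == "ecps_enrollment":
            changed = last_contact_change.get(acct)
            if changed is not None and ev["ts"] - changed <= ENROLL_WINDOW:
                alerts.append(("enrollment_after_contact_change", acct, ev["ts"]))
        elif ev["event"] == "pass_issued":
            count = int(ev["detail"].split("=", 1)[1])
            if count > MAX_PASSES_PER_EVENT:
                alerts.append(("pass_volume_spike", acct, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, acct, ts in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {acct}: {rule}")
```

On the constructed log, only the dormant nurse account trips the rules: one reactivation alert, one enrollment-after-contact-change alert and two volume spikes, while the doctor’s contact change followed by an enrollment two days later stays below the window. The same signals suggest the controls the two defendants said were missing: step-up authentication before email or phone details can be changed, and a cooling-off period during which an enrollment QR code is not delivered to newly changed contact details.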

Arrests in January 2022

The two hackers, however, denied having generated false passes themselves. In fact, they explain, they rented access to the hacked e-CPS accounts to third parties for around 3,000 euros per week. But they were not the only ones to have identified this kind of flaw. “In the end, we were not the only ones buying this type of account” on Genesis Market, notes Morad, which pushed them to look for new compromised accesses on the Exploit.in forum.

“There are a lot of people who do health passes, not just us,” Dylan also observes in a call recorded by investigators. He then requests the revocation of a health pass, clearly the product of another team’s hacking. In another telephone recording, investigators hear him speaking with the order of doctors, a call clearly intended to understand the site’s new security procedures.

This criminal activity was finally stopped by a series of arrests in January 2022, following two investigations carried out by the gendarmes of the Poitiers research section and the Lyon judicial police. The trial of the two hackers is scheduled to end on November 30.
