The health pass no longer exists, but two counterfeiters are currently facing the judge of the 13th chamber of the Paris judicial court for having sold more than 117,000 fake health passes, obtained using well-established hacking techniques.
Established on May 31, 2021, the health pass system was stopped on August 1, 2022. In the meantime, many counterfeiters took advantage of part of the population's fear or rejection of injections to generate and sell fake health passes: a way for buyers to evade the measures put in place, and for counterfeiters to profit from the situation. Unfortunately for the counterfeiters and hackers, some of them have been found and are now on trial.
From curiosity to massive fake pass trafficking
At the origin, we find Dylan and Morad, two young people from Lyon who had lost their jobs, in one case because of the health crisis, in the other because of a failure in the highly competitive Epitech "piscine" (swimming pool) test. In premises that they rent, they learn from an acquaintance, himself far removed from the world of computer hacking, that it is quite easy to obtain access and then generate false health passes.
Intrigued, the two hackers study the documentation of e-CPS, an application dedicated to health professionals that gives access to digital services. They discover that if they obtain access to registered accounts, they will be able to generate QR codes for health passes.
It is then sufficient to divert the sending of validation requests by connecting to the site of the nurses' or doctors' professional order, two platforms which, according to the accused, do not have any security worthy of the name. According to ZDNET, a single account, left abandoned by a nursing executive following training, generated more than 54,000 valid QR codes out of the 117,000 attributed to them.
Behind the traffic, easier access to stolen information
The technique presented by Morad and Dylan's acquaintance is actually derived from MFA fatigue, a strategy that targets authentication processes and aims in particular to confuse a potential victim so that, annoyed, they end up clicking on a malicious link. Once the hacking plan was established, the two friends went to Genesis Market, a platform, dismantled in the spring, that hosted a large amount of data stolen and resold by other hackers.
They rented a certain number of e-CPS accounts at $25 each, allowing the generation of more than 117,000 false passes. That represented a cost of around $3,000 per week, largely offset by the result, even if they deny having generated the QR codes themselves. Other hacker groups quickly became interested in health passes, as did other platforms taking advantage of the rise of infostealers.
Their project ended in January 2022, when two investigations, carried out by the Poitiers gendarmerie and the Lyon PJ, made it possible to trace the scheme back to them. The trial ends on November 30, and they are at risk. Last February, four people were sentenced to up to four years in prison for selling around 11,000 fake passes.
Source: ZDNET