Two men are currently on trial by the Paris judicial court. They were at the head of one of the largest health pass frauds in France. In total, they generated more than 117,000 false documents and pocketed several thousand euros. Here’s how they did it.
Remember, during the summer of 2021, the French government introduced the famous health pass, a certificate of vaccination against Covid-19 necessary to access cinemas, restaurants or any other public establishment capable of bringing together more than 50 people.
Fatefully, this restrictive measure quickly had its share of detractors, determined to circumvent the system. In just a few months, offers for fake health passes have multiplied on the web, giving way to a vast parallel market. In June 2023, we mentioned in our columns the case of these pirates who sold no less than 63,000 health passes during periods of confinement.
“Amateurs” compared to the twelve defendants currently on trial by the Paris judicial court. Indeed, this team would have sold more than 117,000 false health passes. Or 10% of false certificates in circulation in France, if we are to believe data from the National Health Insurance Fund. In total, the institution detected one million false health cases in France, for 150 million doses administered and 40 million people vaccinated.
Scammers exploited multi-factor authentication
Dylan and Morad, the two alleged masterminds of the operation, explain that they embarked on this vast fraud after a meeting during the summer of 2021. This acquaintance claims to be capable of producing sanitary forgeries. Enough to pique the curiosity of the two men, then in a rather precarious financial situation (one is on the RSA, the other lives with his mother).
According to them, this knowledge exploited the principle of MFA Fatiguea computer attack technique which is based on a simple principle: a hacker targets a user and sends him an avalanche of authentication requests via push notifications on your smartphone.
The idea is then to make the victim break down and push them to validate one of the notifications… Which allows hackers to access his account. A perfect example social engineeringwhere the manipulation of human psychology allows scams to be set up.
Also read: Health pass – he sells fake certificates on eBay and risks 120 years in prison
Next target, the e-CPS health platform
After carrying out some research, the two accomplices realize that it is possible to generate false health certificates by compromising an e-CPS account. This is the mobile application used by health professionals to access the services of the Digital Health Agency.
But how to get an account? Hackers quickly detect the existence of a flaw in the platform’s system. Indeed, the e-CPS regularly transmits QR-Code by email or SMS based on the contact details of the nursing staff displayed on the website of the order of doctors or nurses. Sites without any security system according to the two accused.
It now remains to obtain access to the order’s website. To do this, the duo shopped at Genesis Market, a pirate platform closed in 2023 which housed thousands of identification data stolen during phishing and other campaigns. “Rather than waiting for the practitioner to validate, you put yourself in the doctor’s place,” deduces the president of the court.
54,000 fake health passes generated with a single account
Now in possession of several identifiers and passwords to access accounts on the order’s website, all that remained was to modify the telephone contact details of the health professionals with their own. In total, they hijacked the accounts of more than 30 healthcare professionals. To give you an idea, the account of a nursing executive made it possible to generate more than 54,000 false health certificates.
After revealing their modus operandi, the two men still deny having generated these falsified health passes themselves. According to them, they were content to rent access to hacked e-CPS accounts to individuals, for 3,000 euros per week. Justice will be responsible for determining their responsibility in this case, the conclusion of which is expected by November 30, 2023.
Source: Zdnet