Last August, federal agents searched the Redmond, Washington, laboratory of Johnny Stine, a bootleg biotechnician whom they’d been investigating since March. As they fanned across Stine’s warehouse, they encountered your typical scientist fare: lab equipment, test tubes, a microscope, but also “empty beer bottles and a surfboard,” according to a complaint made public by the Food and Drug Administration in January. Throughout 2020, Stine had been selling homemade covid-19 “vaccines” for $400 a pop—having expanded into a new market after years of peddling home-brewed cancer “treatments.” By the time he was arrested and his property raided, Stine told investigators that he “had vaccinated 50-100 individuals” with his covid-19 cure. At least one recipient of the bunk treatment later landed in the hospital with coronavirus. Stine’s case wasn’t only bizarre—it was also a harbinger of things to come.
The cyber frontier’s snake oil salesmen are busier than ever.
Since the beginning of the pandemic, opportunists online have capitalized on fear and desperation with quack cures and PPE mirages, raking in more than $160 million in the process. Now, as the legitimate vaccines’ rollout enters its third month, internet grifters are shifting to this year’s con: bunk vaccines. And with public immunization advancing at a glacial pace—recent estimates say herd immunity could arrive in July—counterfeiters are betting against our better impulse control. They’re building mock pharmaceutical websites, launching malware attacks, and putting marquees on the dark web: “AVAILABLE CORONA VIRUS VACCINE $250.” Some dark web posts advertised doses for $1,000. But the truth is unambiguous. According to a Pfizer spokesperson, “Patients should never try to secure a vaccine online” because “no legitimate vaccine is sold online.”
On the open web, grifters are mirroring the ramp-up of vaccine distribution with cons of all shapes and sizes—from faux healthcare providers seeking personal information, to sophisticated phishing attacks in search of unsuspecting victims, to vaccine passport fraud. One sign of this pivot is a spike of domain name registrations using the word “vaccine” in the name. According to Check Point Software, a cybersecurity company that’s been tracking coronavirus-related fraud online, more than 6,300 websites have appeared since November, about 300 of which it identified as malicious or suspicious, meaning anything from malicious code to a shady domain registrar. But scams are showing up as close as users’ email inboxes. “I have not seen this level of scale from an attack perspective—or a phishing or misinformation perspective [before],” said Mark Ostrowski, a security expert at Check Point with two decades of experience.
Meanwhile, Homeland Security Investigations has analyzed more than 10,000 websites over the last three months as part of its effort to counter pandemic-related fraud—a job that’ll likely outlive the pandemic.
Other sectors of the government have undertaken a similar effort. As part of Operation Quack Hack, the FDA said it has examined more than 1,200 websites and distributed hundreds of complaints and warning letters to companies like online marketplaces notifying them that they’re hosting fraudulent or unproven covid-19 treatments. “Building upon our previous experience with illegal online pharmacies, a team of consumer safety officers, special agents and intelligence analysts triage incoming complaints about fraudulent and unproven medical products,” an FDA spokesperson said in an email. On its website, the agency has also posted 146 warning letters it’s sent so far to help the public avoid purchasing products like “Corona Destroyer Tea” or “VIRUS BIOSHIELD.”
After all, from the digital swindler’s perspective, we’re a bunch of sitting ducks. Since last March, ecommerce has exploded, by one measure growing by 40 percent compared to 2019. Now, a few websites replace the supermarket—or the drug store; products that aren’t usually purchased online become a daily feature of digital shopping carts. “This is prime real estate for counterfeiters,” said Jay Kennedy, an associate professor at Michigan State University’s Center for Anti-Counterfeiting and Product Protection. And for some of this transition, the government’s information on covid-19 seemed at war with itself: mask or no mask? Hydroxychloroquine or Remdesivir? “Once there is some ambiguity in terms of a message, when consumers are going online to get information or products, counterfeiters are operating in a largely unguarded space,” he noted.
In other words: It might be easy to think that only a fool could fall for one of these schemes, but society’s relationship with the internet shifted considerably over the last year. We’re all potential victims.
What’s more, as covid-19 vaccines become more available, the torrent of online vaccine scheduling opens up vulnerabilities to a phishing attack or malware. Say, the CVS down the street receives an inventory of vaccines, Ostrowski suggests. Someone looking for the location’s digital storefront to register for a vaccine might wander onto a site with a slightly-misspelled version of the real URL: “A look-alike domain that’s redirecting people to enter in their personal information to sign up for a vaccine,” he said.
Last December, the Department of Justice seized a pair of webpages: mordernatx.com and regeneronmedicals.com. They were masquerading as the sites of two legitimate biotechnology companies—modernatx.com and regeneron.com—with similar spellings and identical imagery. According to the DOJ, “[T]he logos, markings, colors, and text of the mordernatx.com webpage showed no substantive differences from the genuine company website’s landing page.” Despite its appearance, the website was registered in Malaysia and apparently created to capture the personal data of visitors “for nefarious purposes, including fraud, phishing attacks, and/or deployment of malware,” according to a department release. Those sites no longer pose a threat, but they’re small potatoes when fake pharmaceutical domains are created by the thousands. “It’s cheap and easy to do,” said Kennedy, explaining the mindset of bad actors: “I’m going to put up 1,000 websites; if you take down 20% that’s fine, it’s just the cost of doing business. I’m getting enough traffic and making enough money off the other sites that I can afford to keep putting these things up ad nauseam.”
The fate of the remaining 80% of the sites is downright Darwinian: Fraudsters will take the characteristics of the most successful websites—the aesthetic, the advertising, the pricing structure—and plug it into the next generation of sites. “This is where counterfeiters learn,” said Kennedy. The reproduction rate of fake pharmaceutical sites can be difficult to keep up with for law enforcement, he posits, calling site seizures “the epitome of whac-a-mole.”
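When look-alike domains such as mordernatx.com (for modernatx.com) and regeneronmedicals.com (for regeneron.com) are registered by the thousands, defenders screen new names against a brand list automatically. The Python below is an added example, not part of the original article or any agency's tooling; the two-edit threshold, the naive split into the last two labels (no public-suffix list) and all function names are assumptions.

```python
# Added example: flag domain names that imitate known brand domains.
# Brand and look-alike names are those quoted in the article; everything
# else (thresholds, function names, extra sample names) is constructed.

BRANDS = ["modernatx.com", "regeneron.com"]


def split(domain: str):
    """Return (second-level label, last-two-label domain), lowercased."""
    tail = domain.lower().rstrip(".").split(".")[-2:]
    return tail[0], ".".join(tail)


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify(domain: str, brands=BRANDS, max_edits: int = 2):
    """Return (brand, reason) if the domain imitates a brand, else None."""
    cand, registrable = split(domain)
    if registrable in brands:
        return None  # the genuine domain (or a subdomain of it)
    for brand in brands:
        name = split(brand)[0]
        if cand == name:
            return brand, "same name, different TLD"
        if osa_distance(cand, name) <= max_edits:
            return brand, "typo"
        if name in cand:
            return brand, "brand embedded"
    return None


if __name__ == "__main__":
    for d in ["mordernatx.com", "regeneronmedicals.com", "www.modernatx.com", "example.org"]:
        print(d, "->", classify(d))
```

A fixed two-edit threshold produces false positives for very short brand names, so a real watchlist would scale it to the name's length.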
But somebody has to push the boulder up the hill. Last November, ICE-HSI launched Operation Broken Promise 2.0, a joint effort with pharma companies and academia to counter the threat posed by quack vaccines and cures. According to Michael Alfonso, an ICE-HSI agent assigned to the covid-related fraud investigative effort, seizing a website after identifying it as fraudulent can take from hours to days. The most direct way is to contact the domain registrar directly, a process that, at its fastest, takes six hours. Less often, if HSI needs to marshal the forces of criminal justice for a seizure, it works with an attorney general or jurisdictional prosecutors to procure a warrant for the service provider. “Those often take days to do,” he said. “There’s a lot that goes into it.” But sometimes, he said, “We’ll go down that rabbit hole before we seize it, often.” That was the case last month when HSI conducted a sting in Baltimore, Maryland, after scammers behind a fake Moderna website offered federal agents 200 vaccine doses for $6,000.
Another chief concern for the feds lies further beneath the surface: the dark net, where greater anonymity makes HSI’s job “a challenge,” admits Alfonso. There, bunk vaccines are available beside an inventory of drugs and guns. But that’s the thing: the guns and drugs are authentic, and the fact that felony-level contraband is available lends a veneer of credibility to the internet’s highway underpass. “There’s this expectation that you can go onto these marketplaces and websites and be able to actually acquire goods,” said Ostrowski. “This kind of expectation that it’s not all just scams.”
Further complicating everything is the hopeful rapid expansion of vaccine distribution in the coming weeks. Only two vaccines are currently available in the U.S., and Pfizer’s is so fragile to temperature that theft just about guarantees spoilage. Yet other, less ornery options are due for FDA emergency authorization soon. Once they’re more widely available, the larger (but still inadequate) total supply of vaccines creates an opportunity for supply line disruption—the theft of the real thing. Last month, several vaccine doses were stolen from a hospital in Mexico. If there’s a public perception that actual doses are suddenly appearing alongside the fake ones, the situation can degrade even further. “That gives some plausibility to the authenticity of what they’re selling” on the black market, said Nikos Passas, the co-director of Northeastern University’s Institute for Security and Public Policy. If that becomes the case in the U.S., the prospect of coming across the real deal while web browsing creates even greater incentive and danger for whoever is willing to click.
Will Peischel is a writer who sometimes asks good questions, as seen in Mother Jones, Vox, High Country News, and others.