Homeland Security’s Latest Target: Vaccine Scams



ARLINGTON, Va. — A team of agents from the Department of Homeland Security was combing thousands of websites scouting for evidence of the next phase of fraud schemes: offers of treatments or vaccines for the coronavirus.

One of those agents, in Jacksonville, Fla., spotted a lead on what looked like a website for Moderna, just days before the company entered the final stages of authorization by the Food and Drug Administration for emergency use of its version of the vaccine. But the website listed the wrong phone number for the company and misspelled Moderna in its web address.

The agent quickly established that the site was not owned by Moderna at all.

Given the intense global demand for protection from Covid-19, it is perhaps not surprising that law enforcement authorities are already uncovering fake sites looking to cash in on the desperate search for alternative ways to obtain a vaccine for a disease that has ravaged the world.

That work from the team of agents from the Department of Homeland Security helped secure the latest takedown of a website posted by fraudsters looking to steal personal information under the guise of offering treatments for the coronavirus — and one of the first online schemes to use the name of a company approved by the United States to distribute the vaccine.

Investigators on Friday shut down the website, which claimed to belong to Moderna but was rather a trap set up to steal personal information and potentially deploy malware, according to a statement issued by the U.S. attorney for the District of Maryland.

The team from Homeland Security Investigations, a division of Immigration and Customs Enforcement, was brought together last spring to combat online fraud that has become pervasive during the pandemic.

The efforts were first focused on fraudulent personal protective gear during widespread shortages of the needed supplies. Now the ICE mission, “Operation Stolen Promise,” has turned to fraudsters claiming to sell the vaccine, deploying special agents trained in searching the dark web to work with private health care companies in shutting down the websites.

The efforts by the investigations unit — which is working in coordination with the F.B.I., the Justice Department and Customs and Border Protection — come as the international organization Interpol warned this month that organized crime networks were looking to take advantage of the high demand for the vaccine, calling it “liquid gold.”

“You have an elderly percentage of the population that’s very concerned about getting the right products and vaccines and P.P.E., and they’re not as internet savvy so they’re more likely to fall victim to these schemes,” said Matthew Swenson, the investigation unit’s network intrusion chief for its cybercrimes center. “If you could create a perfect environment for cyberfraud, this would be it.”

Homeland security officials said there was no evidence yet of criminal groups disrupting the supply chain with actual fake vaccines. But the department told customs officers at the border to be on high alert, advising them on the appearance of approved treatments and products and directing the agents to report back to the team any import that might look suspicious.

“We don’t want to really discourage the American public from accepting vaccinations,” said Steve K. Francis, the director of Homeland Security Investigations’s Intellectual Property Rights Coordination Center. “It’s a completely secure supply chain at this point with some vulnerabilities in the treatment.”

But special agents have been pulled in to search the dark web for those claiming to sell fake vaccines on the black market. And as vaccine distribution continues in the weeks ahead, homeland security officials are anticipating that Americans will look for alternative ways to obtain a vaccine, presenting an ample opportunity for criminals who have already taken advantage of a competitive market and widespread shortages of medical equipment.

ICE, best known for its division that deports unauthorized immigrants, has investigated more than 500 cases involving counterfeit protective gear, test kits, medications or websites offering illegal vaccines and treatments. The agency conducted another nearly 240 investigations into loan fraud when online fraudsters shifted this summer to schemes claiming to issue pandemic unemployment assistance.

The work of the operation has resulted in more than 180 arrests and in the seizure of more than $27 million in illicit profits. Most of those efforts have been focused on personal protective equipment, but about two months ago, Mr. Francis called together companies that were expected to develop the vaccine to prepare for the next stage of fraud.

Mr. Francis’s team uses different methods. The agents will message a seller on the dark web, asking questions about medical gear or a treatment to gain intelligence and help build a case.

But most of the online fraudsters are setting up on traditional websites, seeking customers who want to be safe from the coronavirus.

The Justice Department blocked one of the first such websites in March when investigators discovered a site that claimed to offer World Health Organization vaccine kits in exchange for entered credit card information to pay for the costs of shipping. In July, the homeland security agents helped shut down a website offering to register users for a coronavirus vaccine that did not yet exist in exchange for $100 of Bitcoin.

And on Friday, investigators shut down websites pretending to belong to an actual biotechnology company: Moderna. The investigation into the site began after the company’s corporate security team flagged it to the homeland security team.

Such referrals happen often. But Mr. Francis’s team also has a filtering system in which agents punch in keywords, like “vaccine” or “hydroxychloroquine,” and the tool will flag hundreds of websites that require further analysis.

The team of 12 analysts will then inspect the sites to spot an error, typo or irregularity. Besides the two errors on the fake Moderna site, the display nearly mirrored the company’s actual site.

But the agents will also look up what date the online domain was established. They found that the domain name for the fake Moderna site was registered on Dec. 8.

“That’s another red flag for cyberfraud,” Mr. Swenson said as he explored the web from the property rights coordination center. “If it doesn’t have a presence on the internet, that’s usually a dead giveaway.”
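
The triage steps described above (keyword match, a misspelled brand name in the web address, a recent registration date), as an added Python example that is not from the article or from any agency tool. The domains, page text, dates, the 30-day cutoff and the edit-distance threshold of 2 are constructed assumptions.

```python
from datetime import date

BRAND = "moderna"                             # brand label to protect
OFFICIAL = {"moderna.example"}                # constructed stand-in for the real site
KEYWORDS = ("vaccine", "hydroxychloroquine")  # keywords quoted in the article
NEW_DOMAIN_DAYS = 30                          # assumed cutoff for "recently registered"

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(domain, page_text, registered, today):
    """Return the red flags raised by one candidate site."""
    flags = []
    domain = domain.lower()
    if any(k in page_text.lower() or k in domain for k in KEYWORDS):
        flags.append("keyword")
    # Assumption: the registrable name is the second-to-last label
    # (a real tool would consult the Public Suffix List).
    labels = domain.split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    if domain not in OFFICIAL and any(
            edit_distance(tok, BRAND) <= 2 for tok in name.split("-")):
        flags.append("lookalike-name")
    if (today - registered).days <= NEW_DOMAIN_DAYS:
        flags.append("new-domain")
    return flags

def rank(sites, today):
    """Order candidates for analyst review, most flags first."""
    scored = [(d, triage(d, text, reg, today)) for d, text, reg in sites]
    return sorted(scored, key=lambda s: -len(s[1]))

# Constructed sample data; none of these are real sites or real WHOIS records.
SAMPLE = [
    ("moderna.example", "Official vaccine information", date(2010, 6, 1)),
    ("modern-furniture.example", "Sofas and tables", date(2015, 3, 2)),
    ("modernna.example", "Register for your vaccine, call us", date(2020, 12, 8)),
]

if __name__ == "__main__":
    for domain, flags in rank(SAMPLE, today=date(2020, 12, 18)):
        print(f"{domain:28} {flags}")
```

The furniture domain trips the name check by itself, which is why a single flag only queues a site for an analyst; the stacked flags on the misspelled domain are what push it to the top.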

The agents will confirm with the pharmaceutical companies and other stakeholders, like the World Health Organization, that the sites are fake. ICE will then perform a “sink hole,” in which the agency can use a court order to shut down the website and replace it with a page displaying a law enforcement warning for online users.

“Moderna would refrain from commenting on ongoing security matters and precautions,” said Ray Jordan, a spokesman for the company. “But we would say we are grateful for the collaboration with the U.S. government in the process of developing our Covid-19 vaccine candidate, from the perspectives of career scientists as well as logistics and security experts.”

It is not a perfect science.

If someone hosts their website through a company in a foreign country with a fractured relationship with American law enforcement, there may be nothing the analysts, even with a court order, can do.

“The criminals aren’t just buying them one at a time, two at a time,” Mr. Swenson said, referring to website domains. “They’re buying them in groups of 50 or 100. We take down 100 and they go buy 50 or 100 more. It makes it very difficult to stay ahead of the game.”