A group of business email compromise (BEC) Nigerian scammers has been targeting U.S. unemployment systems and COVID-19 relief funds provided through the CARES Act.
The threat actor, which researchers call Scattered Canary, used the IRS and state unemployment websites to file hundreds of fraudulent claims on behalf of U.S. citizens, and receive benefit payments.
Exploiting Gmail feature
Scattered Canary used social security numbers and personally identifiable information from identity theft victims to create fake accounts on websites for processing CARES? Act payments.
By taking advantage of a feature in Gmail, they were able to use for the fraudulent claims variations of the same email address. Replies to any of those addresses would be delivered to a single Gmail account, though.
This works because Google does not read the dots in usernames and treats addresses that are visually different as belonging to the same user. Using Google’s example, sending messages to the addresses below will reach the same account:
The Agari Cyber Intelligence Division (ACID), a company that offers protection against advanced email attacks, identified 259 different variations of a single address that was used by Scattered Canary for this large-scale fraudulent activity.
Hundreds of fraudulent claims
The researchers found that the BEC scammers over two weeks (April 15-29) filed through the website set up by the IRS at least 82 fraudulent claims for CARES? Act for financial relief caused by the COVID-19 pandemic.
Of the 82 claims, at least 30 passed verification and likely paid, the researchers say in a report today.
At least 174 fraudulent claims for unemployment were filed by the threat actor since April 29 in Washington. The scammer received notifications regarding the amount they were eligible to receive based on previous year earnings.
One email from the Washington Employment Security Department (ESD) informed them that they could receive up to $790 each week.
The researchers found that Scattered Canary also filed 17 unemployment claims in Massachusetts on May 15 and 16, and based on their visibility, all were accepted. Each claim is eligible for a different sum, with a maximum weekly benefit of $823.
In Hawaii, where such activity has not been reported previously, the fraudsters filed two unemployment claims on May 17.
Old scammers know how to cash in
The illegal payments are cashed through Green Dot prepaid cards, which can be used to receive government benefits up to four days in advance.
Agari identified 47 such cards, all set up in the name of the same person Scattered Canary defrauded.
Recently, the U.S. Secret Service issued an alert regarding a spate of fraudulent unemployment claims across the country, listing Washington as the most targeted state, followed by North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming, and Florida.
Scattered Canary is likely one of the groups involved in these illegal schemes. The group has been in this business for at least 11 years, its activity focusing on various types of fraud (tax, unemployment, disaster relief, student aid, social security), romance scams and fake jobs for money muling.
Agari has been tracking the actor since its early days, as it started as a one-man operation running Craigslist scams. It soon moved to romance scams