8 states targeted in CARES Act scams by a cybercrime group


Scattered Canary has taken more than $4 million in unemployment benefits and federal funding through several scams, according to the Secret Service and cybersecurity company Agari.

At least eight U.S. states and the federal government have lost millions of dollars as a result of cyber scams targeting unemployment benefits and funding from CARES Act money, according to the Secret Service and cybersecurity company Agari. In a report that has been making headlines all week, Agari CEO and founder Patrick Peterson said Scattered Canary, a cybercrime group that the company traced to Nigeria, was able to defraud the IRS and state governments into sending more than $4 million to fraudulent accounts.

As a result of the economic crisis caused by the coronavirus pandemic, states have come under pressure to get money to the more than 34 million Americans who are now unemployed. Most states have received a staggering number of applications for funding, making it virtually impossible for short-staffed organizations to scrutinize every application. More than $48 billion in unemployment insurance payments were issued by states during the month of April.

Cybercriminals with Scattered Canary have taken advantage of the situation, according to Peterson, who wrote that the group submitted more than 80 false claims for CARES Act Economic Impact Payments and even more claims for unemployment insurance in Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, Wyoming and, more recently, Hawaii.

Unfortunately, the IRS and some states had already paid out the money before being told that the claims were filed in the names of people whose personal information was stolen or misused by hackers inside Scattered Canary.

“Between 15 April and 29 April, Scattered Canary submitted at least 82 false claims for the CARES Act Economic Impact Payments, which aim to provide relief to families due to the COVID-19 pandemic. The same information that Scattered Canary needs to file these claims were the name, address, date of birth, and Social Security number of an individual. Of the 82 Scattered Canary claims filed, at least 30 were accepted by the IRS and may have been paid out,” Peterson wrote.


Agari researchers have been looking into Scattered Canary's activity for years after the company's CFO was targeted in 2022. The company traced the Scattered Canary boss back to Ibadan, Nigeria and discovered that he first started out as a low-ranking Craigslist scammer in the early 2000s before moving into lucrative “romantic scams”.

Following his success, he moved on again to Business Email Compromise attacks and attempts to defraud government agencies in the US through “unemployment fraud, Social Security fraud, disaster relief fraud, and student support fraud,” said Peterson.

The group is now making millions in a number of different ways as a result of the COVID-19 outbreak.

Peterson said that since April 29, the group has filed nearly 180 unemployment claims in Washington state and that, added to the money raised through CARES Act scams, they stand to collect around $4.7 million. The situation got so bad that the state halted all unemployment payments last week because it received so many false claims.

“The payment system appears to be automated, as there does not appear to be a balance or check process with the information provided to state government systems when it comes to fake email addresses,” said James McQuiggan, security awareness advocate at KnowBe4.

“Like events that take place during the tax season, criminal groups will continue to work around the system to steal money without being caught.”

Massachusetts reported at least 17 false unemployment claims on May 15 and May 16, causing potential losses of approximately $500,000. Other states are also seeing a number of false claims.

The situation has made headlines over the past few weeks and the U.S. Secret Service has been forced to jump in, alerting field offices to scammers using stolen Social Security numbers and other personally identifiable information.

The Seattle Times spoke to several people who had only just realized that their Social Security numbers were being used for false unemployment claims. Local news outlets in Rhode Island reported the same after the state called the FBI for help with widespread fraud as well.


“It is assumed that the fraud ring behind this has a substantial PII database to record the number of claims seen so far. Washington is the main target state so far, although there is also evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida,” the Secret Service warned in memos received by KrebsOnSecurity and The New York Times.

According to research from Agari, Hawaii is the next state to be hit. On Tuesday, Scattered Canary filed two unemployment claims on the Hawaii Department of Labor and Business Relations website and more states are sure to be hit in the coming days and weeks.

In their research into Scattered Canary tactics, Agari analysts found that the “Gmail dot trick” was one of the main ways in which the group managed to execute its scams on government agencies. The Gmail quirk allows people to make one email account look like hundreds by moving periods around in a username.

Gmail automatically ignores the dots in an email address, so [email protected] can still receive emails sent to [email protected], scaipthecanar.y@gmail.com or [email protected]. The feature was built into Gmail as a way to help people who did not receive emails where periods had been misplaced, but it has quickly been used by cybercriminals as a way to fill in dozens of submissions with different email addresses that all route communications back to one single account.

Peterson wrote that, in one scenario, Agari researchers found 259 variants of the same address used to create accounts on state and federal websites to accomplish these deceptive actions.
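A check that a claims portal could run against the dot trick described above, as an added example that is not code from Agari or any state system: it reduces each address to the mailbox that actually receives the mail and flags inboxes shared by several claims. It goes slightly beyond the article by also folding `+tag` sub-addressing and the `googlemail.com` alias; the function names, the threshold and the sample registrations are assumptions constructed for illustration.

```python
from collections import defaultdict

# Domains where the provider ignores dots in the local part (Gmail and its alias).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox that actually receives mail sent to `address`."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE:
        local = local.split("+", 1)[0]   # drop +tag sub-addressing
        local = local.replace(".", "")   # dots are ignored by Gmail
        domain = "gmail.com"             # googlemail.com is the same mailbox
    return f"{local}@{domain}"


def flag_shared_mailboxes(registrations, threshold=3):
    """Group (claim_id, email) pairs by canonical mailbox and return clusters
    where at least `threshold` distinct claims route to one inbox."""
    clusters = defaultdict(set)
    for claim_id, email in registrations:
        try:
            clusters[canonical_mailbox(email)].add(claim_id)
        except ValueError:
            continue  # malformed addresses are left to input validation
    return {box: sorted(ids) for box, ids in clusters.items() if len(ids) >= threshold}


# Constructed sample registrations (not data from the Agari report).
SAMPLE = [
    ("claim-001", "sample.claimant@gmail.com"),
    ("claim-002", "s.ampleclaimant@gmail.com"),
    ("claim-003", "sampleclaim.ant@googlemail.com"),
    ("claim-004", "Sample.Claimant+wa@gmail.com"),
    ("claim-005", "other.person@example.org"),
    ("claim-006", "other.person@example.org"),
]

if __name__ == "__main__":
    for mailbox, claims in flag_shared_mailboxes(SAMPLE).items():
        print(f"{mailbox}: {len(claims)} claims -> {claims}")
```

Dots are stripped only for the listed domains, because other mail providers may treat dotted local parts as distinct mailboxes.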

“Scattered Canary is able to create dozens of accounts on state unemployment websites and IRS websites dedicated to handling CARES Act payments for tax-free filers (freefilefillableforms.com),” wrote Peterson.

“Using this tool, Scattered Canary can make their work more efficient by directing all communications to a single Gmail account. This will eliminate the need to create and analyze a new email account for every account they create on a website, ultimately making crimes faster and more efficient.”

Once their applications were approved, Peterson noted that cybercriminals with Scattered Canary used prepaid Green Dot cards and at least 47 Green Dot accounts to get the money. KrebsOnSecurity also noted that the memo from the Secret Service stated that not everyone involved in the scam is aware.

“In Washington state, out-of-state individuals receive a number of investments BUT from the Washington State Unemployment Benefits Program, all in the names of different individuals unconnected to a custodian of the account,” KrebsOnSecurity said in a statement, adding that Scattered Canary “mules” helped launder the money.

It seems that some of the “mules” are unemployed and agree to take a cut of the money while they pass most of it on, wrote Brian Krebs.

Since the Agari investigation came out on Tuesday, dozens of news outlets have covered the state's handling of fraudulent claims, highlighting the appalling plight of most unemployment insurance systems across the country.

Security researchers said the attacks used by Scattered Canary to steal personal information and spam unemployment sections meant it was ultimately vital for organizations to pay more attention to cybersecurity.

Chris Rothe, co-founder and chief production officer at Red Canary, said that attackers have now realized the benefits of these relatively low-level attacks on campaigns and are increasing usage.

“The attacker usually impersonates a senior executive in a company and instructs individuals in the company to send money to a random location. scam,” Rothe said.

“Unfortunately, the attackers are very good at their job and low technology works just as well as high tech for them. Attacks are often carried out with the feeling that the invader is moving mountains to enter a fully secure fortress and, in fact, the bulk of the compromises are in much simpler ways. It's just that no one wants to admit it.”

