Fraudulent COVID-19 Relief Claims Earn Gang Millions
A business email compromise (BEC) gang has submitted hundreds of fraudulent claims to state unemployment programs and coronavirus relief funds. Researchers who tracked the fraud think the cybercriminals may have made millions. The BEC gang, Scattered Canary, has filed more than 200 fraudulent claims for unemployment benefits and for COVID-19 relief funds. Scattered Canary is a highly organized Nigerian gang that employs dozens of hackers to target U.S. organizations and government institutions. Since April 29, Scattered Canary has filed more than 200 fraudulent claims on the online unemployment websites of eight U.S. states.
In addition to the fraudulent unemployment activity, researchers have also found evidence that links Scattered Canary to previous attacks targeting CARES Act Economic Impact Payments, which were meant to provide COVID-19 relief. Researchers have identified the methods Scattered Canary is using to create numerous accounts on government websites and where the stolen funds are directed. So far, the gang has targeted the unemployment websites of Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington and Wyoming. “Based on Scattered Canary’s activity, the group seems to be setting their sights on Hawaii as their next target of fraudulent unemployment claims, which has not been previously reported,” said researchers.
Researchers noted that Scattered Canary has used almost 50 Green Dot prepaid cards to cash out its fraudulent claims. Prepaid cards have previously been exploited to facilitate payroll-diversion BEC attacks because the cards can be used to receive direct deposit payments. Green Dot cards are also advertised as being able to receive government benefits, such as unemployment payments, up to four days before they're due to be paid, making them attractive to groups like Scattered Canary for use in scams.
The group also used a trick that researchers call Google dot accounts to scale its operation. This trick abuses a legitimate Google feature that directs incoming email to the same account, regardless of where periods are placed within the email address. So, if someone creates a Gmail account with an email address containing a period, such as firstname.lastname@example.org, Google strips out the period and interprets it as the same address without the period.
Hackers leveraged this to create multiple versions of the same Google address for each target website, creating an efficient method for carrying out the crime. Researchers found 259 different variations of a single email address used by Scattered Canary to create accounts on state and federal websites to carry out these fraudulent activities.
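
For a site operator, the dot-account trick described above can be detected at registration time by comparing canonical mailboxes rather than addresses as typed. The following is an added example, not code from the researchers or from any affected website; the function names, account ids and sample addresses are constructed. It goes slightly beyond the article by also folding Gmail "+tag" suffixes and the googlemail.com alias into the same mailbox.

```python
from collections import defaultdict

# Domains whose provider ignores periods in the local part (Gmail behaviour).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address):
    """Map an address to the mailbox that actually receives its mail."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE:
        local = local.split("+", 1)[0].replace(".", "")  # drop +tag, then dots
        domain = "gmail.com"  # googlemail.com delivers to the same mailbox
    return f"{local}@{domain}"


def dot_variant_clusters(registrations, threshold=2):
    """Return {canonical mailbox: [account ids]} where one mailbox backs
    `threshold` or more accounts registered under different spellings."""
    seen = defaultdict(dict)  # canonical -> {spelling as typed: account id}
    for account_id, email in registrations:
        try:
            seen[canonical_mailbox(email)][email.strip().lower()] = account_id
        except ValueError:
            continue  # malformed input is left to ordinary form validation
    return {box: list(ids.values()) for box, ids in seen.items()
            if len(ids) >= threshold}


# Constructed sample registrations (account id, email as typed).
SAMPLE = [
    ("A-1001", "jane.doe.claims@gmail.com"),
    ("A-1002", "janedoe.claims@gmail.com"),
    ("A-1003", "j.a.n.e.doeclaims@googlemail.com"),
    ("A-1004", "JaneDoeClaims+wy@gmail.com"),
    ("A-1005", "jane.doe.claims@example.org"),   # dots are significant here
    ("A-1006", "janedoe.claims@example.org"),
    ("A-1007", "other.person@gmail.com"),
]

if __name__ == "__main__":
    for mailbox, accounts in dot_variant_clusters(SAMPLE).items():
        print(f"{mailbox}: {len(accounts)} accounts -> {accounts}")
```

Store the canonical form next to the address as typed and enforce uniqueness or review thresholds on the canonical column; mail should still be sent to the address the user entered.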