Security researchers discovered that the Scattered Canary group had filed hundreds of fraudulent unemployment claims in the wake of COVID-19.
According to Agari Cyber Intelligence Division, at least some of the threat actors who took part in a large-scale fraud campaign targeting dozens of states’ unemployment insurance programs belonged to a Nigerian digital crime group called “Scattered Canary.” This collective is known to have committed unemployment fraud, student aid fraud and similar types of attacks over its 10+ year history. It’s therefore no surprise that the group would abuse coronavirus 2019 (COVID-19) to launch additional campaigns.
Agari determined that Scattered Canary used Gmail “dot” accounts to mass-produce the accounts they used to target state unemployment websites as well as IRS sites dedicated to processing CARES Act payments. This technique helped to streamline the attackers’ efforts. As quoted in Agari’s research:
By using this tactic, Scattered Canary is able to scale their operations more efficiently by directing all communications to a single Gmail account. This removes the need to create and monitor a new email account for every account they create on a website, ultimately making crimes faster and more efficient.
The Agari intelligence team found 259 variations of a single email address that the attackers used to target the sites mentioned above and to commit their fraudulent activity.
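A site that receives registrations can surface this pattern by collapsing each Gmail address to the mailbox that actually receives the mail and counting distinct variants per mailbox. The sketch below is an added example, not code from Agari or from the original article; the record layout, function names, threshold and sample addresses are constructed for illustration, and it goes slightly beyond the "dot" trick by also folding "+tag" suffixes and the googlemail.com alias.

```python
from collections import defaultdict

# Domains that deliver to the same Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(address):
    """Collapse Gmail aliases to the single mailbox that receives the mail."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots in the local part and anything after "+".
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    # Other domains are left alone: dots may be significant there.
    return f"{local}@{domain}"

def find_alias_clusters(records, threshold=3):
    """Map canonical mailbox -> distinct submitted variants, kept only
    when at least `threshold` variants point at the same mailbox."""
    clusters = defaultdict(set)
    for rec in records:
        submitted = rec["email"].strip().lower()
        try:
            clusters[canonical_email(submitted)].add(submitted)
        except ValueError:
            continue  # malformed input is skipped, not clustered
    return {box: sorted(v) for box, v in clusters.items() if len(v) >= threshold}

# Constructed sample records (hypothetical claim IDs and addresses).
SAMPLE_CLAIMS = [
    {"claim_id": "C-1001", "email": "jane.q.public@gmail.com"},
    {"claim_id": "C-1002", "email": "j.aneqpublic@gmail.com"},
    {"claim_id": "C-1003", "email": "janeq.public@googlemail.com"},
    {"claim_id": "C-1004", "email": "JaneQPublic+wa@gmail.com"},
    {"claim_id": "C-1005", "email": "first.last@example.org"},
    {"claim_id": "C-1006", "email": "firstlast@example.org"},
    {"claim_id": "C-1007", "email": "not-an-address"},
]

if __name__ == "__main__":
    for mailbox, variants in find_alias_clusters(SAMPLE_CLAIMS).items():
        print(f"{mailbox}: {len(variants)} variants -> {variants}")
```

A cluster is a signal for review rather than proof of fraud, since legitimate users also write their own address with and without dots.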
Broken down by state, Scattered Canary filed at least 174 fraudulent claims for unemployment benefits in Washington. That was far more than the 17 claims filed by the group in Massachusetts and the two claims submitted by its members in Hawaii. Even so, Agari found evidence suggesting that the group would likely continue to file unemployment claims in Hawaii for at least several more days.
The group was also behind at least 82 fraudulent claims associated with the CARES Act.
Scattered Canary ultimately leveraged Green Dot prepaid cards to accept payments for their fraudulent claims. In at least some of the cases observed by Agari, the group had registered those card accounts in the names of individuals for whom they claimed they were filing for benefits.