A West African cybercriminal group has scammed the US government out of millions of dollars in Covid-19 business compensation, according to security firm Agari.
The Scattered Canary group appears to have targeted at least eight states, filing at least 174 fraudulent claims for unemployment with Washington. Each added up to a total of $20,540 over 26 weeks.
On top of this, under the CARES Act, the group has been able to claim $600 in Federal Pandemic Unemployment Compensation each week through July 31, by using social security numbers and personally identifiable information from identity theft victims. This all adds up to a potential $4.9 million in fraudulent claims for Washington alone, says Agari.
The other states affected are Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Wyoming and, most recently, Hawaii, where the group has filed two unemployment claims on Hawaii’s Department of Labor and Industrial Relations website.
Agari says that Scattered Canary is based in Nigeria and has been operating for about ten years. It’s been tracking the group for over a year, and has shared its information with the Secret Service.
“We’ve observed that this is by far one of the most complex and prolific cybercriminal organizations we have uncovered to date,” says Agari’s CMO and chief identity officer Armen Najarian.
“Scattered Canary perpetrates a range of fraudulent schemes, including business email compromise (BEC) scams, unemployment fraud, social security fraud, student aid fraud, and now COVID-19 related fraud.”
The group uses Green Dot prepaid cards to ‘cash out’ its fraudulent claims. Meanwhile, using Google Dot Accounts, it creates numerous email accounts for each of the targeted websites with all communications going to a single Gmail account. In one case, Agari identified 259 different variations of a single email address used to create accounts on state and federal websites.
“Using a feature within the Google Gmail email system that ignores any period in the address, the criminals could create multiple accounts with the government to exploit it financially,” comments James McQuiggan, security awareness advocate at KnowBe4.
“The criminal groups have discovered a loophole whereby the criminals have crafted a method to steal millions of dollars from the government. The payout system appears automated, as there does not appear to be a balance or check process with the information provided to the state government systems when it comes to the false email addresses.”