“Scattered Canary” Named In Unemployment Fraud Scheme

Investigators are on the hunt for Nigerian fraudsters that have been targeting the nation’s unemployment offices. Based on an article that appeared today, researchers believe that they may have located one of the groups responsible.

Investigators believe a Nigerian fraud ring called “Scattered Canary”, used the IRS and state unemployment websites to file hundreds of fraudulent claims on behalf of U.S. citizens, and receive benefit payments.

Agari Believes The Fraud Ring Is Responsible for Hundreds of Frauds

Agari Cyber Intelligence Division (ACID) is the security firm that is analyzing the patterns and they presented their findings this morning.

They issued a press release this morning and provided their research to the general public.

“We have been tracking Scattered Canary for more than one year and briefed the U.S. Secret Service on this new development yesterday,” said Armen L. Najarian, CMO and Chief Identity Officer, Agari. “We’ve observed that this is by far one of the most complex and prolific cybercriminal organizations we have uncovered to date. Scattered Canary perpetrates a range of fraudulent schemes, including business email compromise (BEC) scams, unemployment fraud, social security fraud, student aid fraud, and now COVID-19 related fraud.”

Observations and threat intelligence gathering from Agari Cyber Intelligence Division (ACID) indicates that as of Sunday, May 17, Hawaii became Scattered Canary’s latest unemployment fraud victim, joining Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming.

While it is too early to measure the full fraud dollar loss impact on Hawaii, an assessment of Scattered Canary’s fraudulent attacks on the state of Washington could be a bellwether. Since April 29, the group has filed at least 174 fraudulent claims for unemployment with Washington. This is consistent with public reporting of a recent U.S. Secret Service alert mentioning that Washington has been the primary target of fraudulent unemployment claims.

Based on communications sent to Scattered Canary from the state of Washington, these claims were eligible to receive up to $790 a week for a total of $20,540 over a maximum of 26 weeks. Additionally, the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week through July 31. This adds up to a maximum potential loss as a result of these fraudulent claims of $4.9 million.

Green Dot PrePaid Cards Were Used

Agari analysis shows that Scattered Canary exploits Green Dot prepaid cards to “cash out” its fraudulent claims. Prepaid cards have previously been exploited to facilitate payroll diversion BEC attacks because the cards can be used to receive direct deposit payments. Green Dot cards are also advertised as being able to receive government benefits, such as unemployment payments, up to four days before they’re due to be paid, making them an attractive vehicle for groups like Scattered Canary to use in scams.

We have identified 47 Green Dot accounts that have been used by Scattered Canary to receive fraudulent payments. Notably, each of these accounts has been set up using the name of the individual on behalf of whom the group is filing a fraudulent claim.

Dotted Gmails Were Used To Create Hundreds of Fake Accounts With Stolen Identities

Another tactic Scattered Canary employs to scale its operations is the use of Google Dot Accounts. The group sets up its attacks using versions of related Gmail addresses to mass-create email accounts for each target website. Scattered Canary has been able to create dozens of accounts on state unemployment websites and the IRS website dedicated to processing CARES Act payments for non-tax filers (freefilefillableforms.com), because Google ignores periods when interpreting Gmail addresses. This tactic provides Scattered Canary the ability to scale its operations more efficiently by directing all communications to a single Gmail account. Ultimately, use of “dot accounts” makes Scattered Canary very fast and efficient at committing large scale financial crimes.

The scam used by the group exploits the fact that Gmail addresses ignore dots inside the email address itself.

For example, if someone adds dots to your address, the email will still be sent to your undotted address. For example, if your email is [email protected], all these dotted versions will revert back to that email:

Scattered Canary organized itself more than 10 years ago and is based in Nigeria. Its long operating history hardened its methods and prowess for committing fraud and socially engineered attacks. Agari first alerted law enforcement to Scattered Canary in early 2019.

Read Their Full Research Here

For those interested, you can read their full report here – AGARI.