American unemployment checks have become the latest target for cyber thieves who have lurched from one scam to another as the world battles the coronavirus pandemic. Unemployment benefit has three factors that make it a veritable honeypot for thieves—the amount of money being made available, the sheer scale of recipients eligible, and the confusion around the application processes and verification, both among recipients and many of those administering schemes.
In a report that’s equally dispiriting and unsurprising, the threat intelligence firm IntSights has exposed the how-to guides now on Russian dark web forums, detailed explainers on identity theft, state-by-state benefit regulations and the various options to physically collect the cash. IntSights has highlighted underground Russian forums, but says there are also Nigerian, European and American networks operating.
“The process is pretty straightforward for an attacker,” Etay Maor, IntSights’ CSO, told me. “File a claim under a real person or synthetic ID (combining real and fake data)—the person does not even have to be eligible, we have seen CEOs of large organizations used for filing a claim. Then connect the benefits to a prepaid debit card.”
Maor explained that a combination of both victims and prior employers ignoring emails, plus overloaded benefits centres, gives the attackers a good chance that a percentage of their claims will succeed—it’s a numbers game. The Russian networks are even hiring male and female staff to scam call centres over the phone—all done through these forums. “Then as soon as the money is transferred to a debit card, they convert it to bitcoin or wire the money to an offshore account.”
The Russian forums reviewed by IntSights shared tips on how to buy identities and then fill in any data gaps (required for the applications) with fake data or with open-source information. The forums were even used to recruit local mules to help in the process. This combination of real and fake data, known as Synthetic Identity Fraud, is central to the scam—using enough real data to tick the relevant boxes. The approach is not new, already running to hundreds of millions of dollars in annual fraud.
As IntSights explains, “the attacker will need to collect data on the target, but what data does the attacker need? The requirements are available online.” Everything is available online. IntSights refers to this underground marketplace as Fraud as a Service. “The Russian forums are so big on cybercrime dealings that a potential scammer can buy anything there,” Maor warned.
According to Maor, such attacks are now commonplace. “I have seen cybercriminals discussing almost all the states—what I don’t think we sometimes realize is how relatively simple this type of attack is. On the one hand you have an overburdened system, flooded with claims, trying to help citizens through a very hard time. On the other hand, an attacker that doesn’t need malware, ransomware or sophisticated hacking tools to run the complete life cycle of the attack.”
That numbers game clearly delivers. “If you submit at a state that will give you say $700,” Maor explains, “submit 1,000 claims out of which only 10% will work—you still make $70,000. And those numbers are very conservative.” He’s not wrong. Washington State reportedly suffered a $576 million fraud, while Colorado’s system is now swamped with fraudulent claims. It’s a nationwide problem.
Clearly, the ultimate victims here are the states who are paying out—not the people being impersonated. That said, no-one wants their identity stolen and used in a crime.
As regards advice for anyone who may want to check if their identities have been compromised, Maor says “they should get a mail asking them to validate a claim—some states have added additional authentication measures as well as notifications when you go online to their portals—indicating a claim is being processed.”
Meanwhile, the usual advice on protecting your identity remains the same. Don’t respond to unexpected emails or click on any links unless you’re sure of the source. Keep an eye on your bank statements for questionable transactions—however small. Don’t reuse passwords. And if you’re filing for benefits, make sure you understand the process in your state well enough to recognise what’s real.