Last week, the U.S. Secret Service warned of “massive fraud” against state unemployment insurance programs, noting that false filings from a well-organized Nigerian crime ring could end up costing the states and federal government hundreds of millions of dollars in losses.
Since then, various online crime forums and Telegram chat channels focused on financial fraud have been littered with posts from people selling tutorials on how to siphon unemployment insurance funds from different states.
A federal fraud investigator who’s helping to trace the source of these crimes, and who spoke with KrebsOnSecurity on condition of anonymity, said many states have few controls in place to spot patterns in fraudulent filings, such as multiple payments going to the same bank accounts, or filings made for different people from the same Internet address.

In too many cases, he said, the deposits are going into accounts where the beneficiary name does not match the name on the bank account. Worse still, the source said, many states have dramatically pared back the amount of information required to successfully file an unemployment claim.
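The three controls the investigator describes (deposits clustering on one bank account, claims for different people arriving from one IP address, and a beneficiary name that does not match the account holder) are simple to screen for once the claims are in one place. The following is an added example, not code from any state system or from the article; the claim records and field names are constructed for illustration and are assumptions, not any real schema.

```python
"""Added example (not from the article): screen unemployment claims for the
reuse patterns the investigator describes.

Flags:
  * several distinct claimants paying out to the same bank account
    (routing + account number),
  * claims for different people filed from the same source IP,
  * a claimant name that does not match the name on the receiving account.

The claim records below are constructed for illustration; the field names
are assumptions, not any state's actual schema.
"""
from collections import defaultdict

# Constructed sample claims (not real data).
CLAIMS = [
    {"claim_id": "C1", "claimant": "Alice Example", "ssn_last4": "1111",
     "src_ip": "203.0.113.10", "routing": "021000021", "account": "555001",
     "account_holder": "Alice Example"},
    {"claim_id": "C2", "claimant": "Bob Sample", "ssn_last4": "2222",
     "src_ip": "203.0.113.10", "routing": "021000021", "account": "555001",
     "account_holder": "Carl Mule"},
    {"claim_id": "C3", "claimant": "Dana Test", "ssn_last4": "3333",
     "src_ip": "203.0.113.10", "routing": "021000021", "account": "555001",
     "account_holder": "Carl Mule"},
    {"claim_id": "C4", "claimant": "Evan Other", "ssn_last4": "4444",
     "src_ip": "198.51.100.7", "routing": "011000015", "account": "777002",
     "account_holder": "Evan Other"},
]


def _normalize_name(name):
    """Loose comparison: case- and whitespace-insensitive."""
    return " ".join(name.lower().split())


def screen_claims(claims, max_per_account=1, max_per_ip=1):
    """Return {claim_id: [reasons]} for every claim that trips a rule.

    Claimants are distinguished by SSN (last four here); one person filing
    twice to the same account is a duplicate, not a mule pattern, so the
    thresholds count distinct people rather than raw claims.
    """
    by_account = defaultdict(list)
    by_ip = defaultdict(list)
    for c in claims:
        by_account[(c["routing"], c["account"])].append(c)
        by_ip[c["src_ip"]].append(c)

    flags = defaultdict(list)
    for (routing, account), group in by_account.items():
        people = {c["ssn_last4"] for c in group}
        if len(people) > max_per_account:
            for c in group:
                flags[c["claim_id"]].append(
                    f"deposit account {routing}/{account} shared by "
                    f"{len(people)} claimants")
    for ip, group in by_ip.items():
        people = {c["ssn_last4"] for c in group}
        if len(people) > max_per_ip:
            for c in group:
                flags[c["claim_id"]].append(
                    f"source IP {ip} used for {len(people)} different claimants")
    for c in claims:
        if _normalize_name(c["claimant"]) != _normalize_name(c["account_holder"]):
            flags[c["claim_id"]].append(
                "beneficiary name does not match account holder")
    return dict(flags)


if __name__ == "__main__":
    for cid, reasons in sorted(screen_claims(CLAIMS).items()):
        print(cid, "->", "; ".join(reasons))
```

The account-reuse and name-mismatch rules are strong signals on their own; a shared IP is weaker (carrier-grade NAT, a library, a workplace), so in practice `max_per_ip` is set above one and the IP rule is used to raise a score rather than to deny a claim outright.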

“The ones we’re seeing worst hit are states that aren’t asking where you worked,” the investigator said. “It used to be they’d have a whole list of questions about your previous employer, and you had to show you were trying to find work. But with the pandemic, there’s no such requirement. They’ve eliminated any controls they had at all, and now they’re just shoveling money out the door based on Social Security number, name, and a few other details that aren’t hard to find.”
Earlier this week, email security firm Agari detailed a fraud operation tied to a seasoned Nigerian cybercrime group it dubbed “Scattered Canary,” which has been busy of late bilking states and the federal government out of economic stimulus and unemployment payments.
Agari said this group has been filing hundreds of successful claims, all effectively using the same email address.

“Scattered Canary uses Gmail ‘dot accounts’ to mass-create accounts on each target website,” Agari’s Patrick Peterson wrote. “Because Google ignores periods when interpreting Gmail addresses, Scattered Canary has been able to create dozens of accounts on state unemployment websites and the IRS website dedicated to processing CARES Act payments for non-tax filers (http://freefilefillableforms.com).”
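The defence against the dot-account trick is to canonicalize addresses before checking whether an email is already registered. The following is an added example, not Agari’s or the article’s code: it strips dots from the local part of gmail.com addresses as the quote describes, and goes slightly further by also dropping a “+tag” suffix and folding googlemail.com into gmail.com, both of which Gmail treats as the same mailbox. The registration list is constructed for illustration.

```python
"""Added example (not from Agari or the article): collapse Gmail "dot
accounts" so that registrations which differ only by dots, by a "+tag" suffix
or by the googlemail.com domain are recognised as one mailbox.

Google ignores dots in the local part of gmail.com addresses; the "+tag" rule
and the googlemail.com alias are further Gmail behaviours assumed here. The
registration list is constructed for illustration.
"""

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr):
    """Return a canonical form of addr.

    For Gmail: lower-case, drop dots and any "+tag" in the local part, map
    googlemail.com to gmail.com. Other domains are only lower-cased, because
    dot-insensitivity is a Gmail behaviour and must not be assumed elsewhere
    (at most providers "jane.roe" and "janeroe" are different mailboxes).
    """
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"malformed address: {addr!r}")
    local, domain = addr.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_dot_account_clusters(addresses, threshold=2):
    """Group addresses by canonical form; return {canonical: [originals]}
    for every mailbox behind at least `threshold` distinct registrations."""
    groups = {}
    for a in addresses:
        groups.setdefault(canonical_email(a), []).append(a)
    return {k: v for k, v in groups.items() if len(v) >= threshold}


# Constructed registrations (not real accounts).
REGISTRATIONS = [
    "john.doe@gmail.com",
    "jo.hn.doe@gmail.com",
    "j.o.h.n.d.o.e@googlemail.com",
    "johndoe+wa@gmail.com",
    "John.Doe@gmail.com",
    "jane.roe@example.org",
    "janeroe@example.org",  # a different mailbox at a non-Gmail provider
]

if __name__ == "__main__":
    for canon, originals in find_dot_account_clusters(REGISTRATIONS).items():
        print(f"{canon}: {len(originals)} registrations -> {originals}")
```

Run at registration time, `canonical_email` lets the uniqueness check reject the second and later variants; run over an existing user table, `find_dot_account_clusters` surfaces the accounts that were already mass-created.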
Indeed, the very day the IRS unveiled its site for distributing CARES Act payments last month, KrebsOnSecurity warned that it was very likely to be abused by fraudsters to intercept stimulus payments from U.S. citizens, mainly because the only information required to submit a claim was name, date of birth, address and Social Security number.

Agari notes that since April 29, Scattered Canary has filed at least 174 fraudulent claims for unemployment with the state of Washington.

“Based on communications sent to Scattered Canary, these claims were eligible to receive $790 a week for a total of $20,540 over a maximum of 26 weeks. Additionally, the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week through July 31. This adds up to a potential loss to these fraudulent claims of $4.7 million.”
A number of states have suffered security issues with PUA websites that exposed personal details of citizens filing unemployment insurance claims. Perhaps the most galling example comes from Arkansas, whose site exposed Social Security numbers, bank account and routing numbers for some 30,000 applicants.
In that instance, The Arkansas Times alerted the state after hearing from a computer programmer who was filing for unemployment on the site and found he could see other applicants’ data simply by changing the site’s URL slightly. State officials reportedly ignored the programmer’s repeated attempts to get them to fix the issue, and when it was covered by the newspaper the state governor accused the person who found it of breaking the law.
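Being able to read another applicant’s record by editing the URL is an object-level authorization failure: the server looks up whatever record the client names and never checks who owns it. The following added example is not the Arkansas site’s code (the article does not describe its stack); it shows the bug class with an insecure lookup beside a fixed one, using a constructed in-memory store and a session user name that are assumptions for illustration.

```python
"""Added example (not the Arkansas site's code, whose stack the article does
not describe): an applicant record fetched by an identifier taken from the
URL with no check that the record belongs to the logged-in user, beside a
fixed lookup.

The storage layer and session user are constructed for illustration.
"""

# Constructed applicant records keyed by a sequential, guessable id.
APPLICATIONS = {
    1001: {"owner": "alice", "ssn": "***-**-1111",
           "routing": "021000021", "account": "555001"},
    1002: {"owner": "bob", "ssn": "***-**-2222",
           "routing": "011000015", "account": "777002"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def get_application_vulnerable(session_user, application_id):
    """Insecure: trusts the id from the URL (e.g. /application?id=1002) and
    returns whatever record it names. Any authenticated user can enumerate
    every applicant's SSN and bank details by changing the id."""
    return APPLICATIONS[application_id]


def get_application_fixed(session_user, application_id):
    """Object-level authorization: the record must belong to the session
    user. A missing record and a foreign record are reported identically so
    the endpoint cannot be used to discover which ids exist."""
    record = APPLICATIONS.get(application_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(
            f"application {application_id} not available to {session_user}")
    return record


def get_own_application(session_user):
    """Safer API shape: derive the record from the session, never from a
    client-supplied id, when each user has exactly one application."""
    for record in APPLICATIONS.values():
        if record["owner"] == session_user:
            return record
    raise Forbidden(f"no application for {session_user}")


if __name__ == "__main__":
    print("leaked:", get_application_vulnerable("alice", 1002))
    try:
        get_application_fixed("alice", 1002)
    except Forbidden as e:
        print("blocked:", e)
    print("own record:", get_own_application("alice"))
```

Switching to random, unguessable identifiers makes enumeration slower but is not a fix; the ownership check in `get_application_fixed` is, and it has to run on every endpoint that takes a record id, including exports and status pages, not just the one that was reported.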

Other states have discovered similar issues with their PUA application sites, including Colorado, Illinois, and Ohio.