
Unemployment Fraud in the Criminal Underground [Report]

This report reviews the current threat landscape of unemployment fraud in the United States within closed sources and underground reporting. It contains information gathered using the Recorded Future® Platform, as well as additional open source intelligence (OSINT), dark web sources, and underground forum research. It will be of interest to organizations seeking to better understand unemployment fraud within the criminal underground, as well as investigators of threat actors performing such attacks.
Executive Summary
The COVID-19 pandemic has led to the commoditization of a variety of criminal services themed around unemployment relief originally meant to be distributed to those whose lives have been disrupted by the virus. Unemployment fraud has become increasingly accessible to threat actors lately and presents a low barrier of entry for fledgling cybercriminals. The success of fraud campaigns this year themed around relief efforts to combat the COVID-19 pandemic is likely the result of a combination of factors, including successful social engineering campaigns, the use of money mules operating throughout the U.S., and threat actors’ use of login information or personally identifiable information (PII) exposed during data breaches, dumps, or leaks. Some fraudsters targeting unemployment benefit systems are more likely to rely on traditional forms of social engineering such as targeted phishing emails directed at a company’s executive leadership. Other tactics, such as the suspected use of money mules in connection with this fraudulent activity, overlap with the tactics of other cybercriminal groups that specialize in various types of fraud, particularly crews that specialize in business email compromise (BEC) schemes.
Given the volume of underground references to the sale of unemployment fraud tutorials and the number of views these methods generate, many fraudsters are likely still new at conducting this form of fraud. Recorded Future has seen no evidence to suspect that actors are exploiting vulnerabilities within government systems, relying instead on their ability to opportunistically target as many victims around the country as possible by harvesting previously exposed information. The general increase in unemployment fraud throughout 2020 was also likely compounded by gaps in the security hygiene of multiple government organizations responsible for safeguarding unemployment applicant data both virtually and physically. This is evidenced by actors in some states believed to be attempting to intercept physical mail that contained personal information tied to unemployment claims. The general flood of fraudulent unemployment requests that has overwhelmed government workers in many states is also enabled by the low barrier to entry for cybercriminals who can purchase stolen accounts or cheap tutorials and methods on how they can conduct similar fraud.
Key Judgements and Findings
- The promotion of fraudulent unemployment services within closed-source reporting over the past six months can be divided into two broad categories:
  - The sale of tutorials or methods to file fraudulent claims
  - The sale of direct access to unemployment relief accounts that often contain a pre-existing balance of funds
- Over the past six months, cybercriminals have demonstrated a preference for advertising unemployment fraud tutorials or services via messaging platforms, specifically Telegram, over criminal forums, shops, or marketplaces.
- Underground sources promoting unemployment fraud services typically specialize in a variety of other forms of fraud simultaneously, including credit card fraud and tax fraud.
- The scale of fraudulent unemployment claims within the U.S. has become widespread enough in recent months that it is unlikely to be attributable to a single threat entity.
- Open source reporting on the reported losses stemming from unemployment fraud activity assessed to be in the millions of dollars has very likely contributed to the growing level of interest among underground threat actors.
- Money mules likely remain a critical component of the unemployment fraud supply chain as evidenced by images uploaded by underground sellers of fraudulent unemployment methods and open source reports surrounding the arrests of suspected mules throughout 2020.
Background
Since the onset of the COVID-19 pandemic, rampant unemployment fraud has been reported throughout the U.S., with every state being impacted to varying degrees. This has manifested in various forms, from threat actors filing unemployment claims using stolen PII to state officials contending with reports of money mules funneling stolen funds to fraudulent threat actors operating overseas.
- In January 2020, the Federal Bureau of Investigation (FBI) detailed how cybercriminals use spoofed websites to harvest PII and steal money in order to conduct increasingly complex hiring scams, posting advertisements alongside legitimate employers and job placement agencies to target victims of all skill and income levels. Criminals seeking PII to commit unemployment fraud are likely to continue harvesting information from previously reported leaks or data breaches, or from other, often automated, criminal marketplaces that sell this information at low prices.
- Four months later, the U.S. Secret Service (USSS) linked the increase in reports of fraud targeting state unemployment insurance programs to a "well-organized" Nigerian ring. Researchers at Agari published information attributing part of this Nigerian fraud to a cybercriminal group dubbed Scattered Canary. Potential losses resulting from the group's activities over the past several years are estimated to be in the hundreds of millions of dollars. The USSS stated that the fraud ring is believed to include hundreds of money mules, a term used to describe willing or unwitting individuals recruited to help launder the proceeds of fraudulent financial transactions.
Reports of widespread unemployment fraud persist across multiple states. Recorded Future has not observed any instance of unemployment fraud resulting from a vulnerability inherent to government systems. Instead, reports have detailed a variety of techniques used by individual fraudsters from state to state, making it unlikely that all cases of unemployment fraud reported this year are the work of a single threat entity. The general increase in unemployment fraud throughout 2020 was likely compounded by gaps in security hygiene within multiple government organizations responsible for safeguarding unemployment applicant data. Security experts believe that several states were already contending with problems related to their ability to combat this specific form of fraud even before the COVID-19 pandemic, including their ability to:
- Implement or renew identity verification software to review claims before they are disseminated
- Cross-check benefit claims against the personal data of other individuals, such as inmates, deceased persons, or out-of-state residents
- Ensure that applicant PII such as Social Security numbers (SSN) are not included in mail correspondence susceptible to physical theft
It is very likely that emerging cybercriminals have become emboldened by open source reports detailing how easy it is to conduct this form of fraudulent activity with no prior knowledge of unemployment systems, combined with the relatively low price of purchasing a tutorial or method to facilitate their activities.
Threat Analysis
The promotion of fraudulent unemployment services within closed source reporting over the past six months can be divided into two broad categories:
- The sale of tutorials or methods to file fraudulent claims with government systems or platforms that assist with unemployment relief
- The sale of direct access to unemployment relief accounts that often contain a pre-existing balance of funds
In March 2020, U.S. lawmakers passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which established the Pandemic Unemployment Assistance (PUA) program. This program extends unemployment insurance eligibility to self-employed workers, freelancers, independent contractors, and part-time workers affected by the coronavirus. Although the PUA program is only one of several unemployment relief measures put in place by U.S. authorities in response to the pandemic, it continues to feature prominently in underground advertisements related to unemployment fraud, the number of which continues to grow.

The visual below shows the results of a survey provided to members of one Telegram channel devoted to multiple forms of fraudulent activity. Though the sale of PUA information came in last place in the survey, its very inclusion on the survey demonstrates that this element of fraudulent activity has generated enough demand among cybercriminals to warrant its own sales category within closed sources. Recorded Future has knowledge of at least one Telegram channel implementing an “operation” as a result of expectations that provisions surrounding unemployment relief were set to expire at the end of 2020, making fraudulent PUA claims a priority for admins of the channel attempting to generate as much revenue as possible in the event that the PUA program or other unemployment relief offerings were suddenly to cease.

Over the past six months, cybercriminals have demonstrated a preference for advertising unemployment fraud tutorials or account information via messaging platforms over criminal forums, shops, or marketplaces. However, the demand within traditional marketplaces remains high enough for administrators to continue to support various offerings related to unemployment fraud.
Another appealing aspect of this form of fraud is the relatively low price of tutorials or account information. Recorded Future observed tutorials and methods related to conducting unemployment fraud selling for anywhere between $5 and $100, depending on the state being targeted. The price of PUA information or access to a state government platform containing a pre-existing balance of relief funds was typically higher (as denoted in Figure 3 below, where some threat actors were asking for between $80 and $100 for PUA information associated with New York and Wisconsin unemployment claims).
Threat actors selling this information demonstrated a willingness to forgo accounts with relief balances valued in the thousands of dollars to ensure the long-term success of their underground business model. Additionally, the higher price for direct access to accounts with pre-existing balances as opposed to the tutorials is likely a result of buyers being in the position to more easily access the funds that another veteran actor likely already procured. This is in contrast with tutorials where the buyer is still ultimately responsible for obtaining victim accounts to achieve profit while avoiding attention from law enforcement.

Other fraud methods related to unemployment scams contained what cybercriminals considered to be useful tips to increase the likelihood of achieving success when submitting a fraudulent claim. Tips recommended by fraudsters across multiple tutorials included the following:
- If asked on an application as to when the COVID-19 pandemic affected your employment activities, put March 25, 2020, just two days prior to when the CARES Act was implemented by Congress.
- Filing a claim as “Self-Employed” when possible will net applicants more money than those who filed that they work for another company.
- This same guide later advised other fraudsters which job they had success with when filing claims. In this tutorial’s case, the author recommended pretending to be a “professional photographer” or another job that would be more difficult to fulfill within a remote environment.
- If asked about how much you earned annually in 2019, when filing a fraudulent claim, list an amount between $16,850 and $42,100. The author in this case likely believed that providing a salary above a particular threshold would increase the likelihood of it being flagged by law enforcement investigators or state officials reviewing individual claims.
- Social engineering techniques were also encouraged within multiple tutorials. In one guide, the authors reported that calling a PUA “claim line” and entering a Social Security number (SSN) obtained from another source would verify whether that individual already had an open unemployment relief claim. If no claim had been filed yet, public record aggregation websites such as Verified and Truthfinder were recommended as sources of additional PII on a target. The actors specifically advised using “good” SSN and date of birth (DOB) information on a target to conduct further research on these public record aggregation sites, likely in an attempt to harvest additional PII. However, the actors also showed a level of bias within this guide, with their final recommendation being to visit a specific underground marketplace they are affiliated with to purchase additional information.
Underground sources selling fraudulent unemployment relief tutorials or account information typically specialize in other forms of fraud, including credit card and tax fraud. Additionally, sellers of these types of fraud do not appear to devote all resources to targeting unemployment systems in one state at a time. Instead, they offer services to access information from a variety of states simultaneously, based on client demand and the level of difficulty in obtaining access to unemployment relief accounts within a particular state.

Criminal shops such as Genesis Store and Russian Market that specialize in the sale of an end user’s browsing history or “digital footprint” have also regularly contained login information for state government domains associated with unemployment relief throughout 2020. Recorded Future saw no indication or comments among cybercriminals that these “bots” containing state government login information were being specifically purchased to commit acts of unemployment fraud, though the lack of a discussion functionality within these shops makes it difficult to determine the specific motivation behind purchases from these sources.
Alert to Changes in Government Monitoring
Due to the steady increase in reports of unemployment fraud in the United States, states have attempted, to varying degrees, to mitigate the threat posed by this form of fraudulent activity. In November 2020, the USSS reported 700 ongoing investigations related to fraud targeting the Paycheck Protection Program and the unemployment insurance program. As states continue to strengthen their security measures to combat this widespread fraud, cybercriminals who promote unemployment fraud methods or disclose account information also continue to monitor these changes and adapt to them.
- Figure 5 below shows an administrator of a Telegram channel devoted to fraud activity advising members to avoid purchasing or attempting to access unemployment platforms linked to seven specific U.S. states they no longer believed to be distributing financial relief.
- Individual Telegram channels appear to have varying recommendations as to which state is or is not an ideal target at any given time. For example, within two weeks of the Telegram post in Figure 5, originally uploaded in November 2020, threat actors resumed selling methods or account information associated with state systems in Ohio within the same channel, despite these prior warnings by channel administrators.
- Threat actors within these messaging platform channels have also expressed concern that some states are more capable of identifying their location than others. In one scenario, Recorded Future observed a comment from a user advising users to stay away from four specific U.S. states they believed to be likely using tracking applications to monitor for fraudulent claims. The use of proxy IP addresses was highly encouraged within closed sources to prevent this form of tracking and to ensure that a user is not locked out of any unemployment platforms, were government entities to flag their originating IP address as suspicious.


We are not aware of any security vulnerabilities within government or corporate systems that have assisted in the spread of this fraudulent activity. It is more likely that threat actors will continue to opportunistically target unemployment relief platforms by harvesting exposed login information or purchasing bundles of PII for sale within underground sources.
Assisting Other Fraudsters
Generally, administrators maintaining channels within messaging platforms devoted to unemployment fraud were receptive to the idea of mentoring newer users, likely in an attempt to develop a long-term relationship with partners capable of generating demand for their channels and increasing revenue. This willingness among cybercriminals to partner with one another on unemployment fraud carried over to cybercriminal forums as well, where we observed recurring requests from users seeking “serious” partners for long-term fraud activity. Given that these threads encouraged interested parties to contact the vendor via private channels, the visibility Recorded Future has had into the potential success of these partnerships has been limited.
_Figure 7: Request for unemployment benefit partner_
Vendors of employment scams or PUA fraud methods are often involved in several different scams simultaneously, including disaster relief fraud, Social Security fraud, tax fraud, and credit card fraud. This is the norm for cybercriminal organizations able to operate multiple services capable of providing different streams of revenue.
Recorded Future reviewed several tutorials and methods circulating within the criminal underground regarding a combination of PUA or general unemployment fraud techniques. For the majority of the methods advertised, cybercriminals were expected to already be in possession of stolen PII or “fullz” to take advantage of the guides and be in a position to turn a profit. Fullz is a slang term for "full information" that criminals who steal PII use to refer to a set of information on a prospective fraud victim, generally including an individual’s name, address, date of birth, Social Security and driver’s license numbers, as well as the PII of family members and any other miscellaneous information available (such as criminal or employment records).
The same sellers of PUA fraud methods were very often willing to sell this information separately at additional cost. This demonstrates that financial success remains the underlying motivation, despite any attempts by the vendors to portray themselves as good Samaritans willing to assist fledgling criminals who may be new to this type of fraudulent activity.


Unemployment Fraud Targeting and Attribution
In May 2020, researchers at the security firm Agari published their findings regarding a Nigerian cybercriminal group tracked as "Scattered Canary" that was committing unemployment and CARES Act fraud across the United States. The Scattered Canary cybercriminal group operates as a full-service business email compromise (BEC) enterprise that uses scams, such as email spoofing and phishing, to manipulate businesses into paying fake contracts and other fraudulent invoices. According to Agari's telemetry data, most of the targets were located in seven U.S. states: Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming. The threat actors associated with Scattered Canary reportedly used a combination of prepaid cards to receive payments and mass-created email accounts:
- In total, Scattered Canary used at least 47 Green Dot prepaid card accounts to receive the fraudulent payments.
- Scattered Canary used Gmail accounts to mass-create accounts on each targeted website. Because Google ignores periods when interpreting Gmail addresses, Scattered Canary could have created dozens of accounts on state unemployment websites and on the IRS website dedicated to processing CARES Act payments for non-tax filers (freefilefillableforms[.]com).
- Examples of the Gmail dot formatting structure used by Scattered Canary to send unemployment assistance phishing emails:
  - badactor2021@gmail[.]com
  - badactor202.1@gmail[.]com
  - badactor202.21@gmail[.]com
- By using this tactic, Scattered Canary was able to scale their operations more efficiently by directing all communications to a single Gmail account. According to Agari, this removes the need to create and monitor a new email account for every account they create on a website, ultimately making transactions faster and more efficient.
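A registration system can counter the dot tactic described above by comparing the mailbox an address delivers to rather than the literal string. The following is an added example, not code from the report or from Agari; the function names and sample registrations are constructed, and it goes slightly beyond the text by also collapsing `+tag` suffixes and the `googlemail.com` alias, which deliver to the same Gmail mailbox.

```python
"""Added example: collapse Gmail dot variants to one canonical mailbox."""
from collections import defaultdict

# Domains that deliver to the same Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample registrations: (account_id, email as submitted).
SAMPLE_REGISTRATIONS = [
    ("acct-01", "claims.inbox2021@gmail.com"),
    ("acct-02", "claimsinbox2021@gmail.com"),
    ("acct-03", "c.laimsinbox.2021@gmail[.]com"),       # defanged form
    ("acct-04", "Claims.Inbox2021+tx@googlemail.com"),  # tag + alias domain
    ("acct-05", "other.person@example.org"),
    ("acct-06", "not-an-address"),
]


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address delivers to, for duplicate detection.

    Gmail ignores dots in the local part and treats anything after '+'
    as a tag. Other providers are only lower-cased, because their
    dot and plus handling differs and must not be assumed.
    """
    address = address.strip().lower().replace("[.]", ".")
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_shared_mailboxes(registrations, threshold=2):
    """Group accounts by canonical mailbox.

    Returns {mailbox: [account_ids]} for every mailbox that backs at
    least `threshold` accounts. Malformed addresses are skipped.
    """
    groups = defaultdict(list)
    for account_id, email in registrations:
        try:
            groups[canonical_mailbox(email)].append(account_id)
        except ValueError:
            continue
    return {box: ids for box, ids in groups.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for box, ids in find_shared_mailboxes(SAMPLE_REGISTRATIONS).items():
        print(f"{box}: {len(ids)} accounts -> {', '.join(ids)}")
```

Store the canonical form alongside the address as submitted, so that mail still goes to what the user typed while uniqueness checks and rate limits key on the canonical value.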
The targeting of state unemployment benefits was reported by Agari to be of interest to the group, which had specifically targeted Texas unemployment systems under nine identities as of May 2020. At this time, Recorded Future does not have further insight into how many of the fraudulent claims linked to Scattered Canary are being paid out by the individual states. However, a review of videos uploaded to messaging platforms selling state unemployment relief information did reveal a likely nexus to operators based in West Africa.
- One video uploaded to a fraud messaging platform revealed a likely member of the channel receiving a package from Samamiah (Shipping) Enterprise Limited, a shipping and delivery company that accepts goods for carriage (door-to-door) from the U.K. to Ghana. According to Agari, 10 percent of BEC fraud originated from Ghana between May 2019 and July 2020.
Victim reports obtained by Recorded Future indicate that claimants generally knew the target's name, Social Security number, and place of employment, but that all other data was static. In some cases reported to Recorded Future, claimants know the target's name, Social Security number, and place of employment, and are likely attempting to target executives or high-net-worth individuals. This is a technique commonly used in BEC campaigns orchestrated by threat entities such as Scattered Canary, which was first identified by Agari after the threat entity impersonated a senior Agari executive in an email intended for its chief financial officer.
Fraudulent unemployment claims within the U.S. are widespread enough that they are unlikely to be coming from a single threat entity. Threat actors have likely become emboldened by open source reports of the monetary impact that fraudulent unemployment claims continue to have.
Though this reporting focuses specifically on unemployment fraud circulating within closed source reporting, some opportunistic actors with little regard to maintaining operational security have also been observed advertising on traditional social media platforms. The large volume of open source reporting on the subject of unemployment fraud activity and losses estimated to be in the millions has very likely contributed to the growing level of interest and motivation among underground threat actors.

This level of interest has been reflected in multiple statistics reported across both the state and local levels of government since the start of December 2020.
- A follow-up investigation by KrebsOnSecurity in August 2020 confirmed that a group of fraudsters was likely sharing highly detailed personal and financial information on U.S. citizens via a free email service. Another anonymous source informed KrebsOnSecurity that they had been monitoring the group's communications for several weeks and sharing this information with U.S. federal and state authorities in order to put an end to their fraudulent activities. As with previous reports on the scale of these unemployment fraud campaigns, the source indicated that the threat group appeared to consist of several hundred individuals who had reportedly collectively stolen tens of millions of dollars from U.S. federal and state treasuries via phony loan applications with the Small Business Administration (SBA) and fraudulent unemployment claims with several U.S. states.
- This nexus to phony loan applications filed with the U.S. SBA is noteworthy given that it overlaps with the techniques of Scattered Canary operations detailed by Agari in May 2020.
- In a warning to state lawmakers in December 2020, Bank of America estimated that fraud against California's unemployment benefits system could now account for $2 billion in losses on its own. Bank of America stated that it had identified 640,000 accounts with suspicious activity that need to be investigated to determine whether they are fraudulent and should be closed.
- The total number of members registered within underground channels devoted to unemployment fraud has been on the rise. One channel monitored by Recorded Future analysts had approximately 7,500 members at the beginning of November 2020. A month later, the total membership exceeded 18,000 members, with new messages uploaded by an administrator of the channel on a regular basis garnering several thousand views on average.

Reliance on Money Mules
Money mules likely remain a critical component of the unemployment fraud supply chain, as evidenced by images uploaded by underground sellers of fraudulent methods and open source reports surrounding the arrests of suspected mules throughout 2020. The COVID-19 pandemic has forced operators of reshipping mules to change their business strategies this year. A USSS advisory indicated that the suspected fraud ring behind these claims already possessed a substantial PII database, which enabled it to submit the volume of claims observed earlier this year. In addition, the USSS stated that the fraud ring is believed to consist of hundreds of money mules.
Mules are essential for fraudsters who require a commodity to be physically moved from one place to another, or when fraudulent funds need to be moved between accounts. In money mule schemes, the scammers will also often recruit individuals to receive direct deposits from the fraudulent transactions, and then forward the bulk of the illicit funds to the perpetrators, keeping a percentage as payment for their efforts. The increased number of arrests around the country with a nexus to fraudulent unemployment relief claims has also provided clarity that multiple strings of fraudsters are likely operating independently with no direct nexus to any overseas operations.
- In September 2020, Pennsylvania (PA) Attorney General (AG) Josh Shapiro announced charges against 20 inmates and their accomplices, accused of committing unemployment fraud in three state prisons in central and eastern Pennsylvania. The AG's office stated that six inmates with no known connection to a ring had also been arrested.
- Posts from underground marketplace vendors observed as recently as October 2020 reveal that money mules likely play an integral part in assisting operations advertised on dark web sources.
- On October 25, 2020, a member of the forum Omerta began advertising cash-out services for fraudulent unemployment claims in the U.S. The threat actor stated that their money mules (“bank drops”) can cash-out unemployment funds for a separately negotiated percentage of the bank transfer.

Mitigations
A federal fraud investigator who spoke with KrebsOnSecurity in May 2020 on condition of anonymity stated that many U.S. states did not have sufficient controls in place to detect patterns that could help better screen out fraudulent unemployment claims, such as looking for multiple claims involving the same IP addresses or bank accounts. The investigator went on to say that in some U.S. states, fraudsters need only provide a person's name, Social Security number, and other basic information for their claim to be processed. The investigator reportedly suggested that the list of questions about the claimant's previous employer, intended for authentication purposes, had been reduced or eliminated at some agencies because of the pandemic.
States have begun adopting their own measures to address the risk posed by this form of fraudulent activity. Officials from states such as Massachusetts have previously stated that they have begun implementing additional identity verification measures that will temporarily delay the payment timeframe for many unemployment claims. As a result of these measures, some unemployment claimants may be asked to provide additional identity information to verify the validity of their claim.
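The pattern check the investigator describes, multiple claims involving the same IP addresses or bank accounts, can be run as a clustering pass over claim records. The following is an added example, not code from the report or from any state system; the record fields, identifiers, and sample claims are constructed, and linking is transitive, so a claim that shares an IP with one claim and a bank account with another pulls all three into one review cluster.

```python
"""Added example: cluster unemployment claims that share an IP or bank account."""
from collections import defaultdict

# Constructed sample claims (documentation IP ranges, made-up account tokens).
SAMPLE_CLAIMS = [
    {"claim_id": "C-1001", "ip": "192.0.2.10", "bank_account": "ACCT-A"},
    {"claim_id": "C-1002", "ip": "192.0.2.10", "bank_account": "ACCT-B"},
    {"claim_id": "C-1003", "ip": "198.51.100.7", "bank_account": "ACCT-B"},
    {"claim_id": "C-1004", "ip": "203.0.113.5", "bank_account": "ACCT-C"},
    {"claim_id": "C-1005", "ip": "203.0.113.99", "bank_account": "ACCT-D"},
    {"claim_id": "C-1006", "ip": "198.51.100.7", "bank_account": "ACCT-E"},
]

# Attributes that link two claims when their values are equal (assumed schema).
LINK_FIELDS = ("ip", "bank_account")


def _find(parent, item):
    """Union-find root lookup with path halving."""
    while parent[item] != item:
        parent[item] = parent[parent[item]]
        item = parent[item]
    return item


def cluster_linked_claims(claims, min_size=2):
    """Return clusters of claims connected through shared link fields.

    Each result is {"claims": [...], "shared": ["field=value", ...]},
    where "shared" lists the values that tie the cluster together.
    """
    parent = {c["claim_id"]: c["claim_id"] for c in claims}
    first_seen = {}             # (field, value) -> first claim id using it
    users = defaultdict(set)    # (field, value) -> all claim ids using it
    for claim in claims:
        cid = claim["claim_id"]
        for field in LINK_FIELDS:
            value = claim.get(field)
            if not value:
                continue        # a missing value links nothing
            key = (field, value)
            users[key].add(cid)
            if key in first_seen:
                parent[_find(parent, cid)] = _find(parent, first_seen[key])
            else:
                first_seen[key] = cid

    clusters = defaultdict(list)
    for cid in parent:
        clusters[_find(parent, cid)].append(cid)

    results = []
    for members in clusters.values():
        if len(members) < min_size:
            continue
        member_set = set(members)
        shared = sorted(
            f"{field}={value}"
            for (field, value), ids in users.items()
            if len(ids) > 1 and ids <= member_set
        )
        results.append({"claims": sorted(members), "shared": shared})
    return sorted(results, key=lambda r: r["claims"])


if __name__ == "__main__":
    for cluster in cluster_linked_claims(SAMPLE_CLAIMS):
        print(cluster["claims"], "linked by", cluster["shared"])
```

A shared IP address can be legitimate (a household, a library, carrier NAT), so clusters are leads for manual review or step-up identity verification rather than automatic denials; a shared payout account across unrelated identities is the stronger signal.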
Organizations that suspect their employees have fallen prey to unemployment fraud scams can do the following:
- Relay the information regarding this fraud to the appropriate office at your local state level and USSS field office. The USSS has also encouraged victims to continue to liaise with local financial institutions to identify mules and potential seizures.
- Use features in monitoring software or applications that are capable of flagging potential spam or scams for payments in the app and of sending text messages to users when suspected fraud is detected. Flagging potential criminal activity using tools and data sets to verify the identity of a claimant can help stop fraudulent activity before it begins.
Outlook
In a number of cases, the most important component for unemployment or insurance claim fraud is access to victim PII. This type of information can be accessed and purchased on a number of dark web marketplaces, shops, and forums for fairly low prices by anyone with enough knowledge to set up an account on underground sources. It is difficult for us to determine which of these fraud types are being carried out with the greatest frequency based on available data. However, scam activities that depend on PII will likely continue to spike following the release of some larger data dumps, especially any that are widely publicized and easily accessible.