Unemployment Fraud in the Criminal Underground


This report reviews the current threat landscape of unemployment fraud in the United States within closed sources and underground reporting. It contains information gathered using the Recorded Future® Platform, as well as additional open source intelligence (OSINT), dark web sources, and underground forum research. It will be of interest to organizations seeking to better understand unemployment fraud within the criminal underground, as well as investigators of threat actors performing such attacks.

Executive Summary

The COVID-19 pandemic has led to the commoditization of a variety of criminal services themed around unemployment relief originally meant for those whose lives have been disrupted by the virus. Unemployment fraud has become increasingly accessible to threat actors and presents a low barrier to entry for fledgling cybercriminals. The success of this year’s fraud campaigns themed around COVID-19 relief efforts is likely the result of a combination of factors: successful social engineering campaigns, the use of money mules operating throughout the U.S., and threat actors’ use of login information or personally identifiable information (PII) exposed in data breaches, dumps, or leaks. Some fraudsters targeting unemployment benefit systems rely on traditional forms of social engineering, such as targeted phishing emails directed at a company’s executive leadership. Other tactics, such as the suspected use of money mules in connection with this fraudulent activity, overlap with those of other cybercriminal groups that specialize in various types of fraud, particularly crews that specialize in business email compromise (BEC) schemes.

Given the volume of underground references to the sale of unemployment fraud tutorials and the number of views these methods generate, many fraudsters are likely still new to this form of fraud. Recorded Future has seen no evidence that actors are exploiting vulnerabilities within government systems; instead, they rely on their ability to opportunistically target as many victims around the country as possible by harvesting previously exposed information. The general increase in unemployment fraud throughout 2020 was also likely compounded by gaps in the security hygiene of multiple government organizations responsible for safeguarding unemployment applicant data, both virtually and physically. This is evidenced by reports of actors in some states attempting to intercept physical mail that contained personal information tied to unemployment claims. The flood of fraudulent unemployment requests that has overwhelmed government workers in many states is also enabled by the low barrier to entry for cybercriminals, who can purchase stolen accounts or cheap tutorials and methods on how to conduct similar fraud.

Key Judgements and Findings

Background

Since the onset of the COVID-19 pandemic, rampant unemployment fraud has been reported throughout the U.S., with every state impacted to varying degrees. This has manifested in various forms, from threat actors filing unemployment claims using stolen PII to state officials contending with reports of money mules funneling stolen funds to threat actors operating overseas.

Reports of widespread unemployment insurance fraud persist in several states. Recorded Future has not observed any case of unemployment insurance fraud resulting from a vulnerability inherent in government systems. Instead, reporting has detailed a variety of techniques used by individual fraudsters from one state to the next, making it unlikely that all of the unemployment fraud cases reported this year are the work of a single threat entity. The general increase in unemployment fraud throughout 2020 was likely compounded by gaps in the security hygiene of multiple government organizations responsible for safeguarding unemployment applicant data. Security experts believe that several states were already struggling with their ability to combat this specific form of fraud before the COVID-19 pandemic, including:

It is very likely that emerging cybercriminals have become emboldened by open source reports detailing how easy it is to conduct this form of fraudulent activity with no prior knowledge of unemployment systems, combined with the relatively low price of purchasing a tutorial or method to facilitate their activities.

Threat Analysis

The promotion of fraudulent unemployment services within closed source reporting over the past six months can be divided into two broad categories:

In March 2020, U.S. lawmakers passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which established the Pandemic Unemployment Assistance (PUA) program. The program extends unemployment insurance eligibility to self-employed workers, freelancers, independent contractors, and part-time workers affected by the coronavirus. Although PUA is only one component of the unemployment relief measures put in place by U.S. authorities in response to the pandemic, it continues to feature prominently in underground advertisements related to unemployment benefit fraud, the number of which continues to grow.

unemployment-fraud-in-criminal-underground-1-2.png
Figure 1: Mentions of the PUA program in dark web sources (Source: Recorded Future)

The visual below shows the results of a survey provided to members of one Telegram channel devoted to multiple forms of fraudulent activity. Though the sale of PUA information came in last place in the survey, its very inclusion on the survey demonstrates that this element of fraudulent activity has generated enough demand among cybercriminals to warrant its own sales category within closed sources. Recorded Future has knowledge of at least one Telegram channel implementing an “operation” as a result of expectations that provisions surrounding unemployment relief were set to expire at the end of 2020, making fraudulent PUA claims a priority for admins of the channel attempting to generate as much revenue as possible in the event that the PUA program or other unemployment relief offerings were suddenly to cease.

unemployment-fraud-in-criminal-underground-2-1.png
Figure 2: Survey conducted in November 2020 on a Telegram channel dedicated to fraudulent activity (Source: Telegram)

Over the past six months, cybercriminals have demonstrated a preference for advertising unemployment fraud tutorials or account information via messaging platforms over criminal forums, shops, or marketplaces. However, the demand within traditional marketplaces remains high enough for administrators to continue to support various offerings related to unemployment fraud.

Another appealing aspect of this form of fraud is the relatively low price of tutorials or account information. Recorded Future observed tutorials and methods for conducting unemployment fraud selling for anywhere between $5 and $100, depending on the state being targeted. The price of PUA information, or of access to a state government platform containing a pre-existing balance of relief funds, was typically higher (as shown in Figure 3 below, where some threat actors were asking between $80 and $100 for PUA information associated with New York and Wisconsin unemployment claims).

Threat actors selling this information demonstrated a willingness to forgo accounts with relief balances valued in the thousands of dollars to ensure the long-term success of their underground business model. Additionally, the higher price for direct access to accounts with pre-existing balances as opposed to the tutorials is likely a result of buyers being in the position to more easily access the funds that another veteran actor likely already procured. This is in contrast with tutorials where the buyer is still ultimately responsible for obtaining victim accounts to achieve profit while avoiding attention from law enforcement.

unemployment-fraud-in-criminal-underground-3-2.png
Figure 3: Sale of access to “random” PUA account information

Other fraud methods related to unemployment scams contained what cybercriminals considered to be useful tips to increase the likelihood of achieving success when submitting a fraudulent claim. Tips recommended by fraudsters across multiple tutorials included the following:

Underground sources selling fraudulent unemployment relief tutorials or account information typically specialize in other forms of fraud, including credit card and tax fraud. Additionally, sellers of these types of fraud do not appear to devote all resources to targeting unemployment systems in one state at a time. Instead, they offer services to access information from a variety of states simultaneously, based on client demand and the level of difficulty in obtaining access to unemployment relief accounts within a particular state.

unemployment-fraud-in-criminal-underground-4-1.png
Figure 4: Screenshot of a single underground actor’s PUA offerings (Source: Telegram)

Criminal shops such as Genesis Store and Russian Market, which specialize in the sale of an end user’s browsing history or “digital footprint,” have also regularly contained login information for state government domains associated with unemployment relief throughout 2020. Recorded Future saw no indication or comments among cybercriminals that these “bots” containing state government login information were being purchased specifically to commit unemployment fraud, though the lack of a discussion function within these shops makes it difficult to determine the motivation behind purchases from these sources.

Alert to Changes in Government Monitoring

Due to the steady increase in reports of unemployment insurance fraud in the United States, states have attempted, to varying degrees, to mitigate the threat posed by this form of fraudulent activity. In November 2020, the U.S. Secret Service (USSS) reported 700 ongoing investigations related to fraud targeting the Paycheck Protection Program and the unemployment insurance program. As states continue to strengthen their security measures to combat this widespread fraud, the cybercriminals promoting unemployment fraud methods or leaking account information also continue to monitor these changes and adapt to them.

unemployment-fraud-in-criminal-underground-5-1.png
Figure 5: A threat actor advises channel members to avoid targeting certain states (Source: Telegram)
unemployment-fraud-in-criminal-underground-6-1.png
Figure 6: Administrator warning about government efforts to monitor Telegram channels (Source: Telegram)

We are not aware of any security vulnerabilities within government or corporate systems that have assisted in the spread of this fraudulent activity. It is more likely that threat actors will continue to opportunistically target unemployment relief platforms by harvesting exposed login information or purchasing bundles of PII for sale within underground sources.

Assisting Other Fraudsters

Generally, administrators maintaining channels within messaging platforms devoted to unemployment fraud were receptive to the idea of mentoring newer users, likely in an attempt to develop long-term relationships with partners capable of generating demand for their channels and increasing revenue. This willingness among cybercriminals to partner with one another on unemployment fraud carried over to cybercriminal forums as well, where we observed recurring requests from users seeking “serious” partners for long-term fraud activity. Because these threads directed interested parties to contact the vendor via private channels, Recorded Future’s visibility into the outcome of these partnerships has been limited.

unemployment-fraud-in-criminal-underground-7-1.png

Figure 7: Request for unemployment benefit partner

Vendors of employment scams or PUA fraud methods are often involved in several different scams simultaneously, including disaster relief fraud, Social Security fraud, tax fraud, and credit card fraud. This is the norm for cybercriminal organizations able to operate multiple services capable of providing different streams of revenue.

Recorded Future reviewed several tutorials and methods circulating within the criminal underground regarding a combination of PUA or general unemployment fraud techniques. For the majority of the methods advertised, cybercriminals were expected to already be in possession of stolen PII or “fullz” to take advantage of the guides and be in a position to turn a profit. Fullz is a slang term for "full information" that criminals who steal PII use to refer to a set of information on a prospective fraud victim, generally including an individual’s name, address, date of birth, Social Security and driver’s license numbers, as well as the PII of family members and any other miscellaneous information available (such as criminal or employment records).

The same sellers of PUA fraud methods were very often willing to sell this information separately at additional cost. This demonstrates that financial success remains the underlying motivation, despite any attempts by the vendors to portray themselves as good Samaritans willing to assist fledgling criminals who may be new to this type of fraudulent activity.

unemployment-fraud-in-criminal-underground-8-1.png
Figure 8: Underground forum member discussing how to file fraudulent claims in Washington and Massachusetts
unemployment-fraud-in-criminal-underground-9-1.png
Figure 9: Underground member requesting a fake ID to commit unemployment fraud in Massachusetts

Unemployment Fraud Targeting and Attribution

In May 2020, researchers at the security firm Agari published findings on a Nigerian cybercriminal group tracked as “Scattered Canary” that was committing unemployment and CARES Act fraud across the United States. Scattered Canary operates as a business offering full-service business email compromise (BEC), using scams such as email impersonation and phishing to manipulate companies into paying for fake contracts and other fraudulent invoices. According to Agari’s telemetry, most targets were located in seven U.S. states: Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming. Threat actors associated with Scattered Canary reportedly used a combination of prepaid cards to receive payments and mass-created email accounts:

The targeting of state unemployment benefits was reported by Agari to be of interest to the group, which had specifically targeted Texas unemployment systems under nine identities as of May 2020. At this time, Recorded Future does not have further insight into how many of the fraudulent claims linked to Scattered Canary are being paid out by the individual states. However, a review of videos uploaded to messaging platforms selling state unemployment relief information did reveal a likely nexus to operators based in West Africa.

Victim reports obtained by Recorded Future indicate that claimants typically knew the target’s name, Social Security number, and place of employment, while all other data in the claims was static. In some cases reported to Recorded Future, the claimants appear to have been deliberately targeting executives or high-net-worth individuals. This is a technique commonly used in BEC campaigns run by threat groups such as Scattered Canary, which Agari first identified after the group impersonated a senior Agari executive in an email to the company’s CFO.

Fraudulent unemployment claims within the U.S. are widespread enough that they are unlikely coming from a single threat entity. Threat actors have likely become emboldened by open source reports of the monetary impact that fraudulent unemployment claims continue to have.

Though this reporting focuses specifically on unemployment fraud circulating within closed source reporting, some opportunistic actors with little regard to maintaining operational security have also been observed advertising on traditional social media platforms. The large volume of open source reporting on the subject of unemployment fraud activity and losses estimated to be in the millions has very likely contributed to the growing level of interest and motivation among underground threat actors.

unemployment-fraud-in-criminal-underground-10-1.jpg
Figure 10: Social media advertisement for unemployment fraud methods/tutorials

This level of interest has been reflected in multiple statistics reported across both the state and local levels of government since the start of December 2020.

unemployment-fraud-in-criminal-underground-11-1.png
Figure 11: States mentioned in underground unemployment fraud advertisements since November 2020 (Source: Recorded Future)

Reliance on Money Mules

Money mules likely remain an essential link in the unemployment fraud chain, as evidenced by images posted by underground vendors of fraud methods and by open source reports of arrests of suspected mules throughout 2020. The COVID-19 pandemic forced reshipping mule operators to change their business strategies this year. A USSS advisory indicated that the suspected fraud ring behind these claims already possessed a large database of personally identifiable information, which allowed it to submit the volume of claims observed earlier this year. In addition, the USSS stated that the fraud ring is believed to consist of hundreds of money mules.

Mules are essential for fraudsters who need a commodity physically moved from one place to another, or who need fraudulent funds moved between accounts. In money mule schemes, the scammers often recruit individuals to receive direct deposits from the fraudulent transactions and then forward the bulk of the illicit funds to the perpetrators, keeping a percentage as payment for their efforts. The increased number of arrests around the country with a nexus to fraudulent unemployment relief claims has also made it clear that multiple groups of fraudsters are likely operating independently, with no direct connection to any overseas operation.

unemployment-fraud-in-criminal-underground-12-1.png
Figure 12: Timeline of unemployment fraud arrests in 2020, compiled from mainstream news sources (Source: Recorded Future)

Mitigations

A federal fraud investigator who spoke with KrebsOnSecurity in May 2020 on condition of anonymity said that many U.S. states lacked sufficient controls to detect patterns that could better screen fraudulent unemployment claims, such as looking for multiple claims involving the same IP addresses or bank accounts. The investigator went on to say that in some U.S. states, fraudsters need only provide a person’s name, Social Security number, and other basic information for a claim to be processed. The investigator reportedly suggested that the list of questions about the claimant’s former employer, intended for authentication purposes, had been reduced or eliminated at some agencies because of the pandemic.
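As an added example that is not part of the Recorded Future report or of any state system, the following Python sketch implements the two pattern checks the investigator describes: it groups incoming claims by source IP address and by destination bank account and flags any value shared by several distinct claimants. The record fields, the threshold, and the sample claims are assumptions constructed for illustration; no real claimant data is used.

```python
"""Screen unemployment claims for shared IP addresses and shared bank accounts.

All records below are constructed, fictional samples for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Claim:
    claim_id: str
    claimant_id: str   # hypothetical: an opaque per-person token derived from the SSN, never the raw SSN
    source_ip: str     # IP address the claim was filed from
    bank_account: str  # hypothetical: routing number + account number as one token
    state: str


# Constructed sample: one IP cluster, one bank-account cluster, and one legitimate re-filer.
SAMPLE_CLAIMS: List[Claim] = [
    Claim("C-1001", "ssn:aa11", "203.0.113.10", "RT1:ACCT-7001", "WA"),
    Claim("C-1002", "ssn:bb22", "203.0.113.10", "RT1:ACCT-7002", "WA"),
    Claim("C-1003", "ssn:cc33", "203.0.113.10", "RT1:ACCT-7003", "WA"),
    Claim("C-1004", "ssn:dd44", "198.51.100.5", "RT2:ACCT-9900", "MA"),
    Claim("C-1005", "ssn:ee55", "198.51.100.6", "RT2:ACCT-9900", "MA"),
    Claim("C-1006", "ssn:ff66", "198.51.100.7", "RT2:ACCT-9900", "MA"),
    # The same person re-filing from the same address: one claimant, must not be flagged.
    Claim("C-1007", "ssn:gg77", "192.0.2.44", "RT3:ACCT-1234", "TX"),
    Claim("C-1008", "ssn:gg77", "192.0.2.44", "RT3:ACCT-1234", "TX"),
]


def cluster_by(claims: Iterable[Claim], field: str) -> Dict[str, List[Claim]]:
    """Group claims by the value of one field, e.g. 'source_ip' or 'bank_account'."""
    groups: Dict[str, List[Claim]] = defaultdict(list)
    for claim in claims:
        groups[getattr(claim, field)].append(claim)
    return groups


def suspicious_clusters(claims: Iterable[Claim], field: str,
                        min_distinct_claimants: int = 3) -> Dict[str, List[str]]:
    """Return {shared_value: sorted claim_ids} for every value shared by enough distinct claimants.

    Distinct claimants are counted rather than claims, so a single person who re-files
    from the same IP or to the same account does not trip the rule.
    """
    flagged: Dict[str, List[str]] = {}
    for value, group in cluster_by(claims, field).items():
        claimants = {claim.claimant_id for claim in group}
        if len(claimants) >= min_distinct_claimants:
            flagged[value] = sorted(claim.claim_id for claim in group)
    return flagged


def screen_claims(claims: Iterable[Claim],
                  min_distinct_claimants: int = 3) -> Dict[str, List[str]]:
    """Run both rules and return, per flagged claim, the list of reasons it was flagged."""
    claims = list(claims)
    reasons: Dict[str, List[str]] = defaultdict(list)
    rules = (("source_ip", "shared-ip"), ("bank_account", "shared-bank-account"))
    for field, label in rules:
        for value, ids in suspicious_clusters(claims, field, min_distinct_claimants).items():
            for claim_id in ids:
                reasons[claim_id].append(f"{label}:{value}")
    return dict(reasons)


if __name__ == "__main__":
    for claim_id, why in sorted(screen_claims(SAMPLE_CLAIMS).items()):
        print(claim_id, ", ".join(why))
```

A shared IP address on its own is a weak signal (carrier NAT, libraries, and shelters legitimately produce it), which is why the threshold is a parameter and why the bank-account rule is run alongside it: many distinct claimants paying out to one account is the money-mule pattern described later in this report, and is far harder to explain innocently. In a real deployment the claimant token should be a keyed hash of the SSN so that the screening system never handles the raw value.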

States have begun adopting their own measures to address the risk posed by this form of fraudulent activity. Officials in states such as Massachusetts have previously stated that they have begun implementing additional identity verification measures that will temporarily delay payment on many unemployment claims. As a result of these measures, some claimants may be asked to provide additional identity information to verify the validity of their claim.

Organizations that suspect their employees have fallen prey to unemployment fraud scams can do the following:

Outlook

In a number of cases, the most important component for unemployment or insurance claim fraud is access to victim PII. This type of information can be accessed and purchased on a number of dark web marketplaces, shops, and forums for fairly low prices by anyone with enough knowledge to set up an account on underground sources. It is difficult for us to determine which of these fraud types are being carried out with the greatest frequency based on available data. However, scam activities that depend on PII will likely continue to spike following the release of some larger data dumps, especially any that are widely publicized and easily accessible.