Scattered Canary is a full-service "business email compromise" operation that uses scams like email impersonation and phishing to manipulate businesses into paying out phony contracts and other fake invoices. Then Scattered Canary uses a network of money mules within the US and around the world to route the money. BEC fraudsters participate in a wide variety of hustles—from Craigslist rental scams to payroll data theft and snagging people's tax refunds—to make money and build out a sort of scam toolkit.
"Scattered Canary has committed unemployment fraud along with a number of other government services-focused frauds like disaster relief fraud, Social Security fraud, and student aid fraud," Agari's Hassold says. "Many West African scam groups have also been heavily involved in other incidents, like W-2 BEC attacks, where they can harvest a significant amount of personal information, so it's not surprising they have the information needed to carry out these attacks on unemployment services."
In Scattered Canary's recent rash of unemployment and Cares payment fraud, the researchers say that the group is using a technique it has leaned on in the past to keep track of all its fraudulent unemployment submissions. The scammers will set up one generic-looking Gmail address and then make accounts to submit fraudulent claims adding periods into different parts of the address. Most web platforms will interpret all of these as different email accounts, while Gmail doesn't recognize periods as changing its own addresses. As a result, the scammers can file dozens of individual submissions under as many people's names, using their specific personal information, while managing it all from one centralized email account. One campaign the Agari researchers analyzed used 259 variations of the same address.
Once scammers get the government to pay out, a Secret Service spokesperson said that they "use social engineering techniques to recruit unsuspecting individuals to launder illicitly obtained funds in order to conceal the identity, source and destination." Agari researchers specifically see Scattered Canary funneling unemployment and Cares payments through prepaid debit cards that let you buy a prepaid card, set it up as a personalized bank account with your name, and then accept your direct deposits, like those issued by unemployment departments and the IRS.
All sorts of hackers are on the prowl amidst the Covid-19 pandemic, deploying ransomware, conducting espionage operations, or scrambling to maintain an edge on public health and treatment measures for the virus. But as millions of people around the world face economic ruin, now is an especially cruel moment to target government programs designed to help them.