At least eight US states and the federal government have lost millions of dollars due to cybercrime scams targeting unemployment benefits and funding from the CARES Act proceeds, according to the Secret Service and the cybersecurity company Agari. In a report that has been grabbing headlines all week, Agari CEO and founder Patrick Peterson said Scattered Canary, a cybercrime group the company traced to Nigeria, has been able to fool the IRS and state governments into sending out more than $4 million to fraudulent accounts.
Due to the economic crisis caused by the coronavirus pandemic, states have been overburdened trying to get money to the more than 34 million Americans who are now unemployed. Most states have received an extraordinary amount of applications for funding, making it nearly impossible for their short-staffed agencies to thoroughly vet each request. More than $48 billion in unemployment insurance payments was sent out by states through the month of April.
Cybercriminals with Scattered Canary have taken advantage of the situation, according to Peterson, who wrote that the group filed more than 80 fraudulent claims for CARES Act Economic Impact Payments and even more claims for unemployment insurance in Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, Wyoming and, most recently, Hawaii.
Unfortunately, the IRS and some states had already sent the money out before learning that the applications had been filed in the names of people whose personal information was stolen or misused by hackers within Scattered Canary.
“Between April 15 and April 29, Scattered Canary filed at least 82 fraudulent claims for CARES Act Economic Impact Payments, which are meant to provide relief to families as a result of the COVID-19 pandemic. The only information needed by Scattered Canary to file these claims was an individual’s name, address, date of birth, and Social Security number. Of the 82 claims Scattered Canary filed, at least 30 of them were accepted by the IRS and presumably paid out,” Peterson wrote.
Agari researchers have been looking into Scattered Canary’s activities for years after the company’s CFO was targeted in 2018. The company traced the origins of the head of Scattered Canary back to Ibadan, Nigeria and discovered that the leader initially started out as a low-level Craigslist scammer in the early 2000s before moving into lucrative “romance scams.”
After success with that, he shifted again to Business Email Compromise attacks and attempts to fraudulently siphon money from government agencies in the US through “unemployment fraud, Social Security fraud, disaster relief fraud, and student aid fraud,” Peterson added.
The group is now making millions in a number of different ways due to the spread of COVID-19.
Peterson said that since April 29 the group has filed almost 180 unemployment claims in Washington state; adding in the money made through CARES Act scams, they have raked in about $4.7 million. The situation got so bad that the state shut down all unemployment payments last week because it received so many fraudulent claims.
“The payout system appears automated, as there does not appear to be a balance or check process with the information provided to the state government systems when it comes to the false email addresses,” said James McQuiggan, security awareness advocate at KnowBe4.
“Similar to events occurring during tax season, criminal groups will continue to work around the system to steal money without getting caught.”
Massachusetts reported at least 17 fraudulent unemployment claims on May 15 and May 16, causing a potential loss of about $500,000. Other states are seeing a number of fake claims as well.
The situation has made headlines in recent weeks and the US Secret Service has had to jump in, sending out an alert to field offices about scammers using stolen Social Security numbers and other personally identifiable information.
The Seattle Times spoke with multiple people who only realized their Social Security numbers were being used for fake unemployment claims. Local news outlets in Rhode Island reported the same thing after the state called in the FBI for help with widespread fraud as well.
“It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far. The primary state targeted so far is Washington, although there is also evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida,” the Secret Service warned in a memo obtained by KrebsOnSecurity and The New York Times.
According to research from Agari, Hawaii is the next state to be hit. On Tuesday, Scattered Canary filed two unemployment claims on Hawaii’s Department of Labor and Industrial Relations website and more states are sure to be hit in the coming days and weeks.
In their research of Scattered Canary’s tactics, Agari analysts discovered that one of the main ways the group has been able to perform its scams on government agencies is through the “Gmail dot trick.” This Gmail quirk allows one email account to look like hundreds simply by moving periods around in the username.
Gmail ignores the dots in the part of an address before the @, so a mailbox such as yourname@gmail.com also receives mail sent to your.name@gmail.com, y.o.u.r.n.a.m.e@gmail.com or yourn.ame@gmail.com. The feature was built into Gmail to help people receive messages even when a sender misplaced a period, but cybercriminals quickly leveraged it to fill out dozens of applications with different-looking email addresses whose notifications all flow back to one single account.
Peterson wrote that in one instance, Agari researchers found 259 variations of the same address that were used to create accounts on state and federal websites to carry out these fraudulent activities.
“Scattered Canary has been able to create dozens of accounts on state unemployment websites and the IRS website dedicated to processing CARES Act payments for non-tax filers (freefilefillableforms.com),” Peterson wrote.
“By using this tactic, Scattered Canary is able to scale their operations more efficiently by directing all communications to a single Gmail account. This removes the need to create and monitor a new email account for every account they create on a website, ultimately making crimes faster and more efficient.”
Once an application was approved, Peterson noted, cybercriminals with Scattered Canary used Green Dot prepaid cards and at least 47 Green Dot accounts to collect the money. KrebsOnSecurity also noted that the Secret Service memo said not everyone involved in the scam is unaware of it.
“In the state of Washington, individuals residing out-of-state are receiving multiple ACH deposits from the State of Washington Unemployment Benefits Program, all in different individuals’ names with no connection to the account holder,” KrebsOnSecurity reported the notice saying, adding that “mules” helped Scattered Canary launder the money.
Some of the “mules” most likely are out of work and agree to take a cut of the money as long as they forward most of it on, Brian Krebs wrote.
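The two screening signals the article describes, dozens of applications whose dotted Gmail addresses collapse to one inbox, and one payout account receiving deposits in several unrelated claimants’ names, are both cheap for a benefits agency to check before paying out. The following is an added example written for this page, not code from Agari, KnowBe4 or any state agency: it canonicalizes Gmail addresses (dots removed, "+tag" suffixes dropped, googlemail.com folded into gmail.com), then flags claims that share an inbox, share a payout account across different names, or list an address outside the paying state. The claim records, field names and account identifiers are constructed for the demonstration.

```python
"""Batch screening of unemployment claims for the fraud patterns in the article.

Added example; field names (id, claimant, email, claimant_state, paying_state,
payout_account) and all sample values are constructed for illustration.
"""
from collections import defaultdict

# Domains whose mailboxes ignore dots in the local part and treat "+tag" as an alias.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Reduce an address to the mailbox that actually receives it.

    For Gmail, 'j.o.hn+x@googlemail.com' and 'john@gmail.com' reach the same
    inbox, so both collapse to 'john@gmail.com'. Other domains are only
    lowercased, because dots are significant there.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def flag_shared_inbox(claims, threshold=2):
    """Map canonical inbox -> claim ids when one inbox backs several claims."""
    groups = defaultdict(list)
    for claim in claims:
        groups[canonical_email(claim["email"])].append(claim["id"])
    return {inbox: ids for inbox, ids in groups.items() if len(ids) >= threshold}


def flag_shared_payout(claims, threshold=2):
    """Map payout account -> distinct claimant names when names differ (mule pattern)."""
    names = defaultdict(set)
    for claim in claims:
        names[claim["payout_account"]].add(claim["claimant"].lower())
    return {acct: sorted(n) for acct, n in names.items() if len(n) >= threshold}


def flag_out_of_state(claims):
    """Claim ids whose claimant address lies outside the state paying the benefit."""
    return [c["id"] for c in claims if c["claimant_state"] != c["paying_state"]]


def screen_claims(claims):
    """Return {claim id: [reasons]} for every claim that trips at least one signal."""
    reasons = defaultdict(list)
    for inbox, ids in flag_shared_inbox(claims).items():
        for cid in ids:
            reasons[cid].append(f"inbox {inbox} shared by {len(ids)} claims")
    shared_accounts = flag_shared_payout(claims)
    for claim in claims:
        acct = claim["payout_account"]
        if acct in shared_accounts:
            reasons[claim["id"]].append(
                f"payout account {acct} used by {len(shared_accounts[acct])} different names")
    for cid in flag_out_of_state(claims):
        reasons[cid].append("claimant address outside paying state")
    return dict(reasons)


# Constructed sample: three claims feed one Gmail inbox and one account; two are clean.
SAMPLE_CLAIMS = [
    {"id": "WA-0001", "claimant": "Alice Example", "email": "benefits.mailbox@gmail.com",
     "claimant_state": "WA", "paying_state": "WA", "payout_account": "ACCT-1111"},
    {"id": "WA-0002", "claimant": "Bob Example", "email": "b.e.n.e.f.i.t.s.mailbox@gmail.com",
     "claimant_state": "WA", "paying_state": "WA", "payout_account": "ACCT-1111"},
    {"id": "WA-0003", "claimant": "Carol Example", "email": "benefitsmail.box+wa@googlemail.com",
     "claimant_state": "TX", "paying_state": "WA", "payout_account": "ACCT-1111"},
    {"id": "WA-0004", "claimant": "Dan Example", "email": "dan.example@example.org",
     "claimant_state": "WA", "paying_state": "WA", "payout_account": "ACCT-2222"},
    {"id": "MA-0005", "claimant": "Erin Example", "email": "erin@example.org",
     "claimant_state": "MA", "paying_state": "MA", "payout_account": "ACCT-3333"},
]

if __name__ == "__main__":
    for claim_id, why in screen_claims(SAMPLE_CLAIMS).items():
        print(claim_id, "->", "; ".join(why))
```

Running the screen over the sample holds the three linked Washington claims and passes the two unrelated ones. Each signal on its own produces false positives (a family sharing an inbox, a joint account), which is why the reasons are accumulated per claim for a reviewer rather than used to reject automatically; the article’s point is that no such check existed at all before the money left.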
Since the Agari research came out on Tuesday, dozens of news outlets have covered how their states are dealing with fraudulent claims, revealing the alarming state of most unemployment insurance systems nationwide.
Security researchers said the techniques Scattered Canary used to steal personal information and flood unemployment departments with claims make it imperative for organizations to finally take cybersecurity more seriously.
Chris Rothe, co-founder and chief product officer at Red Canary, said attackers have now realized how lucrative these relatively low-tech attacks on enterprises are and are ramping up usage.
“Typically the attacker impersonates a high-level executive in a company and instructs individuals in the company to wire money to a random place. Falling victim to this kind of attack can be mentally very difficult because you feel incredibly dumb for not realizing it was a scam,” Rothe said.
“Unfortunately, the attackers are very good at their job and low tech works just as well as high tech for them. Attacks are often sensationalized to make them sound like the attacker moved mountains to break into a highly secured fortress while in reality, most compromises are through much simpler means. It’s just that no one wants to admit it.”