Over the past several months, a hacker group allegedly stole millions of dollars from Washington state’s unemployment system using fraudulent claims. It attempted similar fraud scams in Florida, Wyoming, Rhode Island, North Carolina, Massachusetts and Oklahoma, among others.
The apparent culprit is a Nigerian hacking team dubbed “Scattered Canary,” a group that has been involved in similar criminal activities for the better part of 10 years, according to cyber-security firm Agari, which published a report on Canary last year.
Using information “likely stolen in past consumer data breaches,” the group successfully bilked Washington state out of millions of dollars, according to the Seattle Times. The state has since recovered as much as $300 million in stolen funds, but it is unclear how much was taken in total.
Over the last several weeks, Agari has been working alongside law enforcement to share information on the threat group and its methods, said Crane Hassold, Agari’s senior director of threat research.
“This is essentially a perfect storm for these groups [to take advantage of],” said Hassold. “You have billions and billions of dollars that is being handed out by the federal government [for emergency purposes], and you have states that need to pay out legitimate claims very quickly. Usually, there is a validation period and a waiting period for most unemployment claims, but because of the current circumstances of COVID-19, these claims need to be paid out immediately.”
It wasn’t until relatively recently that “Canary” began targeting governments, said Hassold, explaining that the threat actor has grown — in size and hacking proficiency — over a fairly short period of time.
Jumping from a single person when it was founded in 2000 to more than 30 people as of last year, “the group started out doing super basic, individual targeted scams — a lot of Craigslist scams is where groups like this cut their teeth,” he said. These attacks evolved into more sophisticated fraud schemes aimed at corporations, said Hassold. Until recently, most of Canary’s money was made through business email compromise attacks aimed at companies across the globe.
Once “Canary” began targeting governments, however, it quickly diversified its attack portfolio. In addition to unemployment schemes, Agari has observed them engaged in a diverse array of other scams, including student aid fraud, tax return fraud and disaster relief scams.
At this point, the group is one of the larger, more prolific groups of its kind.
“They are certainly one of the larger groups that my team tracks,” said Hassold. “They also are more diversified in terms of the attacks they’re involved in … Scattered Canary is involved in pretty much every kind of scam you could possibly think of,” he said. “This is a job — this is what they do for a living. They commonly run half a dozen or a dozen different scams concurrently. They’re making money many, many different ways.”