Nigerian Cybercriminal Gang Targets Texas Unemployment System
DALLAS (CBSDFW.COM) – A Nigerian cybercriminal gang is targeting the Texas unemployment system, according to evidence shared with the CBS 11 I-Team.
A 13-page step-by-step tutorial on how to commit unemployment identity fraud through the Texas Workforce Commission website was discovered in an online closed group chat between members of the cybercriminal organization known as Scattered Canary.
Former FBI agent Crane Hassold said with the help of an insider his private cybersecurity firm obtained the tutorial for free from WhatsApp group chat.
"For these cybercriminals it's all about information flow," explained Hassold, the director of threat research for Agari. "The tutorial shows how to apply for unemployment benefits and even introduces some of the red flags if you enter things a certain way."
Since the start of the pandemic, Texas has paid out more than $893 million in unemployment benefits to suspected fraudsters.
The Texas Workforce Commission said while IP masking often makes it difficult to pinpoint where perpetrators are operating from, the state said scam attempts have come from all over the world.
On the dark web, Hassold said a stolen identities is known as a "Fullz" - name, address, social security number, date of birth, driver's license, phone number, and email.
Online, "Fullz" are sold by the hundreds for a little as a dollar each.
Organized cybercriminal gangs, such as the Scattered Canary, work in volume and often share tips among each other on how to be more efficient.
One way Hassold said the Scattered Canary will do that is by exploiting a feature in the Gmail system to help them work faster.
Google ignores periods in gmail addresses so, for example, john.doe@gmail.com, j.ohndoe@gmail.com," and "j.o.h.n.d.o.e@gmail.com" are all attached to the same email account.
However, many state unemployment systems view them as unique emails and thus each of them can be used to file a claim without raising suspicion.
"Essentially it allows their communication flow to be much more efficient," Hassold said. "Instead of having to go to dozens of different email accounts to look at what's going on, it's all coming to one centralized location."
The final step of unemployment identity theft is funneling the money offshore before the claims are flagged.
The M.O. of the Scattered Canary for the past year has been to use prepaid Green Dot cards when stealing unemployment funds.
The criminals will register the cards using same stolen identity as the unemployment claims to avoid red flags. Before the cards arrives in the mail, the fraudsters go online to pull the money from the account.
The Texas Workforce Commission said in the past year it has implemented several new fraud protections within its computer system and has prevented more than $9 billion in fraudulent identity theft claims.
But even in cases where the money has been stopped, the threat for identity theft victims is often far from over.
"My main concern is my social security is out there," said Eric Mendoza who received noticed that someone filed an unemployment claim under her name.
While quickly reporting notices from the Texas Workforce Commission of claims filed can stop payments from going out, there is often little one can do to prevent a stolen identity being used to file a claim.
"I know what measures to take not become a victim of a scam," said Mendoza, who is the investigations manager for the Better Business Bureau of North Central Texas. "But in this instance, I don't think there was anything that I could have done to prevent this from happening."
If you have been a victim of unemployment identity theft, you can report the fraud on the Texas Workforce Commission's website, with links to the fraud submission portal in both English and Spanish, in the center of the home page here.
You can also call 1-800-252-3642.
The fraud hotline and website are both available 24 hours a day, 7 days a week.
Additionally, since most unemployment fraud claims start with a stolen identity, experts advise victims to closely monitor or freeze your credit.
Originally Posted 5/24/2021