A group of business email compromise (BEC) Nigerian scammers has been targeting U.S. unemployment systems and COVID-19 relief funds provided through the CARES Act.
The threat actor, which researchers call Scattered Canary, used the IRS and state unemployment websites to file hundreds of fraudulent claims on behalf of U.S. citizens, and receive benefit payments.
Exploiting Gmail feature
Scattered Canary used social security numbers and personally identifiable information from identity theft victims to create fake accounts on websites for processing CARES Act payments.
By taking advantage of a feature in Gmail, they were able to use for the fraudulent claims variations of the same email address. Replies to any of those addresses would be delivered to a single Gmail account, though.
This works because Google does not read the dots in usernames and treats addresses that are visually different as belonging to the same user. Using Google’s example, sending messages to the addresses below will reach the same account:
The Agari Cyber Intelligence Division (ACID), a company that offers protection against advanced email attacks, identified 259 different variations of a single address that was used by Scattered Canary for this large-scale fraudulent activity.