with Tonya Riley
A fraud campaign that has wrested millions of dollars from state unemployment agencies shows how states' poor information security protections have left them highly vulnerable during the coronavirus pandemic.
The scammers took advantage of weak systems states use to verify the identities of people applying for unemployment benefits to file thousands of fraudulent claims, as the New York Times’s Mike Baker reports.
Those systems are even more vulnerable now because states are rushing to get funds out to millions of newly unemployed people and, in some cases, foregoing lengthy reviews that weed out phony claims.
“There’s a dire need to get money out quickly. This makes us an attractive target for fraudsters,” Suzi LeVine, commissioner of Washington State’s Employment Security Department, which has been hit hard by the scammers, told the Times.
The crimes are going to cost states whose resources are already stretched to the breaking point by the pandemic. “This is a gut punch,” LeVine said.
The phony unemployment claims could cost states hundreds of millions of dollars, the U.S. Secret Service warns.
The Secret Service has spotted claims that are likely fraudulent in Washington state, Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island and Wyoming, according to a memo reviewed by the Times. But the fraud could be far broader and the Secret Service is still investigating.
The scammers appear to be part of a well-organized Nigerian fraud ring, the memo states.
The unemployment systems mostly rely on easy-to-find information to verify people are who they say they are.
This makes them especially vulnerable. In some cases, applicants don’t need to provide anything more than their name, Social Security number and some other basic information, cybersecurity blogger Brian Krebs notes. That information has all likely been exposed by numerous past data breaches, and scammers can easily find it for sale on dark corners of the Internet.
The scammers in this case appear to have run a particularly professional operation, gathering large troves of data, known as personally identifiable information, or PII. And they avoided misspellings and other common errors that alert officials to fraud.
“It is assumed the fraud ring behind this possess a substantial P.I.I. database to submit the volume of applications observed thus far,” the Secret Service memo said.
The surge of fraud during the pandemic makes state and local governments' cyberdefense jobs even harder.
Criminal groups have locked up computer systems and held them for ransom in dozens of cities in recent years, including Atlanta and Baltimore.
Since the virus hit, hackers locked up medical files at an Illinois public health agency and the state's unemployment office inadvertently exposed citizens' personal information. The Texas state government has also been hit with multiple digital attacks in recent weeks.
And hackers have created phony coronavirus-related sites that appear to belong to state and local governments to harvest people’s personal data.
The federal government hasn’t been much help. Democrats on the House Homeland Security Committee urged Speaker Nancy Pelosi (D-Calif.) to include $400 million to help state and local governments improve their cybersecurity in the next round of coronavirus stimulus funding, but the money didn’t make it into the final bill, which passed the House Friday.
Washington state, which is among the states hit worst by the pandemic, is a major target for the unemployment fraud.
The state shut down its entire unemployment system over the weekend after discovering $1.6 million in erroneous payouts, slowing the processing for a surge in legitimate unemployment claims, the Seattle Times reports.
About one in three workers in Washington state has applied for unemployment, and the state paid out about $1.8 billion in claims in April, the paper reported.
The scammers have also focused on filing phony claims for people employed by school districts, universities and municipal governments. One of the organizations hit hardest was Western Washington University, which told the Seattle Times that 410 members of its 2,463-person staff were targeted by fraudulent claims.
The operation also relies on a large number of “money mules” inside the United States, the Secret Service said.
Those are people who accept digital transfers of the fraudulent money and then transfer it abroad to scammers so it’s harder for law enforcement to track.
They’re a critical component of other Nigeria-based scamming operations, which attempt to dupe victims into sending money abroad to collect a prize or inheritance or because they believe it’s going to a phony romantic interest living abroad.
Mules are sometimes victims of such online romance scams and don’t realize they’re committing fraud.
Officials in U.S. states, the United Kingdom and Canada are clashing with Apple and Google about restrictions on the companies’ contact tracing technology.
The companies have set strict limits on apps that use their Bluetooth-based system for tracking contacts of people infected by coronavirus, including blocking them from also tracking people's locations or sharing data directly with public health agencies. But those restrictions threaten to make the apps nearly useless for public health officials, Reed Albergotti and Drew Harwell report.
Apple and Google, meanwhile, say the restrictions are vital to protect privacy. “The companies are also concerned that easing the restrictions around apps’ Bluetooth use would drain phone battery life, which could irritate customers,” Reed and Drew report.
The companies’ explanation has irked public health officials who note big tech firms have long profited from collecting large amounts of people’s personal information.
“If it’s between Google and Apple having the data, I would far prefer my physician and the public health authorities to have the data about my health status,” Helen Nissenbaum, a professor of information science and director of the Digital Life Initiative at Cornell University said.
European countries, on the other hand, are increasingly embracing Apple and Google's system, Sam Schechner and Jenny Strasburg at the Wall Street Journal report.
Germany, Italy and Ireland have switched to a system compatible with the companies’ technology in recent weeks. Even the European Union's top tech watchdog, Margrethe Vestager, has encouraged members to embrace the companies' model so that the region can have a common approach that will allow for tracing contacts between citizens as they cross borders.
Top counterintelligence official William Evanina will take over briefing political campaigns about cybersecurity threats.
The briefings used to be run by the FBI and Department of Homeland Security, CNN's Alex Marquardt and Zachary Cohen report. Both agencies will still be involved in coordinating and sharing threat information, but with the intelligence community in the lead on briefings now.
The shake-up follows mounting reports that Russia is attempting to interfere in the 2020 election and growing concern among Democrats that the White House is politicizing intelligence about the threats. Top election security official Shelby Pierson told lawmakers in February that the Kremlin wanted to see the president reelected — only for the agency to say that Pierson overstated Russia's preference in a follow-up briefing.
Evanina was confirmed by the Senate as director of the National Counterintelligence and Security Center earlier this month but has been the center’s acting director since 2014.
Hackers targeted supercomputers used for coronavirus research in Switzerland, Germany and the United Kingdom.
It's unclear whether the attacks were connected or who was behind them, but the nature of the attack indicates hackers may have been trying to steal research, William Turton at Bloomberg news reports. The malware affected login systems for the computers, which are capable of vastly more complex calculations and at far faster speeds than consumer devices, but not the computer's internal machinery or data.
Affected systems in Switzerland and the United Kingdom were still down this weekend for repairs.
The attacks occurred the same week the U.S. government warned about China-based hackers targeting coronavirus research at U.S. labs.
Senate Intel's final report for its three-year Russia investigation is headed for a declassification review.
Burr (R-N.C.) submitted it on Friday to the intelligence community shortly before temporarily stepping down from the committee's chairmanship while officials investigate questionable financial sales he made in the early days of the pandemic.
Among other topics, the report digs into contacts between Russian operatives and the Trump campaign, the Associated Press reports.
More government cybersecurity news:
Hackers want $42 million to not release documents related to President Trump. But there’s no proof they have what they claim.
The group did release other documents stolen from the law firm Grubman Shire Meiselas & Sacks that appear to be legitimate, Kevin Collier and Diana Dasrath at NBC News report.
Trump has never been a client of the firm, however. The law firm confirmed that it had been breached and said it was working with law enforcement.
The law firm boasts high-profile clients including Bruce Springsteen and Lady Gaga. Hackers released documents they claim involved the firm's work with Lady Gaga last week after it refused to pay the ransom, Rolling Stone reports.
China's Commerce Ministry warned it will retaliate against the United States' recent ban on Huawei if necessary.
The ministry urged the United States to halt a ban the Trump administration announced Friday on global computer chip suppliers selling to Huawei and other companies that the United States deems national security risks, Reuters reports. Possible countermeasures could include new restrictions on U.S. companies including Apple and Qualcomm, Beijing warned.
More global cybersecurity news:
Online scammers routinely pretend to be someone they're not. But it takes a lot of chutzpah to pretend to be U.S. Cyber Command Chief Gen. Paul Nakasone and start flirting with people on Facebook Messenger. CyberScoop's Jeff Stone has the story:
Someone ran a Facebook page as Stephen Lyons, a US Army general, to introduce women to other “generals,” including NSA’s Paul Nakasone.— Jeff Stone (@jeffstone500) May 15, 2020
“I’m single and my eyes are always open,” a teacher stuck at home told me. “If I see a good looking guy in uniform, I’m going to click.” pic.twitter.com/8Vy17xAd9x
“I Googled this guy and I’m like, ‘Are you kidding me?’ ” Susan, who asked to be identified by only her first name, told CyberScoop. “And it was very flirtatious, but I’m a married woman." But Susan and her friend Cindy kept digging:
That’s around the time one of Nakasone’s pen pals became suspicious, and contacted us. We urged her to trick him by asking wonky legal questions that the real Nakasone discusses. (This scammer then copy & pasted descriptions from military journals.)— Jeff Stone (@jeffstone500) May 15, 2020
The scammers wouldn't cop to it, though.
the best part of this ridiciulous story is these sources found me by Googling “Nakasone,” which turned up this old gem.— Jeff Stone (@jeffstone500) May 15, 2020
- The Center for Strategic and International Studies will host an online event “Who Makes Cyberspace Safe for Democracy?” on Tuesday at 12:30 pm.
- The Senate Commerce Committee will mark up the CYBER LEAP Act on Wednesday at 10 a.m.
Secure log off
In case you've run out of virtual commencement speeches to watch, here's one more from Saturday Night Live: