Cybercriminals have been abusing private company and government websites to fraudulently apply for CARES Act benefits and reimbursements. ZeroFox Threat Research has recorded hundreds of thousands of CARES Act fraud advertisements from cybercriminals on the deep, dark web and covert communication channels, especially Telegram. These advertisements include the buying and selling of services and goods to circumvent Know Your Customer (KYC) technology on these websites. A new method of circumvention involves using 3D Modeling software to defeat driver’s license and a “selfie” check on these sites.
- There is a high chance that actors performing CARES fraud will continue to improve methods to defeat KYC
- There is a high chance that victims will not know about fraudulent claims in their name until subsequent tax years, giving fraudsters a significant lead to process and launder the stolen money
- Actors will continue targeting investigative and background checking services, as they provide enough information to build a “full profile” of people and businesses, and they will likely use a combination of phishing and insider threat recruitment to maintain access
- Due to the success of these methods for CARES fraud, there is a moderate chance that actors will begin to apply these methods to defeat KYC in other platforms, such as financial platforms or cryptocurrency exchanges
CARES Act Fraud Details
On March 29, 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act was signed into law. The goal of the Act was to provide economic relief to Americans affected by the COVID-19 pandemic. The Act helped fund numerous government relief programs, such as Paycheck Protection Program (PPP), Pandemic Unemployment Assistance (PUA), Economic Injury Disaster Loan (EIDL), and Small Business Authority (SBA) programs.
On March 26, 2021, nearly a year later, the FBI issued a public announcement detailing their actions to combat cybercriminals who submit fraudulent claims to steal the appropriated money from the CARES Act. ZeroFox Threat Research has monitored cybercriminal activity related to CARES Act fraud, including how to defeat Know Your Customer (KYC) methods used by cybercriminals. In addition, ZeroFox has tracked tens of thousands of advertisements related to CARES Act fraud on covert communication channels and the dark web.
Know Your Customer (KYC) Methods
Defeating KYC methods allows cybercriminals to circumvent the authentication processes while fraudulently applying for these loans. In general, these actors steal an identity “pro” (profile) of a legitimate business or person. This is typically done through open source research, phishing and insider threat methods, or stolen accounts that can access investigative and background checking databases.
To help combat CARES Act fraud claims, many companies and government organizations employ methods that will prevent filings of these claims based on the “pro” alone. Many of these services require an image, or “selfie”, of the applicant, which can match the driver’s license of the applicant. Stealing a driver’s license is a well known method used by phishing kits, and many of the background investigation services these actors gain malicious access to also contain driver’s license numbers. For example, one investigative service advertises a report that provides PII (personally identifiable information) of a person of interest, business accounts, and driver’s license information, all which are required by most KYC vendors.
Impact of CARES Act Fraud
In order to measure the impact of CARES-related fraud, ZeroFox Threat Research aggregated advertisements, channels, and actor handles that openly advertise their services and inventory. From May 2020 to May 2021, ZeroFox Threat Research has recorded the following number of advertisements for CARES-related fraud on Telegram:
- 270,828 profile or method advertisements for SBA, PPP and CARES fraud
- 269,381 background investigation service lookup advertisements (Phish or Insider)
- 48,271 Driver’s License Lookup advertisements (Method or Service)
Many of these messages contain advertisements for methods used to conduct CARES Act fraud. Typically, actors keep methods secret in order to reduce the chance of it being discovered, as well as to create exclusivity around the method. One recent technique that has been circulating on these actor channels involves defeating the selfie and picture check for KYC.
3D Modeling Software
ZeroFox Threat Research obtained a number of video advertisements defeating the “selfie check” for some of these KYC videos. Actors will use 3D modeling software to create a picture of the victim, and then present the 3D model to the selfie identification check to pass the selfie check.
In Figure 4, the actor presents a 3D Model of the victim. The screenshot also has a reflection of the actor’s phone, which is using WithPersona, an identity and KYC provider, Selfie Check feature. Throughout the 29 second video, the actor pans back and forth between the camera and the phone. At the end of the video, the phone screen changes to what looks like a confirmation screen.
In Figure 5, a separate actor performs the driver’s license and selfie check for WithPersona. They navigate between a piece of software that contains the 3D image and the verification software. A “congratulations, you are done!” screen emerges for both the driver’s license and selfie check.
Recommendations for Protecting Against CARES Act Fraud
Individuals that are looking for information on these government benefits should be aware of potential fraudulent activity related to the CARES Act. Organizations should be mindful of the tactics used by CARES Act fraud actors because those same TTPs could be used against them in future attacks.
ZeroFox recommends that organizations:
- Deploy effective KYC measures and technologies to sufficiently review client signup data
- Continuously monitor cybercriminal activity for new tactics and techniques that attempt to defeat the KYC technology your organization uses
- Consider deploying anti-fraud techniques to combat automated signups, such as identifying discrepancies in user sign-up data, which includes geolocation, device, IP address and attempts to sign up
- Have a process to thoroughly review your KYC datasets for fake or fraudulent records, especially selfies and driver’s licenses