Hawaii unemployment insurance fraud scams increase via SMS phishing attacks

Sophisticated threat actors are leveraging phishing kits, back-end source code packages used by scammers to launch phishing attacks, to defraud both citizens and government agencies out of unemployment payments. WMC Global has specifically seen an increase in unemployment phishing targeting citizens of Hawaii. Exploiting pandemic-related stress and financial concern, remote work, and government “brand” trust, threat actors are preying on the vulnerabilities of millions of Hawaiians.

WMC global is beginning to see the unemployment fraud phishing attacks morph once the original attack has become less successful and, therefore, the attack continues to be effective long after the original scam has been taken down. Some of the attributes of these campaigns are:

Methods / Tools: Threat actors are utilizing JOTforms and Google forms / Gmail to get past blocklist filters. Most consumers and organizations have google.com safe listed. It becomes harder to block a site when threat actors are using something well-known site to execute a campaign.
Delivery Mechanism: varied
Consistency of Tactics, Techniques, and Procedures (TTPs): These attackers always use Gmail, static lure texts, and common hosting companies. Each phishing kit is basically the same except for the Gmail address.
Small Number of Actors: Many of these attacks are likely perpetrated by one threat actor gang because of the consistency of TTPs.
Tools’ Ease of Use: Gmail accounts can have zero ties to the threat actor.
Speed: The functionality of the attack allows for speed which makes it easier to be successful.
Switching Identifiers Frequently: Threat actors often change their email accounts to avoid becoming compromised.
Playing on Emotions: The scams are generic and play on the vulnerability of people during the pandemic and the impaired judgment that comes under stressful situations.

If organizations were to switch to a no password / text-message-code style of security, the kits would morph again to puppeteer-style kits, and dynamic kits that can bypass multi-factor authentication. Often these threat operations are solely for laundering money.

Threat analysts deal with customer credential phishing as a daily occurrence; however, in the past, they have lacked actionable intelligence solutions that allow for attribution of these attacks. Phishing kits are an untapped resource. The hidden code elements and vital clues they contain offer the opportunity to attribute mass campaigns back to the responsible threat actor(s). The ultimate solution for stopping unemployment fraud phishing is investing in phishing kit intelligence research at scale so that law enforcement has the direct intelligence needed to find and arrest threat actors, stopping phishing at the source.

Jake Sloane is a senior threat hunter at WMC Global. He specializes in tracking, hunting, and exposing credential phishing threat actors, attributing campaigns back to their sources, and delivering actionable intelligence to clients. Previously he was a Cyber Threat Analyst at American Express. Sloane has a first-class honors degree in forensic computing and a background in threat hunting, computer programming, project innovating, project development, and public speaking. He has written technical blogs that have been featured on BBC News and Bleeping Computer and is an active member of the open-source community, contributing to the public effort to take down phishing sites and enrich threat tracking. Notably, his work has supported law enforcement in arresting and convicting criminals involved in credential phishing campaigns.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.