Where there’s smoke: A look at CARES Act fraud on the dark web

If a fraudster starts buying personally identifiable information just as a massive government program began depositing $1,200 in the bank accounts of Americans, is that just a coincidence?

Dark web denizens can be a boisterous bunch - they are known for their tendency to “kiss and tell” But even before a successful crime, threat actors leave a trail of clues, pointing to new targets.

If there’s one thing that is certain on the dark web, it’s that these threat actors sensed an opportunity last month when the U.S. government announced its Coronavirus Aid, Relief, and Economic Security relief package AKA CARES Act, through which it would deposit checks into the accounts of millions of Americans. And multiple news sources have noted that the stimulus checks and the forgivable loans made under the Paycheck Protection Program (PPP) were attractive targets for a myriad of fraud schemes.

So we set about looking for indirect evidence of smoking fraud schemes.

Here’s what we found:

Multiple examples of threat actors seeking to buy or sell stolen identity packages (fullz) with the explicit purpose of impersonating victims to take their stimulus money.

Mentions of ID terms (tax ID, paystub, Social Security Numbers, and Form 1040) averaged at 925 per day in March. Between April 5 and April 18, mentions of these terms increased by nearly 90%, peaking at 1,765 mentions on April 11, two days before the initial payments were first disbursed.

Several examples of accounts with major banks, including Wells Fargo, SunTrust, and Chase, that were compromised after the CARES Act was passed.

While we could not find any indications of actors impersonating businesses to defraud them of government loans (yet!), the volume of indirect evidence points to an uptick in fraud attempts. There’s little doubt that threat actors are exploiting the stimulus for their own ends. Companies, and their customers, should take heed of these warning signals.

Indirect evidence is the lifeblood of intelligence gathering and security investigations. Armies don’t know exactly where the enemy will attack. But smart leaders watch troop movements, shifts in supply lines, the rate of chatter as well as the tempo of communications on the other side - to inform their judgements. Similarly, security teams use various (sometimes incomplete) sources to build an intelligence picture.

For a more detailed look at our latest findings on the risk of stimulus fraud, download our most recent cyberthreat intelligence report, Overstimulating: CARES Act Fraud on the Dark Web.