An anonymous hacker has released code that allowed anyone to automatically submit junk data to Ohio’s controversial COVID-19 Fraud website, which prompts employers to report workers who refuse to work during the deadly pandemic so they won’t receive unemployment benefits.
The script, which began circulating on social media earlier this week, automatically fills out a “fraud reporting” form on the state of Ohio’s unemployment insurance website. State officials created the form to encourage companies to snitch on workers who are refusing to work under unsafe conditions, drawing outrage from workers and labor rights advocates. The script’s creator says the goal is to overwhelm the site with a flood of fake submissions, making it harder to process claims and thus deny people their benefits.
“It’s easy enough to go to the page and fill it out, but that wouldn’t amount to enough data to make these particular gears of the state grind to a halt,” the anonymous hacker told Motherboard. “It needs to be so much data that their ability to investigate these ‘fraud’ cases is hampered.”
The script works by automatically generating fake information and entering it into the form. For example, the companies are taken from a list of the top 100 employers in the state of Ohio—including Wendy’s, Macy’s, and Kroger—and names and addresses are randomly created using freely available generators found online. Once all the data is entered, the script has to defeat a CAPTCHA-like anti-spam measure at the end of the form. Unlike regular CAPTCHAs, which display a grid of pictures and words that the user must identify, the security tool used by the form is merely a question-and-answer field. By storing a list of common questions and their respective answers, the script can easily defeat the security measure by simply hitting the “switch questions” button until it finds a question it can answer.
To make the code more accessible, software engineer David Ankin repackaged the script into a simple command line tool which allows users to run the script in the background of their computer, continuously submitting fake data to the Ohio website.
“If you get several hundred people to do this, it’s pretty hard to keep your data clean unless you have data scientists on staff,” Ankin told Motherboard.
Unemployment benefits have been a critical lifeline to millions of Americans who have been laid off or furloughed during the COVID-19 pandemic. 33.5 million people have filed for unemployment since March, and many of those whose jobs have been deemed “essential” face unsanitary and dangerous working conditions which put them at elevated risk of contracting the virus.
Despite these risks, many large companies have continued business as usual while failing to provide employees with masks, gloves, and other personal protective equipment. Meanwhile, several states including Georgia have begun prematurely reopening business against the advice of health experts, forcing more people to return to work or face termination. According to the Washington Post, about 600 companies have already reported around 1,200 employees in Ohio since the state's "fraud" website opened earlier this week.
The junk data script appears to have gained the attention of state officials since being released earlier this week. On Friday, the Ohio website swapped out its weak question-and-answer anti-spam check for a Google-provided CAPTCHA, which is harder to bypass than the system the state was previously using. But the hacker who wrote the script says they are working on updating it to defeat the improved security measures.
The anonymous hacker told Motherboard they created the script as a form of direct action against the exploitation of working people during the COVID-19 crisis.
“I put it out because a friend encouraged it. I didn’t know if people would really spread it and use it,” the hacker said. “What I’m hoping is that, whether people use this exact code or not, they see it’s possible for people to take direct action against these sort of snitch programs, and that making and spreading small tools like this amongst ourselves can help.”