Security Experts Warn of Disaster Relief Scams
Sep 9, 2005 8:28 AM PT
Phishing scams seeking to steal donations earmarked for Hurricane Katrina victims may have started a week ago, but security experts said to expect a spike in this fraudulent activity in the weeks to come.
Scam artists often prey upon the sympathy for tragedy victims by sending out millions of spam messages requesting aid be sent to a particular bank account or donated to an organization's Web site linked from an e-mail.
Such scams circulated widely after the devastating December 2004 tsunami in Asia and the 9/11 attacks in New York. As such, expert phishers have had plenty of practice to design legitimate looking requests, said experts, and consumers should be cautious when making donations online.
"It's unfortunate how criminals are so quick to take advantage of the suffering of the victims of tragedies and exploit genuine goodwill for their own gain," said Andrew Lee, CTO of security software firm ESET. "Though it's easy to be moved by the tragedy, we can't let down our guard. People should use their heads as much as their hearts when looking to make a donation."
Pulse of a PhisherRami Habal, a phishing expert for the Proofpoint Anti-Spam Lab, told the E-Commerce Times he is seeing widely spammed solicitations for donations to the Hurricane Katrina relief effort.
These spam e-mails use a common phishing tactic, he said: showing what look like legitimate URLs of reputable organizations, but which link potential donors to bogus sites.
"A specific example that I'm looking at has the subject line 'Do something, Now,'" Habal said. "The standard advice against phishing applies here -- don't follow links inside of an e-mail that purport to take you to a site where you can enter financial information."
Habal cites a second, more insidious type of attack he has seen that downloads malware Trojans. The spam message contains a phony news article about the devastating effects of the hurricane with subject lines like "Eighty People Killed" and "I bet you didn't know."
"The e-mail shows a few lines of a bogus news story with a clickable link to 'read more,'" Habal said. "Clicking the link takes readers to a site called nextermest.com that refreshes and tries to download malware to the computer."
Taking Down the Net
For its part, VeriSign has volunteered technical staff to scour the Web in search of sites that are spoofing The Red Cross. VeriSign Fraud Manager Steve Booth told the E-Commerce Times that his team has already taken down two phishing sites for the humanitarian agency in the past week.
"The scams are going to get much worse," Booth said. "The tsunami scams didn't really kick in full force until a week or so later. The Katrina scams started earlier. That's because once you've got the spoofed Web site made it's easy to change them up and park them on different URLs."
Fred Rica, security expert and partner at PricewaterhouseCoopers, told the E-Commerce Times that one of the most important things for donors to remember is, "Never provide account information, a PIN, a Social Security number, any kind of identifiable information like that even if you think its from a legitimate company. That's not the way that reputable companies do business!"
ESET offers some additional points of protection for consumer seeking to make donations online and some tips on how to spot a scam.
If you didn't opt-in: Legitimate charities only send appeals to individuals who have explicitly chosen to receive e-mails from the organization. Unsolicited, such e-mails are almost always fraudulent.
Don't be fooled by appearance: E-mails can appear legitimate by copying the graphics and language of a legitimate organization. Many include tragic stories of victims of the disaster.
Don't click through to links: Links in e-mails can lead to "spoofed" Web sites that mirror the look and feel of a genuine organization.
While some e-mails may be genuine, it is too difficult to confirm or track that donations reached the intended recipient. ESET suggests typing the URL of a legitimate aid group directly into your Internet browser.
Follow the Web site's instructions on how to send donations. This will ensure that the funds actually reach the intended recipient and that these charities will be able to do the greatest good.
ESET encourages consumers to make their donations directly to recognized charities and aid organizations to ensure that they are used for the intended purpose.
Finally, security experts warn in the coming weeks consumers should be cautious of any e-mails with photos of the disaster-stricken areas included as attached files. The attachments most likely will contain a virus.
You can find a list of reputable Web sites to make donations on ECT News Network's Katrina Relief Information page.