As disasters spread, so do online scammers

Jan bultmann By Jan Bultmann

The outpouring of generosity from people all over the world following the earthquake in Japan has been accompanied by a profusion of donation scams.

These scams no longer prey on the simply gullible but have moved to less obvious ruses such as malicious websites that use clickjacking and drive-by attacks.

Natural disasters bring out extremes of human behavior. Workers at the devastated Japanese nuclear power plants place themselves in harm’s way trying to protect other people from explosions and radiation poisoning. Military and social services staffers work days without sleep under horrifying conditions.

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 10, Windows 8, Windows 7, Firefox, Internet Explorer, Google, etc. Join our 460,000 subscribers!

Enter your email above to receive messages about offerings by Penton, its brands, affiliates and/or third-party partners, consistent with Penton's Privacy Policy.
The Windows 7, Vol 3 (Excerpt)

Subscribe and get our monthly bonuses - free!

The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!

And in response, strangers around the world ask how they can help, what they can do, what they can send. Unfortunately, predators also respond, seeking to exploit the suffering and generosity of others for personal gain.

Online donation scams are not new, but they became really evident in 2005 in the aftermath of Hurricane Katrina. Most of those scams were e-mail–based phishing, also known as 419 scams. The least sophisticated claimed to be from victims; they explained complicated and peculiar circumstances leading them to write e-mails asking individuals for money. More advanced phishing scams imitated the look and feel of reputable charities’ Web presences.

Thanks to the increasing efficiency of spam filters, e-mails such as these reach fewer users today — and most Web users have learned to recognize and discard them quickly.

Since 2005, online scams have grown in sophistication. So it should be no surprise that, in the wake of Japan’s crisis, donation scams are harder to spot. Clickjacking and drive-by threats don’t depend on our charitable impulses — they target our interest in the unfolding events, using such common sources as news photographs, links to YouTube videos, and information updates.

Since March 11, 2011, scores of domain names have been registered — names containing terms such as Japan help, tsunami, or nuclear disaster, according to a Forbes report.

Often, these URLs are similar to the Web addresses of popular sites or are based on common misspellings. These malicious sites are also heavily seeded with now-familiar search terms (Japan, tsunami, nuclear disaster, radiation, Japan help, and so on) to draw the clicks of (or clickjack) people searching for information. This practice is known as search engine optimization poisoning.

A TrendMicro blog shows a search return list that reportedly includes fake sites.

Sometimes the scams are relatively innocuous; scammers register these bogus Web addresses as a way to earn money through advertising or delivering traffic to online survey sites. But others are far more dangerous. Clicking malicious drive-by sites, for example, can easily result in an infected PC.

Search-engine companies watch for these sites and eliminate the dangerous ones as quickly as possible. But so many have appeared in the aftermath of Japan’s disaster that even Google is having difficulty keeping up with them, reports Bojan Zdrnja at Internet Storm Center.

PC users can also be directed to drive-by sites through links circulated on Twitter, Facebook, and other social-networking sites as well as in discussion forums. Wall posts, IMs, and messages represent themselves as containing links to newly uncovered disaster videos that might be tsunami simulations, doctored images, and worse.

As Graham Cluley, senior technology consultant at Sophos, wrote on the Sophos blog:
“Facebook users are being tricked into clicking on links which claim to be raw CNN footage of the Japanese tsunami by cold-hearted scammers — as part of a plot to earn money by driving Web traffic to take online surveys. The videos, which in the examples seen by Sophos exist on a website called spinavideo, purport to be footage of the horrifying tsunami which hit parts of Japan on Friday.”
Clicking the link takes users to a spoof website that looks like YouTube. Users are tricked into agreeing to ‘Like’ the page on Facebook, which spreads the scam even further on Facebook.

But misdirection to online surveys and likejacking, as Cluley describes above, can be the least of a deceived user’s problems. A user who activates a clickjacking link is taken to a drive-by website that might (or might not) look legitimate but that automatically downloads malware onto the user’s machines. The most frequently downloaded type of malware is rogue security software, often also called rogue antivirus software (or rogue AV).

Rogue security software masquerades as legitimate security software. Sometimes it even imitates legitimate security software interfaces, such as Microsoft Update. After it’s installed on your machine, antivirus malware might simply pretend to detect viruses and then entice you into paying for a subscription to have your machine cleaned.

Or it might install more malicious software — keyloggers, password recorders, or rootkits — that can go undetected while stealing your data. This software might lie dormant until it detects a specific event, such as when you enter a bank account number. Then it comes to life and starts collecting your keystrokes: recording your passwords, social security number, date of birth, and other personal data.

The scammers resell your credit card numbers or passwords to other criminals. Then they change their company name, change the credit agency they’re using to bill you for your “malware subscription,” and vanish before they can be identified. Rogue security software costs the banking industry billions of dollars a year, a cost borne by consumers.

Figure 1 shows an example of rogue security software that’s disguised as a Microsoft alert.

Fake microsoft alert
Figure 1. Fake security alert

How can you avoid clickjacking scams and drive-by websites? It’s simple, but in the heat of a disaster, it can be harder than it sounds. Sophos’s Cluley wrote, “Remember to always get your news from legitimate news websites, and if you’re hunting for a video, make sure that you go to the real YouTube website rather than a replica set up by scammers.”

Meanwhile, old-fashioned donation fraud, featuring spoofed charity sites and phishing e-mails, has not gone away. ScamWarners has reported detecting a fake Salvation Army site. FBI spokeswoman Jenny Shearer told that a fraudulent e-mail, purportedly from the British Red Cross, is soliciting wired donations.

How to keep yourself safe in disastrous times

Here are tips to help you protect yourself from donation fraud:
  • Make informed choices about where to donate. Before turning over the personal information needed to process your donation, visit an online watchdog site such as to evaluate the receiving organization’s legitimacy.

  • Don’t click links in online forums, e-mails, or IMs that say they are from charity organizations — even well-known ones such as the Red Cross or Red Crescent, Mercy Corps, World Vision, or others. These e-mails could easily be spoofs that will direct you to a website that looks like the real thing but steals your data.

  • Do not respond to unsolicited requests for donations, particularly from people who claim to be victims. “Symantec has observed a classic 419 message targeting the Japanese disaster,” said researcher Samir Patil in a post to the company’s security blog. “The message is a bogus ‘next of kin’ story that purports to settle millions of dollars owing to an earthquake and tsunami victim.”

  • To get to the website of a charitable organization you want to support, type its web address into your browser’s address bar yourself — don’t rely on links, however professionally designed they may look, to take you there.

  • When you are on a charitable site, take a moment to check the spelling of the organization’s website in the address bar. Scammers often use common typos or misspellings to create URLs that fool an unwary eye.

  • Make sure the page where you enter your credit card or other personal information is encrypted. The beginning of the address should read https:// instead of http://.

  • Make sure any site that you donate through has a written privacy policy.

  • Get your news about events in Japan from reputable news sites.
If you believe you have been a victim of a charity-related scam, contact the National Center for Disaster Fraud by telephone at (866) 720-5721, by fax at (225) 334-4707, or by e-mail at

You can also keep an eye on samples of fraudulent e-mails and messages by watching the forums at ScamWarners, a reputable Internet Fraud Center that will also examine and evaluate material you submit and post samples to help other people avoid being scammed.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.

Jan Bultmann writes about Windows and Office security. She spent six years writing and editing for Microsoft’s Security at Home website and now works freelance. She’s on Twitter as EyeOnUptown, where she follows security experts, Nathan Fillion, WikiLeaks, and ioerror.
= Paid content

All Windows Secrets articles posted on 2011-03-24: