SecurityFocus 2005-09-02
As chaos and looting continue in New Orleans in the wake of Hurricane Katrina, online carpetbaggers and fraudsters are taking the opportunity to flood the Internet with fake charity Web sites and malicious code tied to the natural disaster.
On Thursday, security experts came across the first e-mail message that posed as a reference to a news story about Katrina but carried a link to a Web site that attempted to infect the visitor's computer with spyware. Fraudulent charity sites have also begun to pop up on domain names linked to the natural disaster, according to the Internet Storm Center, a group of volunteers that monitors network threats for the SANS Institute, a network administration training organization.
Some sites feature links to a fake Paypal site that appears to collect donations, but in reality collects victims' financial details, said Johannes Ullrich, chief research officer for the SANS Institute and a handler at the Internet Storm Center. As evidence that groups focused on disasters maintain the sites, Ullrich pointed to the fact that at least one e-mail address to which financial details are sent still referenced the tsunami that hit Southeast Asia.
"These are groups of people that move from disaster to disaster, trying to cash in," Ullrich said. "This time we expected it, so we were looking out for it."
By Friday, more than 250 domain names using the words "hurricane" and "katrina" had been registered by various people, according to a list compiled by the Internet Storm Center. While some registrants have legitimate reasons for the purchases, others have sought to profit from the disaster through questionable schemes, Ullrich said. Many domain names are put back on the auction block for thousands of dollars, with the seller marking them as a charity sale, even though only a small fraction of the money will actually go to a legitimate charity, he said.
Hurricane Katrina is the latest major news event to fuel such online fraud. The tsunami that struck countries in the Indian Ocean on December 26 generated similar schemes, as did the terrorist attacks of 9-11 and the war in Iraq. Each event offered opportunities for spammers, fraudsters and online attackers to target victims that might not otherwise fall for the tricks, said Mikko Hyppönen, chief research officer for antivirus firm F-Secure.
"I think the attackers believe that more people will fall for such techniques after a natural disaster, but I would question whether the success rate really increases," he said.
The trend in targeting major news events with virus-laden spam had started many years ago, but really took off after 9-11, Hyppönen said.
"If the news is big enough, if it reaches the state that people start mass-registering domains, I think the Trojan spammers are not far behind," he said.
The latest Trojan horse program used in such a scheme is about a week old and originally had been attached to spam e-mail messages citing new developments in the war in Iraq. A computer that is not updated regularly could be compromised, essentially allowing the attackers to control the machine.
Few should be affected by the attack, said the SANS Institute's Ullrich. Microsoft has patched the Internet Explorer flaw that the malicious Web site used to infect victims. Moreover, abuse complaints have apparently succeeded in convincing the site's Internet service provider to pull the pages down.
Ullrich warned that such sites have a habit of coming back, however.
"The Web site is currently down, but it keeps moving around and pops up every now and again," he said.
While such malicious activity in the wake of a disaster is inevitable, the majority of Web sites and charity work are genuine, said Ebay spokesman Chris Donlay.
"We typically see mostly the good come out in these situations," he said. "People want to sell things to benefit charity. People are happy to buy those things when they come up for auction."
Ebay requires that charity auctions either use a service that automatically debits the correct amount of the sale to the selected charity or that sellers provide proof that they work for an authorized fundraiser, Donlay said.
While the number of fraudulent online auctions and fake Paypal sites may increase after a disaster, Donlay said that Ebay's current anti-fraud initiatives work to shut down such schemes.
"We are pretty vigilant year round," he said. "The hurricane may be the latest hook, but fraudsters are always trying to do something."