
January 14th, 2010

Haiti earthquake themed blackhat SEO campaigns serving scareware

Posted by Dancho Danchev @ 3:53 pm

Categories: Anti Virus, Browsers, Data theft, Hackers, Malware, Passwords, Web 2.0


Cybercriminals mobilized quickly following the news of the massive earthquake that hit Haiti on Tuesday, introducing several hundred compromised domains embedded with bogus blackhat SEO (search engine optimization) content related to Red Cross donations and general Haiti earthquake relief information.

The sites are already appearing within the first 10 search results on Google, and upon clicking on them the user is redirected to one of the most profitable monetization tactics (FBI: Scareware distributors stole $150M) that scammers use these days: scareware, also known as rogueware.

Naturally, the blackhat SEO campaigns are only the tip of the iceberg. Here’s what else to look for, and how to make sure you’re donating money to the right organization.

What’s particularly interesting about the blackhat SEO campaign serving scareware (Setup_2022.exe; install.exe) is that a huge percentage of the sites are hosted within the network of Heart Shared hosting (heartinternet.co.uk), indicating some sort of automatic exploitation of its customers.

The same practice of relying on compromised legitimate domains within a particular ISP was also evident in blackhat SEO campaigns that were analyzed over the last couple of months.

For instance, not only was the same practice used to affect over a million web sites (Thousands of web sites compromised, redirect to scareware) in November, 2009, but also the campaign itself was traced back to the Koobface gang, which is clearly involved in fraudulent activities going beyond the Koobface botnet.

Different fraudulent groups either multitask, or cover a specific fraud segment exclusively. According to Symantec, spam campaigns impersonating the British Red Cross are already in circulation, requesting Western Union payments to support the victims of the earthquake. Anticipating the upcoming flood of earthquake relief scams, the FBI has released the following tips in order to raise more awareness:

  • Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages.
  • Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.
  • Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its nonprofit status rather than following a purported link to the site.
  • Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.
  • Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.
  • Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.

If you want to donate money to the real organizations, consider going through Google’s Support Disaster Relief in Haiti campaign page.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.
