AVG Blogs | Nick FitzGerald

Beware Haiti earthquake donation scammers

As I write this it has been a week and a few hours since the terrible earthquake in Haiti on Tuesday 12 January 2010.

Initially, many expressed concerns that spammers and other online scum would be out in force with donation scams and the like. For example, on 13 January the FBI issued this pre-emptive scam warning.

As has happened with many natural disasters and other high-profile news stories (such as celebrity deaths) in recent years, domain names clearly related to the incident were quickly registered. Joel Esler, working with others, reports that over 1100 Haiti-themed domains had been registered 13-15 January inclusive. What proportion of those were registered with ill-intent will never be entirely clear, but human nature being what it is, it is a good bet that not all of them were registered by folk with decent or humanitarian motives.

Within a day or two, several actual scams, asking for donations, were being reported. Perhaps the earliest, or at least the one that got the earliest media coverage I saw, was Email spam purporting to be from the UK Red Cross. I found a variant of this, dated a day or so after initial media reports, at 419eater.com:

(As an aside, it is interesting to compare this sample to other reports of this spam. There are some obviously deliberate changes, but also several subtle differences. Most of the latter appear to be of a kind that may be considered a "typo": Capitalization differences; occasional spelling mistakes either corrected or introduced; single spaces rather than multiple; other differences in the placement of spurious spaces; and so on. This suggests that the spamming behind these scams is at least partly manual with the spammers re-entering the copy, much as in the early days of multiple typewritten, carbon-paper copies of snail-mailed, paper-based, 419 scams. Perhaps these changes were introduced into this sample when the group behind this specific spam copied the Email above from earlier security company or media reports that included a screenshot of the original? Which raises the question - might this blog similarly be aiding the next gang to pick this up?)

Anyway, I subsequently received Haiti donation spam to one of my personal Email addresses (more on that in a moment) which indirectly led me to another spam also asking for Haiti donations. I did not receive that second spam as an Email message, but merely found an archived copy of the message body on a website. Received as Email, the message body would have looked something like this:

This spam requests donations for the reputed US charity Haiti Helping Hand through the website at www.haitihelpinghand.com (I don't advise you go there, just in case). Oddly, a charity with a Haiti-specific name "responded to Hurricane Katrina, New York post 9/11, Greensburg, Kansas after the tornado" and for extra effect "worldwide as well" (it was spammed after all, so presumably some non-US residents would also receive it) . At the time of receipt, until sometime late yesterday or early today, the website linked from this spam looked like this:

It is also odd that a charity that reputedly responded to 9/11 (recall that was 2001!) has a domain that was only registered two days after the 12 January 2010 Haiti earthquake. This is clearly seen in this extract from the domain's registration and whois data:

Domain Name: HAITIHELPINGHAND.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS2233.HOSTGATOR.COM
Name Server: NS2234.HOSTGATOR.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 14-jan-2010
Creation Date: 14-jan-2010
Expiration Date: 14-jan-2011

Further, and especially odd for a US charity, this "charity" does not want you to know who they are or where they are located. As well as having neither "contact us" nor "about us" style pages on their website, they used Domains by Proxy to register their domain. Services providing such "anonymizing" functionality to domain registrants are particularly popular with the obviously criminal elements we see increasingly abusing the internet:

Registrant:
   Domains by Proxy, Inc.
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

The webpage linked from the spam only has three components. There is rather scant information (unsubstantiable claims about the reputed charity's earlier work) and only two links, one to the site's privacy policy and one to a PayPal donation page. To the skeptical, the purpose of including only those two links is to boost the page's apparent authenticity. As many people are comfortable using PayPal, the unwary may even associate the good name and reputation of PayPal with this donation-seeking site. As a result, some people may be even more likely to donate than if the site had asked for donations via wire transfer, Western Union and so on.

Finally, both the Email spam and the web page claim that donations to Haiti Helping Hand are tax deductible. I discovered an Inland Revenue Service web page for checking the status of US tax deductible charities. This service can be a bit fiddly to use, as you may have to check each of the main, recently revoked and recent additions lists to find exactly what you need to know, but it is worth the effort.

Surprise, surprise - there is no current entry with a name anything like "Haiti Helping Hand"!

As I write this, the website no longer looks like the screenshot above. Apparently its hosting company has removed the site, but the domain is still registered and the folk behind the site can easily move it to another hosting service. Should it be reborn, avoid!

Above I mentioned another Haiti earthquake donation spam Email that I received. As this entry is already so long, I'll post the intriguing story behind that scam separately.

Share | |

Posted at 10:08 AM | Permalink | Comments (0)

Technorati Tags: FBI, Haiti earthquake, Haiti scam, Haiti scam warning

01/28/2010

The French connection

Last week I wrote about the appearance of Haiti earthquake-themed scams in the first week following the quake. I also promised to write about one specific such scam I saw - it started with this Email:

At first glance, it seems to be a heartfelt plea for help from a relative of likely victims of the earthquake. It has good, but not perfect, English, but it's not apparently from a professional organization; more a plea for help from a concerned individual. So the minor phrasing issues are perhaps understandable from a distraught relative, doubly so given the writer almost certainly is not a native English speaker. The author of this message certainly wants you to think s/he is in France, and probably a Haitian living there at that. The official languages of Haiti are Haitian Creole and French.

And there's the rub - who is the sender?

The only kind of "from" information in the entire message is in these two message header lines:

Return-Path: <Claire@mailing-shoppingday.com>
From: "AIEDA ASSOCIATION" <Claire@mailing-shoppingday.com>

Internet searches for "Claire@mailing-shoppingday.com" turned up a few reported cases of spam and nothing else. Searches for just the domain name added "spamming domain" blocklists to the previous search results.

Internet searches for "AIEDA ASSOCIATION" turned up nothing illuminating.

There was one meaningful result on that phrase that turned out to be a page mis-referencing A.P.I.E.D.A. - Association pour Intégration des Enfants Déficients Auditifs (unsurprisingly the "Association for Integration of Hearing Impaired Children" according to Google Translate). A.P.I.E.D.A. is based in Strasbourg, France, about 450km (280 miles) from Bailly Romainvilliers. Surely if it was this organization, they would have used their own address and bank account, or at least those of a staff member or supporter, and thus probably in, or much closer to, Strasbourg?

Of more interest though, there is also l'Association Internationale des Etincelles D'Amour, which goes by AIED'A (note the apostrophe). The name translates to International Association of Spark of Love. From the few items mentioning AIED'A on the web, it clearly has links to, or interests in promoting, Haitian causes. However, as far as I could tell, AIED'A does not seem to have a publicly accessible web presence, nor could I find contact information, beyond that a certain Edwin D'Haiti seems to be the moving force behind AIED'A. He lives in Paris and has quite different landline, cell and FAX numbers from those given in the donation request Email.

It seemed too great a coincidence that a Haitian-oriented group called AIED'A exists and "AIEDA ASSOCIATION" was used in this message's from address. However, at least thus far, there was insufficient evidence to suggest that AIED'A sent or commissioned the message, or was otherwise involved.

I had drawn a blank. Not speaking French, I didn't expect to get much further on my own, so I enlisted the assistance of a French colleague - Francois Paget from McAfee AVERT Labs.

Francois called the (cell) phone number from the message - "I am not available...".

Francois called the town hall of Bailly Romainvilliers (the location of the address in the spam) and nearby Bussy Saint Georges (about 10km - 6.2 miles - away and the location of a second possible address for Capital Distribution, included at the very end of the Email message, as shown above). The local officials knew nothing of the company or local efforts to raise donations for Haiti.

Searching French company registration data for "Capital Distribution", Francois found a company registered with that name on 24 September 2009 by one Ennery Belance at the Bussy Saint Georges address from the end of the message.

So, a person's name matched to the company name and address in the message - progress.

Then, in searching for that name, two things quickly became apparent. First, Ennery Belance is not a common name, at least as seen by internet search engines.

Second, most of the hits for this name are in relation to a news story from 30 April 2009. It seems that a Monsieur Ennery Belance ran afoul of the Insurance Regulatory Authority (L'Autorité de contrôle des assurances et des mutuelles) in France. According to the ruling, an insurance company manager of that name supplied false statements of professional liability insurance and finanacial security guarantees, amongst other things. (Should you be interested in the minutiae and not speak French, here is Google Translate's rendition of the ruling into English.)

So, is this the same Ennery Belance as the one apparently related to the surce of the Haiti donation spam?

Yes!

Why am I so sure?

Some of the news coverage of that ruling identifies three websites related to the infringing insurance businesses of Monsieur Belance - www.amexassurances.com, www.express-sante.com and www.assurancesvoyageurs.com. The whois data for these three domains all contain the following identical (save some capitalization differences) contact data:

BELANCE ENNERY (amex.assurances@wanadoo.FR)
+33.660486030

And the second two have whois contact addresses just down the street from the second Capital Distribution address in the Email:

1 BLD PIERRE MENDES FRANCE
BUSSY SAINT GEORGES, BUSSY SAINT GEORGES 77600
FR

Further, despite the contact address in its domain registration being different, Google Maps' Street View clearly shows the business of Amex Assurances is also at 1 Boulevard Pierre Mendès France (at its intersection with Avenue du Général de Gaulle). You can see that in this excerpted detail from Google Maps, or click the image to be taken to the location in Street View to look around for yourself:

Further still, searching for some distinctive text from the websites at the three domains named above, turned up a fourth French "insurance company" domain. The domain capital-assurances.com is also registered by Monsieur Belance, with the 1 Boulevard Pierre Mendès France address. Finally, the contact phone number in all four of these domain registrations is "+33.660486030" - the same as the one in the spam.

So, we have matching phone numbers and addresses that very strongly tie this Email to Ennery Belance of Bussy Saint Georges and/or Bailly Romainvilliers, who appears to be a businessman in the French insurance industry.

...a businessman who has been before the French insurance industry's professional organization overseeing the good standing of it members, and censured by that organization for making untrue or fraudulent statements.

...a businessman who may be continuing to operate his insurance business(es) despite this censure.

So what do we have? Spam sent by a French insurance agent who has been censured for making false or fraudulent statements. Spam implying some form of allegiance with Haitian-aligned AIED'A.

If AIED'A is a legitimate organization - and I must stress I have found no reason whatsoever to suggest otherwise - one would hope both that it would not resort to spam to raise funds for any of its good works in Haiti (even in such an extreme event), and that it would not engage a person such as Ennery Belance appears to be, to act on its behalf.

All of which leaves us with one more question - would you buy a used car from this man?

Thanks to Francois for sharing this link, which he found through a search on the phone number from the spam, expressed in local (within France) calling format. Also, thanks to the French CERTs for also investigating this and their involvement of the French police.

Posted at 01:16 PM | Permalink | Comments (0) | TrackBack (0)

11/23/2009

New Facebook worm - don't click da' button baby!

Thanks to a tip-off from colleague Gadi Evron, I've just spent some time looking into the latest Facebook worm after he alerted Facebook about it.

Like so many past worms, this one uses a suggestive come-on to lure the unsuspecting into clicking a link, and after some behind-the-scenes shenanigans, it posts a link to the same lure page on the victim's Facebook wall, if the click-happy victim is currently logged into Facebook.

I'm not much of a Facebooker (in fact, only using it for investigating things like this!) but I've heard reports that this is working, as more and more folk's walls start to look something like this:

For those unfamiliar with Facebook (is there anyone other than me in that set?) the thumbnail of the worm's infective page is a link to the page. The worm's objective, of course, is that others viewing the victim's wall will click the link, and as they are logged into Facebook, the worm will propagate its link to that victim's wall, and so on...

How does this all work? Rather simple really and something Facebook needs to fix.

This worm uses what is technically known as a CSRF (Cross-site Request Forgery, also called XSRF) attack. A sequence of iframes on the exploit page call a sequence of other pages and scripts, eventually resulting in a form submission to Facebook "as if" the victim had submitted a URL for a wall post and clicked on the "Share" button to confirm the post.

So, at least until Facebook fixes its side of the problem here, be especially careful in which buttons you decide to click, baby!

Share | |

Posted at 02:07 AM | Permalink | Comments (8) | TrackBack (0)

Technorati Tags: Facebook, Facebook hacked, Facebook worm, hacking Facebook, new Facebook worm, new worm on Facebook

06/03/2009

Ph#%&ed by the phickle phinger of phate?

It seems that a Russian bank – KS Bank – has been fingered by the phishers for their evil. I first noticed this about a day ago in an Abbey phishing scam Email.

Note the link in the Email to http://www.ks-bank.ru/bitrix/admin/2/myonlineaccounts2.abbeynational.co.uk/Logon.htm. The phishing site has now been removed, but I'd recommend you only visit that URL if you really know what you're doing. Before it was taken down, the phishing page looked like this:

As Abbey phishing pages go, it was standard fare, but the ks-bank.ru domain seemed unusual. Had the phishers registered a domain that would seem like a real bank? Would that not be odd though, to have a phished bank's pages under that domain? What would the domain registration information tell us?

At first blush the initial registration date of 2003.04.03 was suggestive of a domain that had been around for much longer than your typical phishing scam site lead time.

Other domain registration details also seemed to ring true, and online language translators suggested the base site was legitimate, or at least a very thorough copy of a legitimate site. Whilst a few very assiduously copied (or simulated) and carefully modified pages are stock-in-trade for phishing site constructors, copying complete sites seems to be beyond their patience, and is well beyond their needs. A phishing scam victim is almost certainly going to fall for a scam site at first glance, or not at all, so having reams of properly linked pages of relevant-seeming material is not what we see in phishing sites.

Hosting your phish pages on a real bank site might buy you some time. For example, reputation-based anti-spam, anti-phishing and other content filtering and management products and services may initially grant a "free pass" to an established, legitimate banking site.

So, how did the real KS Bank site fall foul of the phishers?

Likely through a rather archaic version of their site management software, Bitrix Site Manager. If you back-up from the Abbey phishing URL to http://www.ks-bank.ru/bitrix/admin/ you will see that they are running version 3.3.6 of this software with a copyright date of 2002-2004.

A later version of Bitrix Site Manager, 4.0.6, was reported in mid-2006 as having a remote file inclusion vulnerabilty. It is quite likely that vulnerability, or a similar one, is also present in the even older version still running on the KS Bank system. Such a vulnerability would allow a person with malicious intent to install a remote shell, or a phishing kit, or pretty much anything else that took their fancy, on the KS Bank server.

As I said above, that Abbey phish has been removed or disabled at the moment, as have the Wells Fargo, three Scotiabank, a Wachovia and a Lloyds phish a colleague reported, and I confirmed, active on the same KS Bank server yesterday. Sadly, the KS Bank Bitrix Site Manager “admin” page still claims to be v3.3.6, so the phish may be removed but the route to their installation might not have been.

Of course, the point of entry may have been some other vulnerability in some other server application and without access to the server to perform more thorough checks we can never be sure. However, this same server has previously been reported as hosting a phishing site. On 1 May 2006 it was reported that the Hudson Valley Federal Credit Union (HVFCU) was targeted by a phish also hosted on this KS Bank server.

One can only hope that the access methods used then are not those used in this latest breach leading to at least five other bank phish being hosted on the same server.

Posted at 03:41 PM | Permalink | Comments (6) | TrackBack (0)