A tsunami is also a crime wave

March 30, 2011

No prizes were offered for predicting that criminals would exploit the recent Japanese disasters. Just as well, as there were plenty of warning blogs and articles, from SANS to US-CERT, by way of almost every security vendor you can think of. In fact, I set up a vendor-independent resources page at AVIEN in anticipation of such a crimefest.

Fake links, fake AV

You might be a little more surprised, though, at the sheer range of malicious activity displayed this time round. No one in the security business is surprised when a dramatic event or other media sensation generates a flood of BHSEO (black hat search engine optimization), even if the event is a figment of the scammer's imagination, driving the curious googler to perilous shores. And sure enough, a shed-load of poisoned links appeared: these were allegedly pointing to tsunami or earthquake footage, information on nuclear issues, new tsunami alerts, and so on, but were in reality simply a haven for fake anti-virus pop-ups.

Like it or not

We routinely see plenty of the OMG school of Facebook application scam. You know the sort of thing: “OMG, I can't believe [sensational story about someone doing something improbable].”

In such scams, a link to such amazing footage generally turns out to lead to a survey scam, so I wasn't too surprised at a range of similar Japan-related fake footage. (If I see one more story about whales smashing into buildings, I will be...well, still not surprised.) These stories also use clickjacking so that when you think you're clicking something to take you nearer to seeing the video object of your desires, you've just been tricked into telling all your Facebook friends that you Like the application. Or worse...

Gimme, gimme, gimme

Donation scams? Well, those were bound to happen, and they were. And the problems don't only arise with phishing sites set up to look like some branch of the Red Cross, or a brand new “charity.” In the United States, fortunately, there is a reasonable range of sites like Charity Navigator that can be used to validate a charity. However, I was mildly depressed to find that validating organizations based in Europe and elsewhere was more difficult. Even worse, I came across a number of sites that aren't themselves relief organizations, but that offer a mechanism for donating to a number of relief organizations and other charities. No doubt many of these are genuine, but establishing which are valid is not an easy task.

Then there were the usual messages soliciting donations that clearly came from internet cafes in Nigeria. Not, of course, that these were the only types of 419 to appear. Almost before the water had receded, I came across Advance Fee Fraud (AFF) messages offering the recipient a share of the estate of some luckless, family-less individual who had died in the tsunami and happened to have the same surname. Of course, these messages required instant action before the money reverted to crooked bankers or corrupt government officials. I never cease to be amazed at the facility with which 419-ers can find a “moral justification” for a blatant fraud.

Mighty hoax from small acorns

I was slightly surprised in one respect, though it's an aspect of anti-social behavior that isn't necessarily criminal*. Disasters like 9/11, earthquakes, etc., almost invariably attract a torrent of incidental chain letters, hoaxes and semi-hoaxes with no apparent motive except for mischief-making. Indeed, at the time of the 2004 tsunami I was (among other things) malware management scapegoat for an organization with more than 1.25 million employees, and for many months afterwards I was spending more time trying to persuade those same employees not to clog the mail systems with hoaxes and semi-hoaxes relating to orphaned children, 100 meter waves, and exotic deepwater ichthyofauna washed onto beaches.

While many of the social engineering hooks used in the commission of the scams described above use very similar fictions (the airborne whale, for example), it seems that as hobbyist virus writing has largely given way to malware written strictly for profit, so the techniques of hoax proliferation have also suffered a sea-change into something [en]rich[ing] and strange. In fact, most of the hoax material I've seen relating to the Japanese disaster has been linked to radiation scares, such as a hoax about incoming radiation that circulated in the Philippines and Hong Kong, and a highly misleading map describing the “likely” path of fallout across the United States in the event of a meltdown at Fukushima. (Australian Radiation Services Pty Ltd, whose logo is attached to the map, have stressed that it has nothing to do with them.)

However, lists a hoax email currently in circulation showing, allegedly, a mosque that survived the Honshu tsunami and a slightly proselytizing tone. In fact, it's a recirculation of a photograph of Teunom, Indonesia, following the 2004 tsunami.

*By the way, while “scaremongering” may not be a criminal offense in the same sense that “murder” is, chain letters and identity theft certainly can be criminal activities. However, the circumstances depend on context and jurisdiction, as well as mens rea. That's a complicated issue that I may come back to another time.

