Application security

Virginia Tech massacre may spawn phishing scams

Information security experts warned users today to be on the lookout for legitimate-looking websites exploiting Monday's massacre at Virginia Tech.

The SANS Internet Storm Center reported late Tuesday that at least 28 domain names have been registered that relate to the shootings, including and

SANS handler George Bakos said many of the sites have yet to contain content, and they may be used for a positive purpose, such as fund-raising. Still, users should be wary of receiving emails that direct them to these newly created sites.

"While some of these are undoubtedly well-intentioned organizations joining in the outpouring of support for the friends and family of the victims, others are likely to be opportunists who want to cash in on the suffering of others," Bakos said. "Be on the lookout for a rash of spam and phishing coming from these leeches."

Cho Seung-Hui, a Virginia Tech student, shot and killed more than 30 of his classmates Monday morning in what is believed to be the most deadly peacetime shooting in U.S. history. He killed himself before police could get to him.

Ben Butler, director of the abuse department at leading domain registrar Go Daddy, told today that the company is actively monitoring domain names that are using terms and phrases related to the massacre.

If Go Daddy, which has registered nearly 20 million domains since its inception, decides a site is being used for a fraudulent or morally wrong purpose, such as glorifying the shootings, it will be shut down — either by Go Daddy or another hosting provider, he said.

He added that he encourages users to tip the company off on illegitimate sites.

So far, Butler said, Go Daddy is monitoring quite a few sites with URLs related to the shootings.

"It's constantly growing at this point," he said. "In the post-Hurricane Katrina situation, we had several hundred. This one isn't quite that bad yet, but you never know. We try to maintain our objectivity. We have to see the actual malicious intent [before taking them down."

Many of the these types of sites remain parked, and content is never added to them, Butler said. In some cases, the site names are purchased - usually for under $10 - in hopes that someone will pay the owner much for the name. Other times, people register the domains, add some advertising and search links, and hope they will be heavily trafficked so they can make money for each click, Butler said.

"It's actually a small minority who ever put up any content related to the domain name," he said.

Todd Beardsley, lead counter-fraud engineer at Austin, Texas-based TippingPoint, told today that people often try to capitalize on heavily reported stories.

"This does happen basically any time anything interesting happens, good or bad," he said. "We saw it first on a large-scale basis with the Asian tsunami. A lot of people will think, 'Oh, they've gone to register their domain. They must be legitimate.'"

Bakos said users should vet organizations asking for cash donations and other personal information.

"With any luck, these have been scooped up by cybersquatters who will be left holding the bag when nobody is heartless enough to use the domains for unscrupulous purposes," he said.

Earlier this week, US-CERT said scammers may spam users with phishing emails that contain links to a site "that appears to be a legitimate charity."

Users are encouraged to only follow trusted links, contact their bank whenever they think their information may have been compromised and call questionable organizations directly to verify their legitimacy.

US-CERT said this is not the first time criminals have taken advantage of national tragedies to line their wallets.

The latest example occurred in late August when Tropical Storm Ernesto threatened Florida.

Beardsley said events such as the tsunami and Katrina are more likely to be successful for fund-raising scammers than the Virginia Tech rampage because they are inavoidable natural disasters that affect many poor people.

Click here to email reporter Dan Kaplan.



Looking for a new job? has the latest IT security employment opportunities. Click here for our jobs page.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.