The earthquakes that have wrought so much devastation and death in Haiti this week are moving many to donate to various relief efforts. But security experts and the FBI are warning people to be on the lookout for ghoulish criminals scams that invariably spring up in the wake of such natural disasters in a bid to siphon funds from charitable organizations.
In an alert published today, the FBI urged people not to respond to spam messages asking for donations, and to be skeptical of people pretending to be surviving victims or officials asking for donations via e-mail or social networking sites.
Currently, there are a large number of Tweets coursing through Twitter urging users to donate to relief efforts using various text message short codes. While most of these may be promoting campaigns tied to legitimate charities and relief organizations, it’s probably safest to ignore incoming suggestions to donate this way. If you’d like to donate to the Red Cross International Relief Fund, you may send a $10 donation using your mobile phone by sending a text message with the words HAITI to the number 90999. The charge will be added to your monthly phone bill. Social media news site Mashable says the text-donation campaign, which is backed by the U.S. State Department, has already raised more than $1 million.
The FBI also warns against opening e-mails that claim to show pictures or videos of the disaster areas in attached files, as such ploys have been used extensively to distribute viruses and worms in the wake of previous disasters.
If past disasters are any indication, we also are likely to see thieves using search engine manipulation tactics to jack up the ranking of malicious Web sites, so that consumers searching for news about the current situation in Haiti stumble upon a site foisting malware. UPDATE, 2:25 p.m. Web security monitoring firm Websense reports that criminals already are gaming the search engines for Haiti-related terms to point Web searchers to domains pushing rogue anti-virus products.
The SANS Internet Storm Center says it is keeping a close eye on new domain name registrations to watch for bogus relief Web sites and other scams.
“While we, at the ISC, do not assume that the domains being registered are malicious in nature in any way, we always take note of domains being registered near a disaster,” writes SANS incident handler Joe Esler. “However, inevitably, some of these domains wind up being malicious in nature, and while we don’t assume that all of them will be, it does happen, and it’s unfortunate that spammers and phishers prey on people attempting to provide relief for those in need. Especially during such a devastating disaster as this was.”
UPDATE, 12:56 P.M. ET: McAfee’s Chris Barton just shared with me a list of nearly 200 new Haitian-related domains that have been registered in the past few days. It’s important to note that their inclusion on this list doesn’t mean these domains are fraudulent. But it would be nice if a few eagle-eyed readers took it upon themselves to keep tabs on these domains. If you find something suspicious, drop a line in the comments. The list is available at this link here.
Hurricane Katrina brought scammers out of the woodwork; dozens of domains were set up overnight asking for Paypal donations on behalf of the victims or different relief organizations, but there was no way to verify that the money would go to the promised destination. After the 2004 tsunami in South Asia, a survey by MasterCard International and security firm NameProtect Inc. found more than 170 tsunami-related scam sites being used to misdirect donations to relief efforts.