Want more friends and followers? Emerging enterprises will create them for you — for a price. An abundance of low-cost, freelance labor online is posing huge challenges for Internet companies trying to combat the growing abuse of their services, and has created a virtual testbed for emerging industries built to assist a range of cybercrime activities, new research shows.

Free services like Craigslist, Facebook, Gmail and Twitter have long sought to deter scammers and spammers by deploying technical countermeasures designed to prevent automated activity, such as the use of botnets to create new accounts en masse. These defenses typically require users to perform tasks that are difficult to automate, at least in theory, such as requiring that new accounts be verified by phone before activation.

But researchers from the University of California, San Diego found that these fraud controls increasingly are being defeated by freelance work arrangements: buyers “crowdsource” work by posting jobs they need done, and globally distributed workers bid on projects that they are willing to take on.

“The availability of this on-demand, for-hire contract market to do just about anything you can think of means it’s very easy for people to innovate around new scams,” said Stefan Savage, a UCSD computer science professor and co-author of the study.

The UCSD team examined almost seven years worth of data from freelancer.com, a popular marketplace for those looking for work. They found that 65-70 percent of the 84,000+ jobs offered for bidding during that time appeared to be for legitimate work such online content creation and Web programming. The remainder centered around four classes of what they termed “dirty” jobs, such as account registration and verification, social network linking (buying friends and followers), search engine optimization, and ad posting and bulk mailing.

“Though not widely appreciated, today there are vibrant markets for such abuse-oriented services,’” the researchers wrote. “In a matter of minutes, one can buy a thousand phone-verified Gmail accounts for $300, or a thousand Facebook ‘friends’ for $26 – all provided using extensive manual labor.”

The evolving marketplace is best illustrated by the market for services that mass-solve CAPTCHAs — those agglomerations of squiggly numbers and letters that webmail providers and forums frequently require users to input before approving new accounts. The researchers found that the market for CAPTCHA-solving was fostered on freelancer, but quickly expanded into custom markets when the model proved profitable on a large scale. Today, there are plenty of commercial services that pay pennies per day to low-wage workers in India and Eastern Europe to solve these puzzles for people wanting to create huge numbers of accounts at one time.

Adding to the available services, there is now steep competition among services that outfox phone- verified accounts (PVAs). Web services like Craigslist, Gmail and financial institutions sometimes will place an automated call to a new account creator, and read a numeric code to them over the phone, and require the new user to enter that number into a website.

The UCSD team noticed that demand for phone-verified Craigslist accounts increased rapidly in early 2008, when Craigslist introduced phone verification for the erotic services section of the site. The researchers observed that the price the freelance market will support for creating PVAs can tell you a lot about the value of phone verification as a security mechanism. “For Craigslist, PVAs have made account abuse extremely expensive. In contrast, retail services sell Gmail PVAs for around 25 cents, a 10-20 fold  price difference compared to Craigslist,” they wrote.

This same dynamic is now driving competition among services that offer the ability to generate large numbers of fake Twitter “followers” and Facebook “friends;” such services are popular among spammers and scammers who use them to make their pages appear more legitimate and trustworthy.

As demand for these new human services continues to increase, entrepreneurs have stepped in to aggregate the workforce. Savage said overall demand for social networking links has skyrocketed since the early part of 2010, suggesting that spammers have only recently realized the potential for monetizing social links.

“Whether it’s to buy friends for a social network or to do phone verification of new accounts, over time if a particular business new business model makes sense, it gets moved out of the freelancer market and into its own stand-alone service,” Savage said.

Need a whole mess of Twitter followers a.s.a.p? Places like the twitterfollowershop.com and buytwitterfollowers.com charge between $17 and $24.95 per 1,000 followers. I called the phone number found in the WHOIS registration records for twitterfollowershop.com, and a guy named “Pat” answered. He told me that the service is powered by manual labor in Asia.

“We have people overseas who are manually following users,” he said.

Want phone verified accounts at Facebook, Craigslist, YouTube and Twitter? Buypvanow.com, verifiedaccountmonster.com and plenty of others will sell verified accounts by the hundreds.

The UCSD paper describing the research in more detail is available here (PDF).

The unceasing barrage of targeted email attacks that leverage zero-day software flaws to steal sensitive information from businesses and the U.S. government often are described as being ultra-sophisticated, almost ninja-like in stealth and anonymity. But according to expert analysis of several recent zero-day attacks – including the much publicized break-in at security giant RSA — the Chinese developers of those attack tools left clues aplenty about their identities and locations, with one apparent contender even Tweeting about having newly discovered a vulnerability days in advance of its use in the wild.

Zero-day threats are attacks which exploit security vulnerabilities that a software vendor learns about at the same time as the general public  does;   The vendor has “zero days” to fix the flaw before it gets exploited. RSA and others have labeled recent zero-day attacks as the epitome of the so-called “advanced persistent threat” (APT), a controversial term describing the daily onslaught of digital assaults launched by attackers who are considered highly-skilled, determined and possessed of a long-term perspective on their mission. Because these attacks often result in the theft of sensitive and proprietary information from the government and private industry, the details usually are shrouded in secrecy when law enforcement and national security investigators swoop in.

Open source information available about the tools used in recent attacks labeled APT indicates that some of the actors involved are doing little to cover their tracks: Not only are they potentially identifiable, they don’t seem particularly concerned about suffering any consequences from their actions.

Bragging rights may play a part in the attackers’  lack of duplicity. On Apr. 11, 2011, security experts began publishing information about a new zero-day attack that exploited a previously unknown vulnerability in Adobe‘s Flash Player software, a browser plug-in installed in 96 percent of the world’s Microsoft Windows PCs .  The exploit code was hidden inside a Microsoft Word document titled “Disentangling Industrial Policy and Competition Policy.doc,” and reportedly was emailed to an unknown number of U.S. government employees and contractors.

Four days earlier, on Apr. 7, an individual on Twitter calling himself “Yuange” and adopting the humble motto “No. 1 hacker in China top hacker in the world,” tweeted a small snippet of exploit code, apparently to signal that he had advance knowledge of the attack:

“call [0x1111110+0x08].”

It wasn’t long before malware researchers were extracting that exact string from the innards of a Flash exploit that was landing in email inboxes around the globe.

Tweeting a key snippet of code hidden in a zero-day exploit in advance of its public release may seem like the hacker equivalent of Babe Ruth pointing to the cheap seats right before nailing a home run. But investigators say the Chinese Internet address used to download the malicious files in the early hours of the April Flash zero-day attacks — 123.123.123.123 — was in some ways bolder than most because that address  would appear highly unusual and memorable to any reasonably vigilant network administrator.

This wasn’t the first time Yuange had bragged about advance knowledge of impending zero-day attacks. On Oct. 27, 2010, he boasted of authoring a zero-day exploit targeting a previously unknown vulnerability in Mozilla’s Firefox Web browser:

“Wrote the firefox 0day. You may see “for(inx=0′inx<0×8964;inx++). You should know why 0×8964 here.”

That same day, experts discovered that the Web site for the Nobel Peace Prize was serving up malicious software that exploited a new vulnerability in Firefox. An analysis of the attack code published by a member of Mozilla’s security team revealed the exact code snippet Yuange had tweeted.

On February 28, 2011, Yuange taunted on Twitter that new zero-day traps were being set:

“ready? new flash 0day is on the way.”

On Mar. 14, Adobe acknowledged that a new Flash flaw was being exploited via a booby-trapped Flash component tucked inside of Microsoft Excel files. Three days after that, EMC’s security division RSA dropped a bombshell: Secret files related to its widely used SecurID authentication tokens had been stolen in “an extremely sophisticated cyber attack.” A follow-up blog post from RSA’s Uri River two weeks later stated that the break-in was precipitated by the zero-day Adobe had warned about on Mar. 14, and that the lure used in the attack on RSA was an Excel file named “2011 Recruitment Plan.”

Source: FireEye

On Mar. 16, just one day before RSA disclosed the breach, researchers at Milpitas, Calif. based security firm FireEye released their analysis of an exploit that used the same zero-day Flash flaw. The specific attack FireEye analyzed included a different lure than the one used against RSA: An Excel file titled “Environmental Scan Matrix of Risk and Security Organizations.” When FireEye investigators dug deeper into the Excel file, they found metadata indicating the file had last been saved  by a user named “Linxder.”

“Who is this linxder?” FireEye’s Atif Mushtaq asked in a Mar. 16 posting to the company’s blog. “My colleague Darien pointed me to few links on google that tells us that a guy named ‘linxder’ is a known chinese threat actor. This guy is an old-school hacker that has a fairly expansive social network. If one searches linxder’s baidu profile, we can see that he talks a ton about weaponizing flash containers in other file formats, which is exactly what happens in this attack.”

The Linxder profile linked in FireEye’s write-up has since been wiped clean of more than two years worth of blog posts, but Google’s cache still contains some of his older blog entries from 2009, including one that indicates Linxder and Yuange were acquaintances.

WILL THE REAL YUANGE PLEASE COME FORWARD?

The Yuange1975 character on Twitter may be very well be a composite of several different individuals, said Andre M. DiMino, a cybersecurity expert and former director of Shadowserver.org, a group that tracks cybercrime activity.

“At first, there were a lot of people really intrigued by this guy,” DiMino said. “But it looks pretty likely that there are a group of folks who are tweeting to this account.”

Yuange’s Twitter profile lists a blog account on Chinese Internet provider Baidu.com by the same name, but the Yuange at that blog appears to be an old school hacker from Chinese Internet security firm NSFocus who claims to have had nothing to do with the RSA exploit. He  also complains that the “Yuange1975″ on Twitter is impersonating him.

Neither the Twitter Yuange nor the Baidu Yuange responded to requests for interviews. Frank Ip, vice president of North America operations for NSFocus, said the Baidu Yuange is a man named Yuan Renguang, one of 12 co-founders of NSFocus, and that Renguang left the company in 2005 to start his own data loss prevention firm. Ip said Renguang was being impersonated, and that he is quite widely respected in China.

“Not only is this [Twitter] impersonator using his name, but he stole [Renguang's] picture,” Ip said, adding that the real Yuange doesn’t speak English and has never published anything in English, wheres the Twitter Yuange tweets only in English.

Earlier this month, Reuters ran a story based on secret U.S. State Department diplomatic cables released by Wikileaks. The piece chronicled the theft of terabytes of data from U.S. firms and the government over the past several years, and attributed the attacks to specialized electronic espionage units within the Chinese People’s Liberation Army (PLA). But that piece didn’t address the legions of civilian hackers who conduct the same classes of attacks for patriotic reasons, for bragging rights, or simply to earn money.

Image: thedarkvisitor.com

Scott Henderson, a military analyst at the U.S. Army’s Foreign Military Studies Office in Ft. Leavenworth, Kans., wrote extensively about this phenomenon in his eBook titled “The Dark Visitor” (Henderson co-authors a blog on this subject). Henderson said it may be that the RSA attack was launched by members of what’s known as the Red Hacker Alliance, a Chinese nationalist hacker network made up of many independent Web sites directly linked to one another, in which individual sites educate their members on computer attack and intrusion techniques. Henderson said the Red Hacker Alliance is characterized by its members launching coordinated attacks against foreign governments and entities to protect actual and perceived injustices done to their nation, but that monetary motivations increasingly are becoming as important as patriotic passion.

“It’s interesting because so many of these guys are doing this stuff out in the open, and you have to ask why, and what’s the risk-to-reward ratio for these guys, and does [the Chinese government] use them as a political hammer or as a quasi-intelligence gathering network that is tacitly approved by Beijing, and I think you’d have to say ‘yes’ to all of those,” Henderson said in a phone interview. “I don’t think there has been enough pressure on Beijing to change that, because these guys are very much out in the open and talking about what they’re doing, and in some cases almost crowd-sourcing their work.”

Henderson said the most damaging common aspect of all the attacks is that the assailants never seem to quit. “We hear about these really sophisticated attacks these guys are doing, but really it always boils down to social engineering,” Henderson said. “They send out enough emails to enough recipients at Company X that someone eventually clicks on these things and suddenly the attacker gets  access to the target’s system. There are so many of these groups and this activity is going on so continuously that the challenge is trying get a handle on what exactly we should be looking at. I always wonder, if this is the stuff we’re seeing, where are the really good guys, the ones you don’t see? If the successful attacks are so blatant and open, and these guys probably aren’t the crème de la crème, where are the really good guys?”

This is the first in a series of planned stories on the RSA attack and the menace from advanced persistent threats.

“Firesheep,” a new add-on for Firefox that makes it easier to hijack e-mail and social networking accounts of others who are on the same wired or wireless network, has been getting some rather breathless coverage by the news media, some of whom have characterized this a new threat. In reality, this tool is more of a welcome reminder of some basic but effective steps that Internet users should take to protect their personal information while using public networks.

Most online services use secure sockets layer (SSL) encryption to scramble the initial login — as indicated by the presence of “https://” instead of “http://” in the address field when the user submits his or her user name and password. But with many sites like Twitter and Facebook, subsequent data exchanges between the user and the site are sent unencrypted and in plain text, potentially exposing that information to anyone else on the network who is running a simple Web traffic snooping program.

Why should we care if post-login data is sent in unencrypted plain text? Most Web-based services use “cookies,” usually small, text-based files placed on the user’s computer, to signify that the user has logged in successfully and that he or she will not be asked to log in again for a specified period of time, usually a few days to a few weeks (although some cookies can be valid indefinitely).

The trouble is that the contents of these cookies frequently are sent unencrypted to and from the user’s computer after the user has logged in. That means that an attacker sniffing Web traffic on the local network can intercept those cookies and re-use them in his own Web browser to post unauthorized Tweets or Facebook entries in that user’s name, for example. This attack could also be used to gain access to someone’s e-mail inbox.

Enter Firesheep, a Firefox add-on released this past weekend at the Toorcon hacker conference in San Diego. Eric Butler, the security researcher who co-authored the tool, explains some of the backstory and why he and a fellow researcher decided to release it:

“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new ‘privacy’ features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely?”

In his blog post about Firesheep, I believe Butler somewhat overstates the threat posed by this add-on when he says: “After installing the extension you’ll see a new sidebar. Connect to any busy open wifi network and click the big ‘Start Capturing’ button. Then wait.”

It appears, however, that this add-on will only capture cookies from other users on a wireless network in cases where the attacker has already compromised the security of the entire network itself. Still, a number of free, open source tools are available to accomplish this task and could be used in combination with Firesheep to collect a ton of user logins on a busy wireless network. For example, Ettercap is an extremely useful program that lets you trick other computers on the local network into thinking that your computer is the wired or wireless router, effectively routing all of the incoming and outgoing traffic on the local network through your computer. Ettercap is a standard component of many Live CD installations of Linux that allow users to boot into a fully usable Linux distribution from a CD or USB device.

I pinged Butler for an interview about his add-on, but have yet to hear back from him. If that changes, I’ll update this post.

I tested Firesheep on a regular wireless network without running Ettercap and, sure enough, the only time Firesheep recorded any logins was when I logged in from the same computer that was running Firesheep: It did not capture cookies when I logged in to the same accounts from other machines on my wireless network. I tested this using two separate, commonly-sold wireless routers — with and without WEP/WPA encryption enabled — with the same results.

Combine Firesheep with something like Ettercap, however, and you have a very powerful, point-and-click method for hijacking social networking and e-mail accounts belonging to other users on the local network. This is exactly what McAfee director of research Dave Marcus found and explained quite well in his take on this tool earlier this week. Marcus also found that the add-on doesn’t collect cookies from other computers on a local network with the help of tools like Ettercap.

“What I like about Firesheep is that it is a very graphical way of showing people a problem,” Marcus said. “That said, it doesn’t do anything new.  People have been talking about session and cookie hijacking since at least 2003. [Butler] has just come out with a nifty extension for you to show the extent of this threat graphically and uniquely.”

The EFF's "https-everywhere" add-on

In any case, Firesheep was meant to raise awareness about this problem, and it appears to have succeeded in doing that. So what can you do to protect yourself? There are at least two Firefox add-ons that can dramatically increase the security and privacy of your Web browsing while on public networks, and that directly address the weakness exploited by Firesheep. These add-ons force any Web site you specify to encrypt all traffic (that is, always use an https:// connection), not just logins.

The Electronic Frontier Foundation‘s add-on, Https-Everywhere, is nice because it comes with about 20 sites pre-selected, including Facebook and Twitter. But some users may find its instructions for adding other sites to be a bit complex.

The ForceTLS add-on

Another plug-in that makes it easier to add new sites is Force-TLS, although it does not include any sites by default.

One final note: The truly scary aspect of these types of network-level attacks is that they work against all computer users, regardless of operating system type. As for the helper add-on, Firesheep is available for Windows and OS X systems, and the authors say they are working on a version for Linux.

Update, 4:06 p.m. ET: A couple of readers have pointed out a blog post from Robert Graham at ErrataSec, which notes that the ForceTLS add-on may not succeed in forcing https on all sites. He also offers some reasons why I may not have seen the Firesheep add-on working to capture cookies over the network. Graham writes: “FireSheep works only as well as the underlying packet-capture. On a Macintosh, the adapter can be fully promiscuous, capturing everybody’s traffic on the local access-point. On Windows, some adapters (like Broadcom) will see all the traffic, others (like Intel) will only see your own traffic (useful for watching which of your own websites can be sidejacked, but not useful for sidejacking others).”

Criminals have launched an major e-mail campaign to deploy the infamous ZeuS Trojan, blasting out spam messages variously disguised as fraud alerts from the Internal Revenue Service, Twitter account hijack warnings, and salacious Youtube.com videos.

According to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, this latest attack appears to be an extension of a broad malware spam campaign that began at the end of May.

The fake IRS e-mails arrive with the tried-and-true subject line “Notice of Underreported Income,” and encourage the recipient to click a link to review their tax statement.

All of the latest e-mails use a variety of URL shortening services. For example, this shortened link (currently live and dangerous, and therefore neutered here)…

hxxp://qurl.com/zv9j7

….when clicked reverts to:

hxxp://www.irs.gov.vrddr.ru/fraud_application/directory/statement.php?tid=00000143073750US

….which takes the user to one of dozens of identical Web pages that spoof the IRS and encourage visitors to download and review their tax statement, which is of course a powerful and stealthy password-stealing program.

Warner said anti-virus detection for this malware is extremely low: Only three out of 40 different anti-virus products detected the file as malicious, yet none of those currently identify it for what it is: Another new version of the ZeuS Trojan.

These broad attacks usually are quite successful, and in the past they have been used to great effect by the same criminal gangs that have been stealing tens of millions of dollars from small to mid-sized businesses. In September 2009, I wrote about a landfill service company in New York that had $150,000 stolen from its online bank account after an employee opened one of these ZeuS-laden bogus IRS e-mails.

A word to the wise: Do not click on attachments included in unsolicited e-mails, especially those that encourage you to act quickly or else suffer some scary fate. These are almost universally scams or attempts to plant malicious software on your computer. Also, note that the IRS has stated emphatically that it does not communicate with citizens via e-mail.

A faulty update  is being blamed for incapacitating an untold number of Microsoft Windows systems running anti-virus software from BitDefender.

BitDefender says the problem occurred Saturday morning with a faulty update for 64-bit Windows systems that  caused multiple Windows and BitDefender files to be quarantined. The bad update causes the anti-virus program to flag thousands of legitimate Windows and BitDefender program files as a threat called “”FakeAlert.5″.

The Romanian software firm  said the glitchy update has been removed and that the company is working on a fix for the problem.  BitDefender’s user forum has lit up with complaints from customers, and the company appears to be fielding quite a number of inquiries on the problem via its Twitter page.

“We are creating a patch that will restore all quarantined files,” the company said in a statement on its site. “The patch will be available shortly. We apologize for this error and we will work to prevent this from occurring again in the future.”

BitDefender has posted partial recovery instructions for users who are having trouble booting up Windows after this bad update, although several apparent users commenting on the company’s Twitter feed indicated they were still unable to boot after following the instructions.

Meanwhile, Bitdefender representatives on Twitter are warning users that malware writers already are taking advantage of the situation, and urging users to download the fix — whenever it is made available — only from BitDefender’s Web site.

Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.

This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?

This is a fairly professional job: Notice how the bulk of the electronics fit into the flap below the card acceptance slot. Also, check out the tiny pinhole camera (pictured below), ostensibly designed to switch on and record the victim’s movements as he or she enters their PIN at the ATM.

It’s hard to know whether this was a homemade skimmer, or one that was purchased from online criminal forums. Some of the skimmers sold on these forums are extremely sophisticated, incorporating features such the ability to send an SMS text message to the thieves’ mobile phone whenever a new card is swiped.

This type of fraud is actually far more common that you might think: A quick query on Twitter for “ATM skimmer” usually brings up plenty of local news reports about these devices being found on ATMs.

Practice basic ATM street smarts and you should have little to fear from these skimmers: If you see something that doesn’t look right — such as a odd protrusion or off-color component on an ATM — consider going to another machine. Also, stay away from ATMs that are not located in publicly visible and well-lit areas.

Update, 12:10 p.m: Mikko Hypponen from F-Secure sent in a few fascinating Twitter pics of other ATM skimmers that include ingenious ways to send the stolen credentials to the scammers.

If you liked this post, please check out my follow-up posts on ATM skimmers:,

ATM Skimmers Part II, includes an entire gallery of ATM skimmer images.

Would You Have Spotted This ATM Fraud? Delves into some of the rent-to-own skimmer models.

Fun With ATM Skimmers, Part III Examining the skimmer problem in Europe (+ more skimmer photos!).

ATM Skimmers: Separating Cruft from Craft Skimmer scammers are everywhere! Only buy your skimmer devices from real thieves!

Sophisticated ATM Skimmer Transmits Stolen Data Via Text Message Skimmers with embedded cell phones allow thieves to continue stealing credentials without ever returning to the scene of the crime.

Skimmers Siphoning Card Data at the Pump Skimmers aren’t just for ATMs.

The earthquakes that have wrought so much devastation and death in Haiti this week are moving many to donate to various relief efforts. But security experts and the FBI are warning people to be on the lookout for ghoulish criminals scams that invariably spring up in the wake of such natural disasters in a bid to siphon funds from charitable organizations.

In an alert published today, the FBI urged people not to respond to spam messages asking for donations, and to be skeptical of people pretending to be surviving victims or officials asking for donations via e-mail or social networking sites.

Currently, there are a large number of Tweets coursing through Twitter urging users to donate to relief efforts using various text message short codes. While most of these may be promoting campaigns tied to legitimate charities and relief organizations, it’s probably safest to ignore incoming suggestions to donate this way. If you’d like to donate to the Red Cross International Relief Fund, you may send a $10 donation using your mobile phone by sending a text message with the words HAITI to the number 90999. The charge will be added to your monthly phone bill. Social media news site Mashable says the text-donation campaign, which is backed by the U.S. State Department, has already raised more than $1 million.

The FBI also warns against opening e-mails that claim to show pictures or videos of the disaster areas in attached files, as such ploys have been used extensively to distribute viruses and worms in the wake of previous disasters.

If past disasters are any indication, we also are likely to see thieves using search engine manipulation tactics to jack up the ranking of malicious Web sites, so that consumers searching for news about the current situation in Haiti stumble upon a site foisting malware. UPDATE, 2:25 p.m. Web security monitoring firm Websense reports that criminals already are gaming the search engines for Haiti-related terms to point Web searchers to domains pushing rogue anti-virus products.

The SANS Internet Storm Center says it is keeping a close eye on new domain name registrations to watch for bogus relief Web sites and other scams.

“While we, at the ISC, do not assume that the domains being registered are malicious in nature in any way, we always take note of domains being registered near a disaster,” writes SANS incident handler Joe Esler. “However, inevitably, some of these domains wind up being malicious in nature, and while we don’t assume that all of them will be, it does happen, and it’s unfortunate that spammers and phishers prey on people attempting to provide relief for those in need.  Especially during such a devastating disaster as this was.”

UPDATE, 12:56 P.M. ET: McAfee’s Chris Barton just shared with me a list of nearly 200 new Haitian-related domains that have been registered in the past few days. It’s important to note that their inclusion on this list  doesn’t mean these domains are fraudulent. But it would be nice if a few eagle-eyed readers took it upon themselves to keep tabs on these domains. If you find something suspicious, drop a line in the comments. The list is available at this link here.

Original post:

Hurricane Katrina brought scammers out of the woodwork; dozens of domains were set up overnight asking for Paypal donations on behalf of the victims or different relief organizations, but there was no way to verify that the money would go to the promised destination.  After the 2004 tsunami in South Asia, a survey by MasterCard International and security firm NameProtect Inc. found more than 170 tsunami-related scam sites being used to misdirect donations to relief efforts.