24
Sep 18

Beware of Hurricane Florence Relief Scams

If you’re thinking of donating money to help victims of Hurricane Florence, please do your research on the charitable entity before giving: A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability for how the money will be spent.

For the past two weeks, KrebsOnSecurity has been monitoring dozens of new domain name registrations that include the terms “hurricane” and/or “florence” and some word related to support (e.g., “relief,” “assistance,” etc.). Most of these domains have remained parked or dormant since their creation earlier this month; however, several of them became active only in the past few days, directing visitors to donate money through private PayPal accounts without providing any information about who is running the site or what will be done with donated funds.

The landing page for hurricaneflorencerelieffund-dot-com also is the landing page for at least 4 other Hurricane Florence donation sites that use the same anonymous PayPal address.

Among the earliest of these is hurricaneflorencerelieffund-dot-com, registered anonymously via GoDaddy on Sept. 13, 2018. Donations sent through the site’s PayPal page go to an email address tied to the PayPal account on the site (info@hurricaneflorencerelieffund-dot-com); emails to that address did not elicit a response.

Sometime in the past few days, several other Florence-related domains that were previous parked at GoDaddy now redirect to this domain, including hurricanflorence-dot-org (note the missing “e”); florencedisaster-dot-org; florencefunds-dot-com; and hurricaneflorencedonation-dot-com. All of these domains include the phone number 833-FLO-FUND, which rings to an automated system that ultimately asks the caller to leave a message. There is no information provided about the organization or individual running the sites.

The domain hurricaneflorencedisasterfund-dot-com has a slightly different look and feel, invokes the name of the Red Cross and also includes the 833-FLO-FUND number. Likewise, it accepts PayPal donations tied to the same email address mentioned above. It claims “80% of all donations go directly to FIRST RESPONDERS in North & South Carolina!” although it provides no clear way to verify that claim.

Hurricaneflorencedisasterfund-dot-com is one of several domains anonymously accepting PayPal donations, purportedly on behalf of Hurricane Florence victims.

The domain hurricaneflorencerelief-dot-fund, registered on Sept. 11, also accepts PayPal donations with minimal information about who might benefit from monies given. The site links to Facebook, Twitter and other social network accounts set up with the same name, although none of them appear to have any meaningful content. The email address tied to that PayPal account — hurricaneflorencerelief@gmail.com — did not respond to requests for comment.

The domain theflorencefund-dot-com until recently also accepted PayPal donations and had an associated Twitter account (now deleted), but that domain recently changed its homepage to include the message, “Due to the change in Florence’s path, we’re suspending our efforts.”

Here is a Google spreadsheet that tracks some of the domains I’ve been monitoring, including notations about whether the domains are active and if they point to sites that ask for donations. I’ll update this sheet as the days go by; if anyone has any updates to add, please drop a comment below. All of the domains mentioned above have been reported to the Justice Department’s National Center for Disaster Fraud, which accepts tips at disaster@leo.gov.

Let me be clear: Just because a site is listed here doesn’t mean it’s a scam (or that it will be). Some of these sites may have been set up by well-intentioned people; others appear to have been established by legitimate aid groups who are pooling their resources to assist local victims.

For example, several of these domains redirect to Freedomhouse.cc, a legitimate nonprofit religious group based in North Carolina that accepts donations through several domains that use an inline donation service from churchcommunitybuilder.com — a maker of “church management software.”

Another domain in this spreadsheet — florencereliefeffort.org — accepts donations on its site via a third party fundraising network Qgiv.com. The site belongs to a legitimate 501(c)(3) Muslim faith-based nonprofit in Raleigh, N.C, that is collecting money for Hurricane Florence victims.

If you’re familiar with these charities, great. Otherwise, it’s a good idea to research the charitable group before giving them money to help victims.

As The New York Times noted on Sept. 15, one way to do that is through Charity Navigator, which grades established charities on transparency and financial health, and has compiled a list of those active in the recovery from Florence. Other sites like GuideStar, the Better Business Bureau’s Wise Giving Alliance and Charity Watch perform similar reviews. You can find more details about how those sites work here.

Finally, remember that phishers and malware purveyors love to seize on the latest disasters to further their schemes. Never click on links or attachments in emails or social media messages that you weren’t expecting.

Tags: , ,

32 comments

  1. The Sunshine State

    You would think that a company like Godaddy would shut down the domains when they are first being registered. You would think they would first verify that it’s a legitimate charitable entity behind the domain name. Why isn’t Godaddy doing this?

    • They are being paid for the access others get to the charitable funding siphon.

    • Short of taking Kreb’s word for it, how do you suggest to prove the page isn’t legitimate? I’m sure we both suspect it is a scam (rightfully so), but we can’t easily prove it. How would you show that the private paypal isn’t somehow related to a real charity? How would GoDaddy verify that information?

      Unless it is used for cybercrime (spam, malware, phishing landing pages, e.t.c) it’s hard to get a registrar to shutdown a domain on suspicion alone. Maybe Brian could try contacting GoDaddy himself with the information and they might take action. What do you think?

      • The Sunshine State

        Trust me, If I got those scam domain names in a spam email, I would be able to get them terminated within 24 hours of notification of abuse . I’ve reported many phishing domain names over the years.

        My opinion , now and days and due to 9/11 , people should have to verify who they are by a legitimate means to register a domain name on the internet . Facebook is doing it now when you want to put political advertisements on that website

        • There are many hosting companies in the United States that are not ethically run. They get warnings about scams run from their servers and don’t care. They just want the money to keep coming in.
          I found an identity theft scam being run on DreamHost in Brea California with multiple domains claiming to be a staffing company. Their abuse team responded that they did not care when I warned them (even though its specifically is called out as a violation of the ‘Terms of Service.)
          I saw that the scammer was also using other hosting companies which I also warned. Those hosting companies took the scammer down nearly immediately.

          • Not reported to law enforcement, rhetorical?

            Covered by ICANN, paragraph 3.18.2 of “2013 Registrar Accreditation Agreement”.

            • I did report to law enforcement. Both the shared FBI/FCC site and the Brea cops. Since I was not successfully victimized I was told I had no standing.

              • The old-legal till it’s illegal. Though, it may be considered a compromised IP address/host; and shutdown as an administrative, non-criminal matter.

      • Brian stated that all of the mentioned domains have already been reported to the Justice Department. I’m sure they’ll contact GoDaddy if there’s reason to.

        • There are hosting companies that brag in their marketing that they fight takedown requests issued by Justice Department. The same hosting companies brag that they fight court orders demanding the ownership of domains.

      • Moving these cases to the law enforcement realm, Department of Justice–not only the registrar– entails potential legal, criminal action against the owners. Putting the owners themselves out of business, not only the domain names.

        • All someone has to do is buy with cash a ‘pre-paid debt card’ from Walmart or local store. Use that card to buy a domain and hosting service online and never use a real name.

          • Pre-paid debit cards are basically new bank accounts without the branches; to actually use the money stored on the card (if bought in the USA at least), you need to go through the same sort of AML/KYC verification as when getting an ordinary bank account.

            This means that the authorities *can* get your name and information if you pay for shady services with a pre-paid debit card.

          • Accepting a store card only isn’t a best practice used at all registrars. Registrars may verify customer identity in additionaly ways. ~ Spamhaus: “How hosting providers can battle fraudulent sign-ups”

      • “Short of taking Kreb’s word for it, how do you suggest to prove the page isn’t legitimate?”

        If you’re setting up a disaster relief fund, I think the burden of proof in this matter is on you.

    • IIRC GoDaddy is also quite infamous for complying with law enforcement requests for user data, even without any kind of court order, they just comply and in full without any effort to protect the privacy of their users. So, if these sites are reported to law enforcement, the users better be prepared to have all their data given up by GoDaddy without GoDaddy even questioning the request.

  2. Excellent journalism Mr. Krebs.

  3. The difference between legitimate charities and out and out scams can often be hard to tell

    • I have been using Charity Navigator to find all charities I donate to, they are the ones to go to. I go for four stars only.

  4. the one that goes to facebook page for Sabrina McCline… .

    she has a link to a gofundme page from their for donations. not sure if she’s a scammer or not but it don’t look good.

  5. For interesting USA non-profit research: IRS Publication 78.

    irs.gov/charities-non-profits/tax-exempt-organization-search-bulk-data-downloads

    One thing that offers is a large pipe-delimited text file of all the nonprofits in IRS records.

    Then, Amazon AWS has XML data of the Form 990 nonprofit filings. Those record humongous amounts of info about the organizations that file them.

    registry.opendata.aws/irs990/

    Easier interface:

    irs-990-explorer.chrisgherbert.com

    • There are plenty of faith organizations that use their affiliation with religious dogma as cover for financial enrichment of their chief officers through receiving donations and tax exemptions. Almost all operate as non-profits.

      Other faith organizations use donations to repair their own facilities and buy real estate, before helping their communities. Real estate purchases steal from their communities by reducing available taxable land. Don’t fall for the trick of donating to them, thinking your money will be used for disaster relief.

      Many other non-profits — especially “foundations” associated with major philanthropists and work unions, funnel money into side projects run by their employees, including political advocacy and consultancies. These costs are usually not disclosed to donors and can be buried deeply in tax statements.

      Avoid donations to organizations who have management with higher salaries than your own. A certain “cross” and “purse” and “army” for instance, have CEOs making far more salary than the average American.

      Who can you trust to help out disaster recovery? Have a look through here…
      https://www.ready.gov/voluntary-organizations-active-disaster

  6. Be wary of GoFundMe and similar crowdfunding websites, where there are a ton of fraud.

    Also: They’re for-profit, so nothing you give can be counted as charity for tax purposes.

    Even when a cause sounds real, your payements get confiscated by the websites for “processing,” further reducing funds available to anyone in need. GoFundMe takes a huge chunk for processing payments.

    Finally, you could follow the link here for a list of legitimate aid organizations
    https://www.ready.gov/voluntary-organizations-active-disaster

  7. Scammers fraudsters swindlers are very educated and clever people many of them are with secret service education.
    Its so sad that they must make living with bad ways.
    Why we dont give good salaries with good jobs to smart and educated people? Why they commit scams and frauds ?
    It will be a lot more cheaper for goverment and other people just to pay good money if someone is clearly better then many other people.

  8. Good work Brian, hopefully they haven’t defrauded too many victims. I would love to see the real identities of the criminals behind these scams to be revealed. I know that you’re capable of doing that, it’s just a question of whether it’s worth your time, which only you can answer!

  9. Is there a filter on this comments board? Can’t see my last comment posted…

  10. hurricaneflorencerelieffund org shows as available. Domaintools: “Never Registered Before”. Site: Doesn’t resolve.

  11. Not only is the first scam example still available, it stole its title image off a stock photo site.

    http://img1.wsimg.com/isteam/stock/5503

    • Stock photos are offered and sold to be used by … wait for it… website designers. Using textures and photos from Shutterstock and other such image warehouses is the norm, not the exception, with website design. Yes, even in big name organizations. It doesn’t even mean the image was “stolen” in the traditional sense (copyright infringement legally isn’t theft in the US). Some image warehouses have been caught claiming images from others as their own so be careful when making claims a website ‘stole’ an image. The original copyright of most images is difficult or even impossible to know. You can’t just take an image warehouse’s word for it that they own the copyright. Image warehouse Getty Images is currently being sued by Zuma Press in New York over copyright infringement of 47,000+ photos, for example.

      What should clue you in, isn’t necessarily the website design, but digging in what’s behind the website would be shallow and incomplete or inconsistent. For example, asking for monetary donations and only giving an anonymous Paypal wallet would be a good clue of a potential scam. Legit organizations usually accept multiple means of donations. The better ones also accept hard goods and volunteer service, too, because those go directly to those affected by the disaster rather than being eaten by some national organizations’ bureaucracy in administrative costs.