Japanese Disaster Scams Kicked Off at Record Speed
Criminals have jumped on Japan's twin earthquake and tsunami disasters at record speed, security experts said today.
Scams range from links to fake anti-virus downloads and phony donation sites to classic online swindles that rely on greed.
"What's surprising this time is how quickly they picked up on the news," said Chet Wisniewski, a security researcher with U.K.-based Sophos. "We knew [scams] were coming, but they started appearing in record-breaking time, less than three hours after the earthquake."
Facebook has been used by cyber-crooks to collect information when users click on a link posing as CNN video footage of the tsunami that struck the eastern coast of Japan Friday, said Sophos in a blog post Sunday.
A record 8.9 magnitude earthquake hit Japan mid-afternoon Friday, and a powerful tsunami struck its northeastern coast minutes later. The death toll may reach into the tens of thousands, according to recent reports.
Scammers are also flooding e-mail inboxes with messages asking recipients to donate money to relief efforts, said Eric Park, a Symantec researcher with the company's anti-spam team.
"This is very typical, especially with disasters, because they can ask for donations or pose as a legitimate charitable organization," said Park today.
Another Symantec researcher noted that other scams have appeared taking advantage of news of the earthquake and tsunami. "Symantec has observed a classic 419 message targeting the Japanese disaster," said researcher Samir Patil in a post to the company's security blog today. "The message is a bogus 'next of kin' story that purports to settle millions of dollars owing to an earthquake and tsunami victim."
A "419" scam is a long-used con -- named for a section in the Nigerian criminal code -- that tries to convince victims to advance funds in the hope of realizing a much larger return.
Crooks have also registered a large number of domains with URLs that may fool users into thinking that they're legitimate donation or relief sites, said Patil, a tactic that can also push those sites higher on search results.
Patil said that Symantec spotted more than 50 such domains within hours of last week's earthquake and ensuing tsunami, all with the words "Japan tsunami" or "Japan earthquake" in their URLs.
Other security companies have seen the same thing. Last Friday, for instance, Trend Micro spotted numerous parked domains -- URLs that have been registered but had zero content -- with words like "help," "earthquake," "japan," "tsunami," "relief," and "donations" included in their titles.
Monday, Trend Micro reported on one phishing site that included "japan" in its URL, saying that the site was harvesting e-mail addresses and other personal information from unsuspecting users.
The Internet Crime Complaint Center (IC3) -- a joint effort by the FBI and the National White Collar Crime Center -- issued an alert last Friday that warned consumers to be wary of responding to donation requests following a disaster like Japan's.
Fake anti-virus vendors have also gotten in on the action, according to the SANS Institute's Internet Storm Center (ISC). Makers of the bogus security software -- often called "rogueware" to denote that the essentially worthless programs nag users with multiple pop-ups and fake alerts to pay for the software -- stay atop breaking news by automatically poisoning search engine results with links to their wares.
The ISC came up with a tally of 1.7 million poisoned pages that tout the earthquake and tsunami, a number beyond even Google's ability to rapidly delete.
Users should donate only to legitimate organizations, and only through those groups' Web sites, experts said today. The American Red Cross, for example, is taking donations on its site.
"And remember, many communities have set up their own charity programs, so if you're not sure about a solicitation, go to your local charity, like your local branch of the Red Cross," said Wisniewski.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.