Someone came to me last week worried that their computer was infected with viruses. It wasn't, but they had almost been victimized by a scam that piggybacked on the disaster in Haiti. As they say, no good deed goes unpunished.
Having heard that donations to Haitian relief could be made with a simple text message, this person did a Google search for "Haiti texting". The first results page included a link, shown below, that looked promising.
The actual link was:
http://sciencefirst.com / ? q = texting-haiti-to-90999
Spaces have been added to the link above so that this page isn't considered malware.
At this point, a skeptical person would ask, who or what is sciencefirst.com and what do they have to do with Haitian relief?
Nothing, it appears. The website seems to have been hacked.
And they are not alone.
Note in the search results that below the link to sciencefirst.com is one to sevencycles.com, a company that sells custom-built bicycle frames. They, too, appear to have been hacked.
Both URLs end with the same query string, "texting-haiti-to-90999", and, interestingly, the sevencycles.com web page was updated 15 hours ago (the screenshot was taken Thursday, January 14th, around 10PM ET), exactly the same time that the sciencefirst page was last updated.
When the good Samaritan clicked on the link to sciencefirst.com, a warning appeared on their computer that it was infected with viruses. At this point, I was called, and I suggested they shut down the computer immediately. No surprise, the warning turned out not to be true.
In a recent posting I argued that skepticism was the most important thing anyone needed for Defensive Computing. This was certainly true in this case, as a number of website evaluations gave sciencefirst.com a clean bill of health. Only skepticism prevented a malware infection.
You may notice the green circles in the Google search results. These are from Web of Trust and indicate its opinion on the safety of the website. The hacking of sciencefirst.com was too recent for anyone to have reported it to WOT.
Norton Safe Web also gave the website a clean bill of health, as shown below.
So, too, Google's Safe Browsing failed to find anything bad at sciencefirst.com.
Unmask Parasites found nothing to unmask.
OpenDNS Domain Tagging had no information on sciencefirst.com at all.
In a safe environment, I followed the Google link. Below is the HTML from the resulting web page.
The important point is that rather than seeing a page from sciencefirst, the end user actually sees a web page from thewarefree.com.
And, this is a bad website.
Google says the site "is listed as suspicious - visiting this web site may harm your computer" and "..this site has hosted malicious software over the past 90 days. It infected 2 domain(s), including jacques-tremblay.com/, probutik.com/."
Web of Trust reports that "This site has a poor reputation".
Norton Safe Web reports that it found three 'threats' on the site.
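Two signals in this case needed no reputation service: unrelated sites carrying the identical query string, and a landing page served by a different host than the link that was clicked. The Python below is an added example, not part of the original article, that checks for both; the sevencycles.com URL shape, the example.org entry and the landing URL path are assumptions, and links are kept in the article's spaced form and joined only in memory.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of search-result links. The first is the link quoted in
# the article; the sevencycles.com URL shape and the third entry are
# assumptions made for this example.
RESULTS = [
    "http://sciencefirst.com / ? q = texting-haiti-to-90999",
    "http://sevencycles.com / ? q = texting-haiti-to-90999",
    "http://example.org / donate ? q = haiti-relief",
]

def normalize(link):
    """Remove the display spaces, then return (host, sorted query pairs)."""
    parts = urlsplit("".join(link.split()))
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, tuple(sorted(parse_qsl(parts.query)))

def shared_query_hosts(links):
    """Return query strings that appear on two or more distinct hosts."""
    seen = defaultdict(set)
    for link in links:
        host, query = normalize(link)
        if host and query:
            seen[query].add(host)
    return {q: sorted(h) for q, h in seen.items() if len(h) > 1}

def lands_off_site(clicked_link, landing_url):
    """True when the page finally displayed comes from a different host."""
    return normalize(clicked_link)[0] != normalize(landing_url)[0]

if __name__ == "__main__":
    for query, hosts in shared_query_hosts(RESULTS).items():
        print("same query string on unrelated hosts:", dict(query), hosts)
    # Landing host as reported in the article; the path is an assumption.
    print("off-site landing:",
          lands_off_site(RESULTS[0], "http://thewarefree.com /"))
```

Neither check proves a compromise on its own, but together they flag exactly the pattern seen here before any blacklist had caught up.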
In the end, the person who called me was saved by their skepticism. Unfortunately, they had learned their lesson the hard way, having been burned by an earlier phony warning of a virus infection.
Hopefully you won't have to learn the hard way.
This story, "Haiti Texting Scam, Dissected," was originally published by Computerworld.