6:07 am (UTC-7) | by Ryan Flores (Senior Threat Researcher)
The recent tragedy that affected Japan is not the first incident that cybercriminals have leveraged. Cybercriminals established early on just how low they will go to steal money from users—Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Chinese Sichuan earthquake in 2008, and recently the Haiti earthquake in 2010 were all used one way or another as social engineering bait.
From a technical perspective, it is disheartening how closely cybercriminals monitored the entire incident in order to take advantage not only of the event itself but also of the events that followed it. Let’s trace the events, along with the threats we found leveraging them.
Information Demand Met with Attacks
The earthquake happened on March 11, 2011 and, almost immediately, most of the world was aware of the incident and constantly sought out more information on Japan’s status.
The sudden and rapidly increasing demand for information on the earthquake was met with blackhat SEO attacks, wherein cybercriminals rigged search results for strings related to the incident so that they led users to malicious sites.
Unsurprisingly, social networks were also filled with inquiries, footage, bits of information on the tragic event, and, of course, posts set up to look like footage and information but actually led to malicious sites and files.
A few hours later, the tsunami triggered by the earthquake hit the coasts of Aomori, Iwate, Miyagi, and Fukushima, causing further damage to the affected areas. Many people in Japan who had managed to reach safer ground by the time the tsunami struck were able to take videos showing how the waves destroyed the infrastructure located near the coastlines.
The cybercriminals again quickly took action to leverage the event and deployed attacks on social networks such as Facebook. Posts that posed as footage of the tsunami were seen all over the network and led to other malicious pages.
False Cries for Help
The world watched on as the Japanese endured the earthquake, the tsunami, and their grave effects. Efforts to assist them were immediately triggered all over the world. Leaders of different countries expressed their willingness to provide help to the Japanese. Organizations such as the Red Cross also launched campaigns that enabled other people to help with the efforts by sending in their donations.
Unfortunately, the disaster triggered not only relief efforts but attacks as well. Only a few hours after the disasters hit, phishing sites posing as donation websites already began to surface. This continued for days after the disaster; bogus domains posing as charity organizations increased in number, including one that purported to be part of organizations such as UNICEF.
Nuclear Meltdown Issues
Nuclear plants were among the infrastructure greatly affected by the earthquake. The extent of the damage and its effects caused alarm not only among the Japanese but also among people from all over the world. The possibility of a nuclear meltdown was continuously speculated on while the Japanese worked hard to prevent any further damage.
The cybercriminals, however, were also working hard at this point, as even information on the nuclear plant was used as social engineering bait. We saw several targeted spam attacks with messages supposedly bearing information on the status of the nuclear plant. The messages arrived with attachments, usually .DOC, .XLS, and .PDF files, which contained exploit code for both old and new vulnerabilities, including one that was only recently patched by Adobe.
What to Do?
Seeing multiple, varied attacks tied to the different developments of a single incident sends a clear message about just how much cybercriminals will leverage such an incident—even one as tragic as this—to steal money from users. For situations like this, it is important for users to have clear guidelines on how they can avoid being victimized by these attacks.
Here are some tips that can help users avoid becoming victims of scams and other Web threats:
- Verify the source. Check whether the sender of the email is known to you. Discard the email if the source is unknown. If the sender is someone you know and the message requests personal information, verify the request with the sender through a different medium. Keep in mind that charitable organizations will never mass-send solicitation messages and requests for personal information. It’s best to go directly to the official websites of those organizations to send in donations.
- Examine the URL. Double-check the links contained in email messages. Check the URL in the browser address bar and make sure that you are on the right website.
- Handle attachments with caution. Refrain from opening attachments contained in email messages from unknown sources. Such an attachment is likely to be a malicious file which, when opened, installs malware on your system.
- Read between the lines. Check the text of the email message for grammatical lapses, strange wording, and other errors. Also, observe the quality of the images in the message, as these may also be of low quality when sent by fraudulent senders.
- Check with a techie friend. If still in doubt about the legitimacy of a certain message or website, seek the assistance of a techie friend and ask for ways to verify it. Trend Micro offers portals such as the Malware Blog and the Trend Community where users may seek the help of our engineers as well as of other techie users to deal with security concerns. Users may also choose to use free services such as Trend Micro Site Safety, which verifies the nature of URLs, and preventive tools such as eMail ID and the Web Protection Add-On.
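As an added example (not code from the original post or from Trend Micro), the following Python script applies three of the tips above to a constructed donation-lure message: it flags a sender domain outside a placeholder allow-list, a link whose visible host differs from the host in its href, and attachments of the file types the post mentions. The sample message, the allow-list, and all hostnames in it are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample lure (not a real message): the link text shows one host
# while the href points elsewhere, and a .doc "status report" is attached.
SAMPLE_EMAIL = """From: relief@example-charity.test
Subject: Urgent: Japan earthquake relief donation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Donate now: <a href="http://donate.redcross-japan-help.test/give">www.redcross.org</a></p>
--b1
Content-Type: application/msword; name="nuclear_plant_status.doc"

ZmFrZQ==
--b1--
"""

TRUSTED_SENDER_DOMAINS = {"redcross.org"}   # placeholder allow-list, not a real policy
RISKY_EXTENSIONS = (".doc", ".xls", ".pdf")   # the attachment types the post mentions
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text):
    # Accept a full URL or bare "www.host" link text; drop a leading "www.".
    parsed = urlparse(text if "://" in text else "http://" + text.strip())
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def triage(raw):
    # Return a list of findings for one message given as an RFC 822 string.
    msg = message_from_string(raw)
    findings = []
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    if sender_domain not in TRUSTED_SENDER_DOMAINS:
        findings.append("untrusted-sender:" + sender_domain)
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append("risky-attachment:" + fname)
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in ANCHOR_RE.findall(body):
                shown = re.sub(r"<[^>]+>", "", text).strip()
                if "." in shown and host_of(shown) != host_of(href):  # text looks like a host
                    findings.append(f"link-mismatch:{host_of(shown)}->{host_of(href)}")
    return findings
```

Running `triage(SAMPLE_EMAIL)` yields one finding per tip: the untrusted sender domain, the mismatched link, and the risky attachment.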
More information can be found in our report, “Staying Safe from Disaster Relief Scams.”