
3/11 Japan Earthquake Disaster Scam Watch

  • Posted on: March 11, 2011 at 2:58 am
  • Posted in: Bad Sites, Malware, Social, Spam
  • Author: Trend Micro

Editor’s Note: We have reorganized the blog entry previously titled “Most Recent Earthquakes in Japan” Searches Lead to FAKEAV as of March 14, 2011, 8:07 PM Pacific Time for better reading. As of this writing, we have identified several different disaster-squatting attacks taking advantage of the recent disaster in Japan. We will continue posting other related disaster fraud scams in succeeding blog posts to help users identify fraud and other attacks exploiting this unfortunate turn of events.

“Most Recent Earthquakes in Japan” Searches Lead to FAKEAV
Analysis by Norman Ingal, posted March 11, 2011, 2:58 AM Pacific Time

Unsurprisingly, we saw blackhat search engine optimization (SEO) attacks almost immediately after an 8.9 magnitude earthquake affected Japan, which was followed by a tsunami, causing massive damage to affected areas.

We immediately began monitoring for active attacks as soon as the news broke. Sure enough, we saw Web pages that had been seeded with keywords related to the earthquake. One of the active sites used the keyword “most recent earthquake in Japan” and led to FAKEAV variants that we currently detect as TROJ_FAKEAV.PB.

Blackhat SEO attacks leading to rogue antivirus downloads are still very common. We recommend that our readers get the latest news from trusted media outlets to avoid becoming victims of blackhat SEO attacks. Several similar attacks are highlighted here:

  • Search for News on Moscow Subway Explosions Result in FAKEAV
  • Another Earthquake, Another FAKEAV
  • Stuxnet Used in Blackhat SEO Campaign
  • FAKEAV: Out of the Spotlight but Still a Problem
  • Fake YouTube Pages, Flash Installers Used in Blackhat SEO Attacks

Be careful out there.

“Japanese Tsunami RAW Tidal Wave Footage!” Facebook Pages
Analysis by Karla Agregado and Michael Cabel, update as of March 13, 2011, 4:26 AM Pacific Time

Cybercriminals launched Facebook pages claiming to contain Japanese tsunami videos to lure users to the malicious site hxxp://www.{BLOCKED}u.fr/view.php?vid=Le-plus-gros-Tsunami-du-Japon-depuis-20-ans.

The Facebook page title is “Japanese Tsunami RAW Tidal Wave Footage!” and a script on that page leads users to a fake video page where the video is actually a clickable image. Clicking the image eventually leads users to a page asking for the user’s mobile phone number. The script also triggers an automatic “Like” and displays the link on the victim’s wall.

Trend Micro detects the script that leads to the fake video page as HTML_FBJACK.A. Users are protected from this threat via the Smart Protection Network that blocks access to the malicious URL to prevent users from executing the malware.

Parked Domains with Donation-Related Keywords
Analysis by Ralph Hernandez, update as of March 14, 2011, 12:27 AM Pacific Time

We recently found many newly created domains that bear keywords related to the earthquake and tsunami in Japan. Keywords such as help, earthquake, japan, tsunami, relief, disaster, fund, and donations were used. The domains are still parked, meaning that the users who registered the domains have not populated the sites with actual content.

We’ve blocked access to the said domains and will continue to monitor them for any malicious activity such as phishing attacks and other scams. Such techniques—using currently relevant keywords in creating domains—are commonly used by cybercriminals to trick people into thinking that they are part of a legitimate charitable organization.

Users should be reminded that organizations such as the Red Cross (http://www.redcross.com) and Medical Teams International (http://medicalteams.org) already have established channels to receive donations and are highly unlikely to create new domains for this purpose.
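
Added example (not Trend Micro's code or tooling): a triage sketch that turns the observations above into a review queue, flagging recently registered domains whose names combine an event keyword with a donation-appeal keyword while skipping the established channels named in the post. The two keyword groups, the 14-day window, the function names, and the sample records are assumptions made for illustration.

```python
import re
from datetime import date

# Keywords come from the post; splitting them into two groups is an assumption.
EVENT_WORDS = {"earthquake", "japan", "tsunami", "disaster"}
APPEAL_WORDS = {"help", "relief", "fund", "donations"}
# Established donation domains named in the post.
KNOWN_CHANNELS = {"redcross.com", "medicalteams.org"}
MAX_AGE_DAYS = 14  # assumed meaning of "newly created"

def registrable(domain):
    """Last two labels; a simplification that ignores suffixes such as co.jp."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def keyword_hits(domain):
    """Return (event, appeal) keywords found anywhere left of the TLD."""
    name = ".".join(domain.lower().rstrip(".").split(".")[:-1])
    name = re.sub(r"[^a-z]", "", name)  # ignore hyphens, digits and dots
    event = {w for w in EVENT_WORDS if w in name}
    appeal = {w for w in APPEAL_WORDS if w in name}
    return event, appeal

def review_queue(records, today):
    """records: (domain, creation_date) pairs. Returns flagged rows, highest score first."""
    flagged = []
    for domain, created in records:
        if registrable(domain) in KNOWN_CHANNELS:
            continue  # an established channel, including its subdomains
        age = (today - created).days
        if age < 0 or age > MAX_AGE_DAYS:
            continue  # not newly registered (or a bad date)
        event, appeal = keyword_hits(domain)
        if event and appeal:  # require both an event word and an appeal word
            flagged.append((domain, len(event) + len(appeal), sorted(event | appeal)))
    return sorted(flagged, key=lambda f: (-f[1], f[0]))

# Constructed sample registrations (not real indicators; dates are made up).
SAMPLE = [
    ("japan-tsunami-relief.example", date(2011, 3, 12)),
    ("helpjapanearthquakefund.example", date(2011, 3, 13)),
    ("www.redcross.com", date(2011, 3, 12)),
    ("redcross.com.japan-help.example", date(2011, 3, 13)),  # charity name as a subdomain
    ("tsunami-research.example", date(2011, 3, 12)),  # event word only
    ("japan-disaster-fund.example", date(2009, 6, 1)),  # too old
]

if __name__ == "__main__":
    for domain, score, words in review_queue(SAMPLE, date(2011, 3, 14)):
        print(score, domain, ", ".join(words))
```

A hit only means the domain deserves a manual look; as the post notes, these domains were still parked, so the name and registration date are the only signals available at this stage.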

Disaster Relief Scam: Fake Unicef Call to Help Japan
Analysis by Dhan Praga, update as of March 14, 2011, 4:00 AM Pacific Time

Aside from the above-mentioned threats, we also found spammed messages that attempt to scam users into giving their personal information. The messages pose as an appeal from Unicef for people to send in their donations to assist the people in Japan.

The scheme is quite easy to catch—the message asks the recipients to respond with personal information such as their full name, phone number, and email address. Only after the recipient responds with this information will they receive instructions on how to make a donation.

In line with this, users are strongly advised to ignore and delete such messages and resort to already-known channels mentioned in the previous update to send in their donations.
