Japanese Earthquake Disaster Scams Exploit at Record Pace

« Fake Ads Posing as AV Solutions Target Browsers | Main | Adobe Warning Issued For Potential of Attacks on Flash Player Vulnerability »


Japanese Earthquake Disaster Scams Exploit at Record Pace

Darren Lanz

It is astounding how far malware attackers will go to to victimize people by taking advantage of the misfortune of others.

Today, Noriyaki Hayashi reports from Trend Micro's blog that they've discovered a phishing site that poses as a donation site to help the victims of the recent Japanese earthquake. The site http://www.japan{BLOCKED}.com was found to be hosted within the U.S. and was still active as of the time of this writing.

Phishing site posing as donation site

Site shown after clicking 'join now'
Additionally, the same authors of this site abused the blog function to insert advertisement-look-alike posts, presumably to increase the search engine rankings.

Abused blog function on phishing site
Attacks  like this aren't uncommon. (Think back to Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Chinese Sichuan earthquake in 2008, and the Haiti earthquake in 2010.)

Norman Ingal -- threat response engineer at Trend Micro -- also reported on March 11 that immediately after the news broke of the 8.9 Richter scale magnitude earthquake and subsequent tsunami in Japan, several websites popped up with keywords relating to the quake.

One of the sites with the keyword 'most recent earthquake in Japan' led to FAKEAV variants that were identified by Trend Micro as MalFakeAV-25 and later identified as TrojFakeAV.PB.

These blackhat SEO attacks that lead to rogue antivirus downloads continue to be very common.

Many new domains are being created and parked with keywords similar to earthquake and tsunami in Japan. Key words such as help, earthquake, japan, tsunami, relief, disaster, fund, and donations were used.

Perhaps the message here is to be careful when searching for media content by using known trusted media sites.

Facebook pages are being utilized as well.  One claims to contain video footage and lure the visitors to a site called hxxp://www.{BLOCKED}u.fr/view.php?vid=Le-plus-gros-Tsunami-du-Japon-depuis-20-an.

The facebook page is titled  â€œJapanese Tsunami RAW Tidal Wave Footage!" and a script auto-directs  visitors  to a fake video page where the video is actually a hyperlinked image. Users that click on this get led to a page asking for their cell phone number.

The script also implements a 'Like' and posts a link to the user's wall. Trend Micro Antivirus Software detects this script as HTML_FBJACK.A.

Spammed email messages are being exploited as well. They ask for personal information first with promises of instructions on how to send your donations once the user responds.

Readers should use long-established avenues such as the Red Cross (http://www.redcross.com) and Medical Teams International (http://medicalteams.org) if you wish to donate.

Symantec's Samir Patel (with thanks to Dylan Morss, Christopher Mendes, and Sujay Kulkarn) in a Symantec piece on Japan relief scams says over 50 new domain names have been registered that use the keywords 'Japan tsunami' or 'Japan earthquake'.

These sites are either parked, for sale, or linked to other earthquake websites.

Some example sites include:

  • 3-11-2011-[removed].com
  • 3-11[removed].com
  • earthquake-[removed].com
  • earthquaketsunami[removed].com
  • earthquakerelief[removed].com

Symantec has observed a a 419-type message that capitalizes on the disaster. It is a fake "next of kin" story that purports to settle millions of dollars owing to an earthquake and tsunami victim:

Japan scam message

Attachments and .zip files can be embedded in such emails so beware if the source is unknown.

Activities such as these underscore the importance of keeping antivirus software updated along with a healthy dose of caution when browsing the Internet.


You can follow this conversation by subscribing to the comment feed for this post.

This is heartless. Japan was in turmoil and someone has the nerves to exploit that. Wow.

The comments to this entry are closed.