Financial Scammers Capitalizing on Natural Disasters
Donation scams are fraudulent schemes where individuals or organizations falsely claim to be collecting money for a charitable cause, such as a natural disaster or a medical emergency, a recent example being the Kahramanmaras earthquake in Turkey and Syria. The scammers may ask for donations through email, social media, telephone calls, or door-to-door solicitations. They may use fake websites, bank accounts, and other means to trick people into giving money. The funds are then used for personal gain rather than going toward the intended cause.
The Kahramanmaras earthquake in Turkey and Syria on 6th February 2023 is a prime example of how scammers take advantage of natural calamities to carry out donation scams. After a disaster, people often want to help those affected by donating to charity organizations.
Scammers exploit this generosity by falsely claiming to be collecting funds for disaster relief efforts when the money will actually be used for personal gain.
Observations & Findings
Cyble Research & Intelligence Labs (CRIL) discovered various domains and IP addresses hosting websites that claim to be collecting funds to aid those affected by the earthquake in Turkey and Syria.
Figure 1 depicts a website, hxxps://redcrossturkey[.]com/, which falsely uses the logo of a legitimate organization, https://www.oxfam.org.uk/.
This fake website, “redcrossturkey[.]com, “ claims to be created to accept donations for those affected by the earthquakes in Turkey and Syria.
It requests personal information, such as the user’s mobile number and email ID, as well as the desired donation amount. After the user submits their information, the website displays the message “We will contact you soon!!” and redirects the user to the legitimate donation website, https://www.oxfam.org.uk/oxfam-in-action/current-emergencies/turkey-and-syria-earthquake-appeal/.
After obtaining the users’ contact information, the scammers can use it to contact them through phone calls or emails and deceive them into transferring money to their accounts.
The website transmits the user-provided information to a server through a Google script, as depicted in the accompanying image.
The image below provides the WHOIS domain information that displays the creation and expiry dates.
The serving IP address for the aforementioned website is 128.199.90[.]75, which has also been utilized to host other phishing pages, as illustrated below.
The following image shows a website, hxxps://help-turkey[.]org/, falsely created to collect funds for those affected by the earthquake in Turkey.
Upon clicking the “Make a Donation” button, the user is redirected to a page where the donation can be completed using PayPal. Through this method, the scammers can successfully transfer the money into their own accounts.
The image shows the WHOIS domain information, revealing details such as the creation and expiration date.
The serving IP address for the website hxxps://help-turkey[.]org/ is 35.208.102[.]247, which has also been utilized to host other phishing pages, as depicted in the accompanying image.
Another website, hxxps://turkeyrelieftoken[.]help/, claims to be created to provide financial help to the people impacted by the earthquake in Turkey.
The image displays the WHOIS domain information, including the creation and expiration dates.
The serving IP address for the website hxxps://turkeyrelieftoken[.]help/ is 162.213.251[.]229, which has also been utilized to host other phishing pages, as depicted in the accompanying image.
There has been an increase in reports of fraudulent donation schemes following the earthquake in Turkey & Syria. Even with the best intentions, one needs to be cautious and verify the legitimacy of any donation opportunities before providing information or making a donation.
Cyble Research & Intelligence Labs continuously monitors the ongoing malicious campaigns against Turkey and Syria. We will keep updating our readers with the latest information as and when we find it.
We have listed some essential practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Beware of fraudulent donation accounts.
- Choose a traceable method of payment to ensure accountability.
- Beware of phishing websites.
- Proceed with caution when participating in crowdfunding initiatives.
Indicators of Compromise (IoCs)