Haitian Earthquake Disaster, SMS/Text Message Donations and Cyber Criminals: A Perfect Combination

As the world responds with kindness and compassion to the devastating 7.0 earthquake that struck Port-au-Prince on January 12, 2010, fraudsters and cyber criminals are already at work taking advantage of the situation. In addition to the traditional forms of despicable profiteering that occur surrounding many natural disasters, new technologies for emergency philanthropy and disaster assistance are creating novel opportunities for fraud.

Text-to-give campaigns have gone viral in the past few days allowing people around the globe to donate small amounts of money via their cell phone bills.  The largest such campaign has been run by the American Red Cross, which has allowed people to donate $10 by sending an SMS message with the word “Haiti” in it to phone number: 90999.

This new method of charitable donation has exploded in use since the earthquake struck and according to the American Red Cross has been responsible for 5 million dollars in donations in less than 72 hours.  Even the White House has encouraged members of the international community to utilize SMS philanthropy as a quick and easy way to contribute and make a difference.  Within short order, a number of other such services appeared, including:

* Text HAITI to 25383 to donate $5 to International Rescue Committee
* Text HAITI to 45678 to donate $5 to the Salvation Army in Canada
* Text YELE to 501501 to donate $5 to Yele
* Text RELIEF to 30644 for Catholic Relief Services
* Text HAITI to 864833 to donate $5 to The United Way
* Text CERF to 90999 to donate $5 to The United Nations Foundation

Of course, given the tens of millions of dollars being donated, it is not surprising that international cyber criminals and fraudsters are quick to take advantage of the misfortune of others.  What is to prevent a group of criminals from setting up their own completely fraudulent charity to take advantage of all this giving?  Not much.  Sadly, the practice is nothing new and dozens of such frauds were committed in the name of other global disasters such as the 2004 Asian Tsunami and later with Hurricane Katrina.

What makes this case different is that mobile payments and donations represent a relatively new technology, not particularly well understood by the general public, and thus can be readily exploited. For example, how easy would it be to stand in Leicester Square in London, Times Square in New York or along the Ginza in Tokyo, passing out leaflets to concerned citizens with a fake or spoofed SMS number on them? Thousands of nice fliers could be prepared with the Red Cross logo prominently displayed, but instead of listing the correct 90999 number, criminals could encourage people to text the word Haiti to “999999” or “9099999.” The profits might quickly be siphoned off by international organized criminals who are expert at moving large amounts of money very quickly to bank accounts around the world.

Already in the UK there is evidence of scammers using 419-type scams, sending email appeals on behalf of the British Red Cross that ask for donations via Western Union. See the story below. In addition, the FBI has also issued warnings against Haiti-relief scams.

As noted previously, criminals and fraudsters trying to take advantage of a disaster situation for profit is nothing particularly new, and scam charities have been around for dozens of years. What is different this time is the proliferation of technology and the decreasing role of the traditional media. In the old days, if one were to see a report on the BBC or ABC news about where to send paper checks for disaster relief, the information could be trusted. Today, however, in a world in which every internet user is potentially also a broadcaster, streams of newsfeeds come in from all sources. Trust is a major issue. Thus on Facebook, Twitter and other social media, it is quite easy to create a fully legitimate-looking disaster appeal campaign meant to defraud. In addition, the proliferation of electronic and virtual forms of currency will only complicate the trend for investigators and law enforcement. How long will it be before users in Second Life are accepting donations in Linden Dollars or World of Warcraft players are donating pieces of gold to relief efforts? For that matter, how easy would it be to create a virtual Red Cross building in an MMORPG (without the knowledge of the real Red Cross) and to begin accepting charitable donations? Given the rapid ability to trade and transfer electronic and virtual currencies around the globe, they will make for an attractive new modus operandi for international cyber criminals.

Let’s hope law enforcement stays on top of this deplorable behaviour and vigorously investigates and prosecutes anybody attempting to benefit from the misery and suffering of others.

Story Update: As of January 18, 2009, text message donations to victims of the devastating earthquake in Haiti crossed the $10 million mark. It undoubtedly will grow even higher, representing an even more tempting target for global high-tech criminals.

419-Style Scammers Seeking to Exploit Appeal for Donations to Support Victims of Haitian Earthquake

by Paul Wood
The Symantec Blog

January 14th, 2010

Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services

People all over the world are currently feeling a great deal of sympathy for the people of Haiti, who were recently hit by a severe earthquake. Humanitarian aid is being offered by many countries around the globe, and aid charities are looking for donations so that they can send all the help they can.

And then there are people who don’t want to help and will use any means to try and get those donations. ‘419’ advance fee fraud scams are common and the perpetrators are always looking for new attention-grabbing topics which will trick people into handing over their money. Something like the humanitarian crisis of the Haiti earthquake is, sadly, a prime target for these scammers. They count on the public’s good nature, concern, and desire to help, and hope that they won’t see through the scam email which they are reading. The desire to help can often cloud a person’s good judgement.

Below (screenshot attached) is a 419-style scam we have already seen. They have used the correct postal address, and there is indeed a British Red Cross appeal for donations to help the victims of this disaster, but the BRC do not use Western Union for donations. Also, the email address supplied for contact is not one belonging to the BRC. Any money sent using the instructions in this email would not help anyone in Haiti; it would end up in the pockets of a cyber-criminal.

[Screenshot: Haiti-Appeal-419.jpg]