Haiti earthquake themed blackhat SEO campaigns serving scareware


Summary: Cybercriminals quickly mobilized following the news of a massive earthquake that hit Haiti on Tuesday. The blackhat SEO campaigns are only the tip of the iceberg. Here's what else to look for, and how to make sure you're donating money to the right organization.

TOPICS: Security, Browser

Cybercriminals quickly mobilized following the news of a massive earthquake that hit Haiti on Tuesday, by introducing several hundred compromised domains embedded with bogus blackhat SEO (search engine optimization) content related to Red Cross donations and general Haiti earthquake relief information.

The sites are already appearing within the first 10 search results on Google, and upon clicking on them the user is redirected to one of the most profitable monetization tactics (FBI: Scareware distributors stole $150M) that scammers use these days: scareware, also known as rogueware.

Naturally, the blackhat SEO campaigns are only the tip of the iceberg. Here's what else to look for, and how to make sure you're donating money to the right organization.

What's particularly interesting about the blackhat SEO campaign serving scareware (Setup_2022.exe; install.exe) is that a huge percentage of the sites are hosted within the network of Heart Shared hosting (heartinternet.co.uk), indicating some sort of automatic exploitation of its customers.

The same practice of relying on compromised legitimate domains within a particular ISP was also evident in blackhat SEO campaigns that were analyzed over the last couple of months.

For instance, not only was the same practice used to affect over a million web sites (Thousands of web sites compromised, redirect to scareware) in November, 2009, but also the campaign itself was traced back to the Koobface gang, which is clearly involved in fraudulent activities going beyond the Koobface botnet.
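For defenders, the flow described above (a search-result click landing on a compromised site, a redirect to a different host, then an executable download such as Setup_2022.exe) can be hunted for in web proxy logs. The following Python code is an added example, not part of the original article; the log format, the `.example` hostnames, the search-engine list and the 60-second window are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed list of search engines whose result clicks start a chain.
SEARCH_HOSTS = re.compile(r"(^|\.)(google|bing|yahoo)\.[a-z.]+$")
WINDOW = 60  # assumed max seconds between the search click and the download

# Constructed proxy log, one request per line: epoch client url referrer
SAMPLE_LOG = """\
1263400000 10.0.0.5 http://compromised.example/haiti-red-cross-donate.html http://www.google.com/search?q=haiti+earthquake+donate
1263400002 10.0.0.5 http://scanner.example/scan/ http://compromised.example/haiti-red-cross-donate.html
1263400009 10.0.0.5 http://scanner.example/download/Setup_2022.exe http://scanner.example/scan/
1263400100 10.0.0.7 http://charity.example/donate http://www.google.com/search?q=red+cross
1263400105 10.0.0.7 http://charity.example/thanks http://charity.example/donate
1263400200 10.0.0.9 http://vendor.example/tools/install.exe -
"""

def host(url):
    """Lower-cased hostname of a URL, or '' when there is none (e.g. '-')."""
    return (urlsplit(url).hostname or "").lower()

def parse(log):
    """Yield (ts, client, url, referrer) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2], parts[3]

def find_search_to_exe(log, window=WINDOW):
    """Flag .exe downloads reached by following referrers from a search click
    to a host other than the page the search result pointed at."""
    chains = {}  # client -> state of the most recent search-initiated chain
    hits = []
    for ts, client, url, ref in parse(log):
        h, rh = host(url), host(ref)
        if SEARCH_HOSTS.search(rh):
            chains[client] = {"start": ts, "landing": h, "hosts": {h}}
            continue
        chain = chains.get(client)
        # Ignore requests that are not linked to the chain by their referrer.
        if not chain or ts - chain["start"] > window or rh not in chain["hosts"]:
            continue
        chain["hosts"].add(h)
        if urlsplit(url).path.lower().endswith(".exe") and h != chain["landing"]:
            hits.append((client, chain["landing"], url))
    return hits

if __name__ == "__main__":
    for client, landing, url in find_search_to_exe(SAMPLE_LOG):
        print(f"{client}: search click on {landing} led to {url}")
```

The landing host in each hit is the likely compromised site; grouping those hosts by hosting provider is how a concentration like the one noted above would surface.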

Different fraudulent groups either multitask, or cover a specific fraud segment exclusively. According to Symantec, spam campaigns impersonating the British Red Cross are already in circulation, requesting Western Union payments to support the victims of the earthquake. Anticipating the upcoming flood of earthquake relief scams, the FBI has released the following tips in order to raise more awareness:

  • Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages.
  • Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.
  • Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its nonprofit status rather than following a purported link to the site.
  • Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.
  • Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.
  • Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.

If you want to donate money to the real organizations, consider going through Google's Support Disaster Relief in Haiti campaign page.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Could you please clarify..

    ..which operating system(s) are affected by this
    malware? It isn't of absolutely vital importance,
    but it really would make the article more
    • If you notice in the article, that it refers to

      some .exe's and the screen shot of course depicts Windows XP, and based on historical evidence that in all likelihood >97% of all attacks are targeting Windows.
      • So it's Windows' fault?

        So, of course, you want us to go to Linux or Mac, right?
        Never mind phishing scams, which have nothing to do with the OS.
        • Nonsense!

          The phisher-price OS (Windows) is great for
          phishing on, or being phished on!

          If you like paying through your nose, that is.
          • Ignorance and brainwashing

            Still plague the computer industry. Thanks for the demonstration.

            Anybody with the brain of a toad can avoid ALL of it, even my little kids don't get "infections".
          • Thanks for demonstrating your ignorance.

            You don't need "infections" to get phished. You
            just need an email account, and an OS (with a

            I will once again recommend Windows for this, if
            you like paying through your nose.
          • Hey Apu, clarify whatever it is you are trying to contribute.

            You yourself point out that you don't need an infection to be affected by this. I don't see anything in the article indicating that this is an OS-specific issue. Anybody could follow a bad link with any OS.

            You have several postings on this article and I haven't read one yet that makes any sense or even relates to the article.

            Seriously, do you just get bored in your basement between mosque and chicken choking?

            What is your deal?
          • Hey *Gwoman*..

            ..I was just pointing out that it can happen with
            any OS, but that Windows should be preferred if
            you like paying through your nose. That's pretty
            much the only difference between them when it
            comes to phishing. That you pay through your nose
            for Windows.
        • re:So it's Windows' fault?

          You're fine as you are, the wolves of this world need sheep to prey on.
        • Yes and no

          Being a very big player on the market, it's just natural that most OS-specific attacks will be directed to the sector with most market share. The article does, as you say, note about OS-independent attacks like phishing.
          Federico Churca-Torrusio
      • Okay. Thanks for clarifying.

        Another attack not to worry about.
  • RE: Haiti earthquake themed blackhat SEO campaigns serving scareware

    What the hell is a blackhat SEO campaign?
    Would be nice if you explain yourself.
    • "Blackhat SEO Campaign"

      SEO - Search Engine Optimization.
      Blackhat - loosely, a bad person.

      So, a blackhat SEO campaign would be a campaign organized by bad people using search engine optimization to scam the unwary.

      Suggest you install 1-Click Answers and never be mystified by an acronym again. :-)
      • Blackhat

        In old Western Movies the bad cowboys always wore black hats. The savior wore a white hat.

        That is where it comes from.
  • RE: Haiti earthquake themed blackhat SEO campaigns serving scareware

    also ck out http://en.wikipedia.org/wiki/Blackhat_seo#White_hat_versus_black_hat
  • RE: Haiti earthquake themed blackhat SEO campaigns serving scareware

    I find it somewhat short of amazing that the FBI, with all their resources and expertise, cannot precisely identify the physical location of these websites; the banks and accounts where the donations are sent by the unwary; or post office boxes used by these jerks and close them down - or better yet, shoot them. Somehow, I don't think they would be any loss to society.
  • Re: FBI

    It would be nice to shut down all the bad guys and sell their body parts, but it's easier said than done. Most of them are prime examples of "cloud computing," using the global nature of the web to hide. A bad guy in one country might use servers in several other countries and a web address that indicates he's in another. Some of the malware they dish out infects your computer and recruits it as a member of a "botnet," spreading itself to all your email & messaging contacts. So at the same time you're asking that the FBI should be shutting these guys down, your own computer may be gathering stolen financial & identity info (yours and others') and forwarding it to some anonymous server overseas.
    • And what's Google doing about it?

      How hard can it be to prevent these cretins' websites from showing up in search results? That's how most people end up on these sites in the first place.
  • RE: Haiti earthquake themed blackhat SEO campaigns serving scareware

    Isn't EVERYTHING WINDOWS' fault! We wouldn't want to blame anything on the real bad guys in these scams now would we~...