The Nepal Tragedy: Social Engineering Lures Turn Donors into Victims

The news of the catastrophic earthquake that hit Nepal before the end of April generated concern and sympathy around the globe. The magnitude-7.8 earthquake greatly affected the region, not just with the number of lives lost, but in terms of the damage to property and livelihood. Images of the haunting remains of the devastation captured the world, compelling people from all over to extend a helping hand to survivors after weathering what is being called one of the disastrous earthquakes ever to hit the region since 1934.

As is expected in calamities such as this, aid organizations, charitable institutions, government administrations and even private individuals and companies have all spearheaded relief efforts and donation drives for the victims of the disaster. But as quickly as these efforts have been established, cybercriminals are also quick to pounce on the interest with schemes that take advantage of the global event for profit.

How are cybercriminals taking advantage of the Nepal tragedy?

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning to users of potential scams expected use the Nepal earthquake as hook. Social engineering lures that ride the wave of big events similar to the damaging earthquake in Nepal may have been one of the oldest tricks in the book but these have been proven effective through the years.

The US-CERT notes that scam emails are known to contain links and attachments used as ploy to lead users to compromised websites: tricking users to give out information and, of course, money. It was earlier reported that a barrage of messages using the earthquake as a hook for spam emails has been seen. For example, spammed emails that peddle medicine will make use of the Nepal earthquake as hook to grab user attention. Customized scam messages claiming to be sent by victims of the disaster have also surfaced.

Tapping into the giving spirit of users has been a go-to tactic for cybercriminals to dupe online users into sending them money for "help". Email messages claiming to have come from victims of the disaster and organizations pushing for relief efforts have also been circulating.

A malware campaign has also been sighted involving a spam message with a malicious attachment that uses the Nepal tragedy as a lure. Clicking on the link downloads malware that's capable of logging keystrokes from the infected system before sending these over to a remote server.

The tragedy has also spawned fake versions of legitimate donation drives aimed at collecting relief efforts for Nepal. The ActionAid site was replicated and designed to look like the actual site to trick users into donating via PayPal.

What can you do?

Big global events like the tragedy in Nepal will remain as an effective tool that cybercriminals use to turn unsuspecting online users into victims. However, awareness will always be the most effective defense against the tactics mentioned above.

  • Verify email messages. One reckless click can lead you into a cybercriminal trap. Always check with your contacts before opening an email message, especially if it contains an attachment.
  • Bookmark trusted sites. Creating bookmarks of websites you frequent reduces the chances of accidentally visiting into a compromised site.
  • Think before you click. Avoid trusting links that lead to unknown targets.
  • Invest in a security solution. With the help an effective security solution, your system, and your data will be protected from all kinds of threats.
  • Donate to legitimate organizations. Lastly, if you wish to send any type of help, go through the official channels of known charitable organizations to make sure that the donations you send out goes to your intended recipients—and not to an online scammer's pocket. 
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Опубликовано в Cybercrime & Digital Threats, social engineering, Spam