Author: Kathleen Persighetti
On Monday morning, Türkiye, frequently referred to as Turkey, was hit with one of the deadliest earthquakes the world has seen in 80 years. As of 9 February, the death toll had surpassed 20,000 people.1 Since the quake hit in the early morning hours, many people were still in bed and are now trapped underneath rubble. Deadly disasters like these are a breeding ground for cyber criminals, who have jumped at the opportunity to take advantage of individuals seeking to send aid to the struggling victims.
Almost immediately after the disaster was announced, online scams claiming to provide aid to the victims of the earthquake began appearing. An email phishing campaign from a counterfeit organization called the Wladimir Charity Foundation attempted to collect cryptocurrency funds that they claim will help homeless families and children. The campaign began circulating within 24 hours after the earthquake struck.2 Another scam used Twitter to ask for donations via PayPal. The cybercriminals deposited $500 into the account to make the account appear more legitimate.3 However, PayPal has not operated in Turkey since 2016, so any charity that seems to be Turkish and is asking for donations via PayPal is most likely fraudulent.
The Infoblox Threat Intelligence Group has found over 150 fraudulent web pages related to this disaster thus far. Many display images of children in crisis and ask for donations through a QR code, TWINT, PayPal, or other online fund transfer methods. A list of the current domains that Infoblox has flagged as malicious or suspicious can be found at our public Github repository here, we have also added a separate list of legitimate donation sites. The images below are screenshots of fake donation sites.
As we saw with the invasion of Ukraine, cybercriminals are quick to act and produce material that is very hard to distinguish from legitimate sites.4 In domains related to the earthquake, we have seen malicious domains with the U.S. Federal Bureau of Investigation listed as the registrant, illustrating one tactic they will use to fool people.
Figure 1. Screenshot of help-turkiye[.]com phishing website attempting to collect online donations.
Figure 2. Screenshot of turkeyhelp[.]world phishing website attempting to collect online donations.