Scammers First on the Scene for Türkiye’s “Disaster of the Century”

Share On Facebook
Share On Twitter
Share On Linkedin

Author: Kathleen Persighetti

 

On Monday morning, Türkiye, frequently referred to as Turkey, was hit with one of the deadliest earthquakes the world has seen in 80 years. As of 9 February, the death toll had surpassed 20,000 people.1 Since the quake hit in the early morning hours, many people were still in bed and are now trapped underneath rubble. Deadly disasters like these are a breeding ground for cyber criminals, who have jumped at the opportunity to take advantage of individuals seeking to send aid to the struggling victims.

Almost immediately after the disaster was announced, online scams claiming to provide aid to the victims of the earthquake began appearing. An email phishing campaign from a counterfeit organization called the Wladimir Charity Foundation attempted to collect cryptocurrency funds that they claim will help homeless families and children. The campaign began circulating within 24 hours after the earthquake struck.2 Another scam used Twitter to ask for donations via PayPal. The cybercriminals deposited $500 into the account to make the account appear more legitimate.3 However, PayPal has not operated in Turkey since 2016, so any charity that seems to be Turkish and is asking for donations via PayPal is most likely fraudulent.

The Infoblox Threat Intelligence Group has found over 150 fraudulent web pages related to this disaster thus far. Many display images of children in crisis and ask for donations through a QR code, TWINT, PayPal, or other online fund transfer methods. A list of the current domains that Infoblox has flagged as malicious or suspicious can be found at our public Github repository here, we have also added a separate list of legitimate donation sites. The images below are screenshots of fake donation sites.

As we saw with the invasion of Ukraine, cybercriminals are quick to act and produce material that is very hard to distinguish from legitimate sites.4 In domains related to the earthquake, we have seen malicious domains with the U.S. Federal Bureau of Investigation listed as the registrant, illustrating one tactic they will use to fool people.

Figure 1. Screenshot of help-turkiye[.]com phishing website attempting to collect online donations.

Figure 2. Screenshot of turkeyhelp[.]world phishing website attempting to collect online donations.

Endnotes

  1. https://www.npr.org/2023/02/09/1155647266/turkey-earthquake-erdogan-government-response-criticism
  2. https://www.bitdefender.com/blog/hotforsecurity/cybercriminals-exploit-human-misery-in-earthquake-hit-turkey-and-syria-with-new-online-disaster-scam/
  3. https://www.bleepingcomputer.com/news/security/paypal-and-twitter-abused-in-turkey-relief-donation-scams/
  4. https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/newly-observed-domains-and-the-ukraine-war/

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×