Cyble – Increase In Fake Donation Schemes Following Massive Earthquake In Turkey

Financial Scammers Capitalizing on Natural Disasters

Donation scams are fraudulent schemes in which individuals or organizations falsely claim to be collecting money for a charitable cause, such as a natural disaster or a medical emergency. A recent example is the scams that followed the Kahramanmaras earthquake in Turkey and Syria. The scammers may ask for donations through email, social media, telephone calls, or door-to-door solicitations. They may use fake websites, bank accounts, and other means to trick people into giving money. The funds are then used for personal gain rather than going toward the intended cause.

The Kahramanmaras earthquake in Turkey and Syria on 6th February 2023 is a prime example of how scammers take advantage of natural calamities to carry out donation scams. After a disaster, people often want to help those affected by donating to charity organizations.

Scammers exploit this generosity by falsely claiming to be collecting funds for disaster relief efforts when the money will actually be used for personal gain.

Observations & Findings

Cyble Research & Intelligence Labs (CRIL) discovered various domains and IP addresses hosting websites that claim to be collecting funds to aid those affected by the earthquake in Turkey and Syria.

Figure 1 depicts a website, hxxps://redcrossturkey[.]com/, which falsely uses the logo of a legitimate organization, https://www.oxfam.org.uk/.

This fake website, “redcrossturkey[.]com,” claims to have been created to accept donations for those affected by the earthquakes in Turkey and Syria.

It requests personal information, such as the user’s mobile number and email ID, as well as the desired donation amount. After the user submits their information, the website displays the message “We will contact you soon!!” and redirects the user to the legitimate donation website, https://www.oxfam.org.uk/oxfam-in-action/current-emergencies/turkey-and-syria-earthquake-appeal/.

After obtaining the users’ contact information, the scammers can use it to contact them through phone calls or emails and deceive them into transferring money to their accounts.

Figure 1 – Phishing Website

The website transmits the user-provided information to a server through a Google script, as depicted in the accompanying image.

Figure 2 – Website Sending User Info to the TA
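A static check for the pattern described above, added here as an example and not taken from Cyble's analysis: it flags a page that asks for contact details and sends them to a Google Apps Script endpoint, and lists the other off-site hosts the page references (such as a redirect target). It assumes "Google script" means an Apps Script web app on script.google.com; the function names, the sample HTML and the host donation-page.example are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the "Google script" is an Apps Script web app on this host.
APPS_SCRIPT_HOSTS = {"script.google.com"}
CONTACT_HINTS = ("mail", "phone", "mobile", "tel")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

class PageScan(HTMLParser):
    # Collects form targets, URLs in inline scripts and contact-style inputs.
    def __init__(self):
        super().__init__()
        self.urls, self.contact_fields, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.urls.append(a["action"])
        elif tag == "input":
            label = f"{a.get('name') or ''} {a.get('type') or ''}".lower()
            if any(h in label for h in CONTACT_HINTS):
                self.contact_fields.append(a.get("name") or a.get("type"))
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.urls.extend(URL_RE.findall(data))

def assess(html, page_host):
    # Relative URLs (hostname None) and the page's own host are not off-site.
    scan = PageScan()
    scan.feed(html)
    scan.close()
    hosts = {urlparse(u).hostname for u in scan.urls} - {None, page_host.lower()}
    exfil = sorted(hosts & APPS_SCRIPT_HOSTS)
    return {"contact_fields": scan.contact_fields, "apps_script_hosts": exfil,
            "other_offsite_hosts": sorted(hosts - APPS_SCRIPT_HOSTS),
            "suspicious": bool(scan.contact_fields and exfil)}

# Constructed sample (not the real page); the deployment ID is a placeholder.
SAMPLE = """<form action="https://script.google.com/macros/s/DEPLOYMENT_ID/exec">
<input type="email" name="email"><input type="tel" name="mobile">
<input type="number" name="amount"></form>
<script>location.href = "https://www.oxfam.org.uk/";</script>"""
```

Calling assess(SAMPLE, "donation-page.example") marks the sample as suspicious. Legitimate sites also use Apps Script for forms, so a hit is a triage signal to weigh with domain age and branding mismatch, not a verdict.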

The image below provides the WHOIS domain information that displays the creation and expiry dates.

Figure 3 – Domain’s WHOIS Info

The serving IP address for the aforementioned website is 128.199.90[.]75, which has also been utilized to host other phishing pages, as illustrated below.

Figure 4 – IP Address Serving More Phishing Pages

The following image shows a website, hxxps://help-turkey[.]org/, that falsely claims to collect funds for those affected by the earthquake in Turkey.

Figure 5 – Phishing Website Image

Upon clicking the “Make a Donation” button, the user is redirected to a page where the donation can be completed using PayPal. Through this method, the scammers can successfully transfer the money into their own accounts.

Figure 6 – Payment Page

The image shows the WHOIS domain information, revealing details such as the creation and expiration date.

Figure 7 – WHOIS Information of the Domain

The serving IP address for the website hxxps://help-turkey[.]org/ is 35.208.102[.]247, which has also been utilized to host other phishing pages, as depicted in the accompanying image.

Figure 8 – IP Address Serving More Phishing Pages

Another website, hxxps://turkeyrelieftoken[.]help/, claims to have been created to provide financial help to the people impacted by the earthquake in Turkey.

Figure 9 – Phishing Website Page

The image displays the WHOIS domain information, including the creation and expiration dates.

Figure 10 – WHOIS Info of the Domain

The serving IP address for the website hxxps://turkeyrelieftoken[.]help/ is 162.213.251[.]229, which has also been utilized to host other phishing pages, as depicted in the accompanying image.

Figure 11 – Serving IP Hosting More Phishing Pages

Conclusion

There has been an increase in reports of fraudulent donation schemes following the earthquake in Turkey & Syria. Even with the best intentions, one needs to be cautious and verify the legitimacy of any donation opportunities before providing information or making a donation.

Cyble Research & Intelligence Labs continuously monitors the ongoing malicious campaigns against Turkey and Syria. We will keep updating our readers with the latest information as and when we find it.

Our Recommendations

We have listed some essential practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

  • Use a reputable anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Beware of fraudulent donation accounts.
  • Choose a traceable method of payment to ensure accountability.
  • Beware of phishing websites.
  • Proceed with caution when participating in crowdfunding initiatives.

Indicators of Compromise (IoCs)

Indicators                         | Indicator Type | Description
hxxps://redcrossturkey[.]com/      | URL            | URL
hxxps://help-turkey[.]org/         | URL            | URL
hxxps://turkeyrelieftoken[.]help/  | URL            | URL

Source: https://blog.cyble.com/2023/02/13/increase-in-fake-donation-schemes-following-massive-earthquake-in-turkey/