[ISN] Phishers, virus writers exploit tsunami disaster

InfoSec News isn at c4i.org
Tue Jan 18 06:38:26 EST 2005


January 18, 2005

PETALING JAYA: Computer security firms have issued warnings about
phoney e-mail and fraudulent websites that seek to exploit the Asian
Tsunami disaster to steal confidential data or spread malicious

Sophos Plc has discovered a mass-mailing worm that poses as a plea for
donations. The VBSun-A worm (W32/VBSun-A) spreads via e-mail, tempting
innocent users into clicking its malicious attachment by pretending to
be information about how to donate to a tsunami relief effort.

However, running the attached file will not only forward the virus to
other Internet users but can also initiate a denial-of-service (DoS)  
attack against a German hacking website, the British antivirus company
said in a statement.

A DoS attack seeks to crash a webserver by overloading it with a flood
of requests for data.

E-mail sent by the VBSun-A worm arrives with the subject line "Tsunami
Donation! Please help!" and the message text "Please help us with your
donation and view the attachment below! We need you!"

The worm has an attachment named "tsunami.exe." Sophos recommends that
recipients delete the e-mail and not open the attachment.

"Duping innocent users into believing that they may be helping the
tsunami disaster aid efforts shows virus writers stooping to a new
low," said Graham Cluley, senior technology consultant at Sophos.

"This gruesome insensitivity is a despicable ploy to get curious
computer users to run malicious code on their computers.

"Everyone should be wary of unsolicited e-mail attachments, and visit
the established charity websites (www.google.com/tsunami_relief.html)  
instead if they wish to assist those suffering as a result of the
disaster," he added.

Further details about VBSun-A can be found at

VBSun-A is not the first virus to try and take advantage of the
tsunami disaster, Sophos said.

The VBS/Geven-B worm tried to spread a sick message earlier this month
that the tsunami was God's revenge on "people who did bad on Earth."

Not only have criminals in Taiwan sent SMS (short message service)
messages posing as the Red Cross, but a variety of fraudulent e-mail
and phishing websites impersonating donation collection sites have
also cropped up, warned Tokyo-based antivirus company Trend Micro Inc.

Such cases have already cropped up in Australia, Canada, China, England,
Singapore and the United States, Trend Micro said in a statement.

These cases include e-mail messages that give account information for
wiring donations or links to what appears to be relief websites.

Trend Micro said donors should be careful when using search engines to
find relief organisations.

One such donor used a search engine to find the China Charity
Federation's website; the organisation's actual website is
www.chinacharity.cn, but instead he found www.chinacharity.cn.net (an
additional .net was present).
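
The lookalike described above can be caught mechanically by comparing DNS labels rather than eyeballing the string. The following is an added example, not part of the original article or any vendor's tooling; the allowlist and the category names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist; the article names only this one genuine site.
TRUSTED_HOSTS = ["www.chinacharity.cn"]


def host_of(url_or_host):
    """Return the lower-cased hostname of a URL or bare host string."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text  # let urlsplit treat a bare host as a netloc
    return (urlsplit(text).hostname or "").rstrip(".").lower()


def classify(url_or_host, trusted=TRUSTED_HOSTS):
    """Classify a host as trusted, subdomain, lookalike-suffix, unknown or invalid."""
    host = host_of(url_or_host)
    if not host:
        return "invalid"
    labels = host.split(".")
    for good in trusted:
        g = good.lower().split(".")
        bare = g[1:] if g[0] == "www" else g  # registrable part, e.g. chinacharity.cn
        n = len(bare)
        if labels == g or labels == bare:
            return "trusted"
        # DNS ownership is decided by the right-most labels, so a genuine
        # subdomain ends with the trusted name.
        if len(labels) > n and labels[-n:] == bare:
            return "subdomain"
        # The trusted name appears, but extra labels follow it on the right:
        # the host belongs to whoever controls that appended suffix.
        for i in range(len(labels) - n):
            if labels[i:i + n] == bare:
                return "lookalike-suffix"
    return "unknown"


if __name__ == "__main__":
    for sample in ("http://www.chinacharity.cn/",
                   "www.chinacharity.cn.net",
                   "donate.chinacharity.cn",
                   "example.org"):
        print(sample, "->", classify(sample))
```
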

Donors should make certain they are donating money to an actual
charitable organisation, and not a phisher posing as one.

They should also NOT forward e-mail asking for donations without first
confirming their authenticity, in order to prevent more victims from
falling prey.

In addition, users should not click on any links in the body of an
e-mail, even if it is a known address -- these addresses should be
typed manually into the address bar.

If an e-mail soliciting donations is suspicious, users can forward
it to Trend Micro as an attachment (do not forward directly as the
body of the e-mail) to let experts determine its authenticity free of

Suspicious e-mail containing links: antifraud at support.trendmicro.com.

Suspicious e-mail not containing links: hoaxes at support.trendmicro.com.


Nigerian scam

Trend Micro also warned that the infamous Nigerian Letter scam
operators have "revamped" their fraudulent practice -- which usually
takes the form of seeking help from outsiders to transfer hundreds of
millions of dollars in a frozen account -- to now enable a businessman
to donate billions of dollars to relief efforts.

The e-mail claiming to be from a rich businessman who is dying from
oesophageal cancer appears with the subject "HOW YOU CAN BE OF HELP TO

The body of the text includes a lengthy letter, explaining how the
author contracted cancer and will not live long, and is willing to
donate his US$1.2bil (RM4.6bil) located in a European bank to the
victims of the tsunami.

The letter says, "I will want you to assist me transfer this deposit
into your bank account and dispatched (sic) it to TSUNAMI VICTIMS.  
Please kindly contact me through my private e-mail address below."

Trend Micro reminded users not to make contact as requested if they
receive this e-mail -- not only will they not receive their "service
fee," but they might also see their own savings washed away.


Sri Lankan 'phisherman'

The company said it also recently received fraudulent e-mail in
Australia claiming to be from a victim of the disaster.

The apparent author of the letter, Ram-Kisha Narayan, claims to be a
fisherman from Sri Lanka whose wife and three children died in the
tsunami, while his house and fishing boat were swept away, along with
half of the houses in his village.

The letter states that he is seeking financial assistance for all the
fishermen in his village so that their fishing boats can be repaired
or replaced, and their livelihoods restored.

The village described in the letter is Klalutara, a resort town south
of the capital Colombo. An Associated Press report showed comparison
photos of this area before and after the tsunami, leaving a deep
impression in many people around the world.

The suspicious part of this e-mail is that the bank account
information included is at Postbank in the Netherlands, Trend Micro

Another e-mail from Phuket vividly describes the tsunami washing away
the alleged author's family, "... my beautiful daughter was calling me
daddy to come and save her, but there was nothing I could do, because
the flood was very heavy and dangerous."

The moving letter asks for financial assistance to be wired to London
through Western Union, as locals there are helping him rebuild his
