by March 18, 2011 0 comments



It’s no secret that criminals try to use huge disasters to their benefit to make some cash,  this time is no exception!  We have been able to track several black hat methods to convince people to “help” Japan’s disaster-affected population.  The set of techniques are not new and usually involve:

  • SEO poisoning

  • Rogue AV (anti-virus)

  • Phishing emails asking for donation

  • Malicious files attached to emails claiming to be legitimate documents

  • Facebook apps with CPA (cost per action) lead surveys

Black Hat SEO

SEO poisoning was used within minutes after the first wave hit the Japanese coast.  Using common search terms like, “japan earthquake news 2011” to search for the latest information in search engines is bringing all sorts of results, including malicious sites hosting fake AV.

Looks like a benign search result:




Following a link, the victim lands at a website with a slightly modified version of a redirection to fake AV,  in previous campaigns such websites were directly hosting fake AV,  nowadays they redirect to fake AV.

Rogue AV

When redirected via a “CLICK HERE” button,  a warning appears stating that your computer might already be infected:




Whether the “Cancel” or “OK” button is clicked, rogue Windows OS-like anti-virus will popup,  though it is running on a Linux OS

Phishing Email
Below is a very simple, nicely written and almost legitimate email which asks the recipient for a donation on behalf of Humanitarian Care Japan.  Notice this little detail:  “reply to:”  is a free mail address and completely different from the sender’s address.




Malicious Email

Another type of e-mails used are malicious e-mails and e-mails with links leading to malicious content. One like this is used in a targeted attack,  providing information about the nuclear crisis in Japan, and also has a document attached called “Understanding Japan’s Nuclear Crisis.doc” which surprisingly enough has very low coverage 5/43 in VT. Also, as you can see from the message source, it was also sent from a free mail account.




Facebook apps with CPA lead survey

And the last, but not least, vector of attacks is through social networks.  For example, Websense Threatseeker Network has identified a set of Websites that entice users to watch a video about the latest disaster events in Japan. As you can see per the picture below the involved sites are registered with .info TLD. D1 – stands for “Registered for 1 day”. Instead of getting a movie, users are redirected to a Facebook application installation page. The application asks for permission to post on the user’s wall.




The scam application has different names such as “RemoteViews”,  “Collect”,  “Consumer” and others.  Once clicked it asks the victim to fill in a survey to unlock pictures of people who viewed the victim’s profile:

It also leaves a post on the victim’s wall with a link to this application:

In conclusion we can see how, again and again, such disastrous events give cybercriminals a lot of  “ammo” for their “arsenal” of malicious activities.

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

<