- 3 lucrative side hustles you can start right now with OpenAI's Sora video generator
- How to use Microsoft's Copilot AI on Linux
- Protect 3 Devices With This Maximum Security Software
- I tested Samsung's 98-inch 4K QLED TV, and watching Hollywood movies on it left me in awe
- Apple is working on a doorbell that unlocks your door Face ID-style
Scammers are Exploiting Ukraine Donations
Authored by Vallabh Chole and Oliver Devane
Scammers are very quick at reacting to current events, so they can generate ill-gotten gains. It comes as no surprise that they exploited the current events in Ukraine, and when the Ukrainian Twitter account tweeted Bitcoin and Ethereum wallet addresses for donations we knew that scammers would use this as a lure for their victims.
This blog covers some of the malicious sites and emails McAfee has observed in the past few weeks.
Crypto wallet donation scams
A crypto donation scam occurs when perpetrators create phishing websites and emails that contain cryptocurrency wallets asking for donations. We have observed several new domains being created which perform this malicious activity, such as ukrainehelp[.]world and ukrainethereum[.]com.
Ukrainhelp[.]world
Below is a screenshot of Ukrainehelp[.]world, which is a phishing site asking for crypto donations for UNICEF. The website contains the BBC logo and several crypto wallet addresses.
While investigating this site, we observed that the Ethereum wallet used use was also associated with an older crypto scam site called eth-event20.com. The image below shows the current value of the crypto wallet which is worth $114,000. Interestingly this wallet transfers all its coins to 0xc95eb2aa75260781627e7171c679a490e2240070 which in turn transfers to 0x45fb09468b17d14d2b9952bc9dcb39ee7359e64d. The final wallet currently has 313 ETH which is worth over $850,000. This shows the large sums of money scammers can generate with phishing sites.
Ukrainethereum[.]com
Ukrainethereum[.]com is another crypto scam site, but what makes this one interesting is the features it contains to gain the victim’s confidence in trusting the website such as a fake chatbox and a fake donation verifier.
Fake Chat
The image above shows the chatbox on the left-hand side which displays several messages. At first glance, it would appear as if other users are on the website and talking, but when you reload the site it shows the same messages. This is due to the chat messages being displayed from a list that is used to populate the website with JavaScript code as shown on the right-hand side.
Fake Donation Verifier
The site contains a donation checker so the victim can see if their donation was received, as shown below.
- The first image on left shows the verification box for donation to check if it is completed or not
- Upon clicking ‘Check’ the victim is shown a message to say the donation was received.
- What occurs, is upon clicking ‘Check’ the JavaScript code changes the website code so that it displays the ‘Thanks!’ message, and no actual check is performed.
Phishing Email
The following image shows one of the examples of phish emails we have observed.
The email is not addressed to anyone specifically as they are mass-mailed to multiple email addresses. The wallet IDs in the email are not associated with the official Ukraine Twitter and are owned by scammers. As you can see in the image above, they are similar as the first 3 characters are the same. This could lead to some users believing it is legitimate. Therefore, it’s important to check that the wallet address is identical.
Credit Card Information Stealer
This is the most common type of phishing website. The goal of these sites it entices the victim into entering their credit card and personally identifiable information (PII) data by making them believe that the site being visited is official. This section contains details on one such website we have found using Ukraine donations as a lure.
Razonforukrain[.]com
The image below shows the phishing site. The website was used to save the children’s NGO links and images, which made it appear more genuine. You can see that is it asking the victim to enter their credit card and billing information.
Once the data is entered, and the victim clicks on ‘Donate’, the information will be submitted via the form and will be sent to scammers so they can then use or sell the information.
We observed that a few days after the website was created, the scammers change the site code so that it became a Mcdonald’s phishing site targeting the Arab Emirates. This was a surprising change in tactics.
The heatmap below shows the detections McAfee has observed around the world for the malicious sites mentioned in this blog.
Conclusion
How to identify a phishing email?
- Look for the domain from where you received mail, attackers masquerade it.
- Use McAfee Web Advisor as this prevents you from accessing malicious sites
- If McAfee Web Advisor is not used, links can be manually checked at https://trustedsource.org/.
- Perform a Web Search of any crypto wallet addresses. If the search returns no or a low number of hits it is likely fraudulent.
- Check for poor grammar and suspicious logos
- For more detailed advice please visit McAfee’s How to recognize and protect yourself from phishing page
How to identify phishing websites?
- Use McAfee Web Advisor as this prevents you from accessing malicious sites
- Look at the URL of the website which you are visiting and make sure it is correct. Look for alterations such as logln-paypal.com instead of login.paypal.com
- If you are unsure that the website is legitimate. Perform a Web search of the URL. You will find many results If they are genuine. If the search returns no or a low number of hits it is likely fraudulent
- Hyperlinks and site addresses that do not match the sender – Hover your mouse over the hyperlink or call-to-action button in the email. Is the address shortened or is it different from what you would expect from the sender? It may be a spoofed address from the
- Verify if the URL and Title of the page match. Such as the website, razonforukraine[.]com with a title reading “McDonald’s Delivery”
For general cyber scam, education click here
McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee Web Advisor
Type | Value | Product | Detected |
URL – Phishing Sites | ukrainehelp[.]world | McAfee WebAdvisor | Blocked |
URL – Phishing Sites | ukrainethereum[.]com | McAfee WebAdvisor | Blocked |
URL – Phishing Sites | unitedhelpukraine[.]kiev[.]ua/ | McAfee WebAdvisor | Blocked |
URL – Phishing Sites | donationukraine[.]io/donate | McAfee WebAdvisor | Blocked |
URL – Phishing Sites | help-ukraine-compaign[.]com/shop | McAfee WebAdvisor | Blocked |
URL – Phishing Sites | ukrainebitcoin[.]online/ | McAfee WebAdvisor | Blocked |
URL – Phishing Sites | ukrainedonation[.]org/donate | McAfee WebAdvisor | Blocked |
URL – Phishing Sites | ukrainewar[.]support | McAfee WebAdvisor | Blocked |
URL – Phishing Sites | sendhelptoukraine[.]com | McAfee WebAdvisor | Blocked |
URL – Phishing Sites | worldsupportukraine[.]com | McAfee WebAdvisor | Blocked |
URL – Phishing Sites | paytoukraine[.]space | McAfee WebAdvisor | Blocked |
URL – Phishing Sites | razonforukraine[.]com | McAfee WebAdvisor | Blocked |