Authored by Vallabh Chole and Oliver Devane
Scammers are very quick at reacting to current events, so they can generate ill-gotten gains. It comes as no surprise that they exploited the current events in Ukraine, and when the Ukrainian Twitter account tweeted Bitcoin and Ethereum wallet addresses for donations we knew that scammers would use this as a lure for their victims.
This blog covers some of the malicious sites and emails McAfee has observed in the past few weeks.
Crypto wallet donation scams
A crypto donation scam occurs when perpetrators create phishing websites and emails that contain cryptocurrency wallets asking for donations. We have observed several new domains being created which perform this malicious activity, such as ukrainehelp[.]world and ukrainethereum[.]com.
Ukrainhelp[.]world
Below is a screenshot of Ukrainehelp[.]world, which is a phishing site asking for crypto donations for UNICEF. The website contains the BBC logo and several crypto wallet addresses.
While investigating this site, we observed that the Ethereum wallet used use was also associated with an older crypto scam site called eth-event20.com. The image below shows the current value of the crypto wallet which is worth $114,000. Interestingly this wallet transfers all its coins to 0xc95eb2aa75260781627e7171c679a490e2240070 which in turn transfers to 0x45fb09468b17d14d2b9952bc9dcb39ee7359e64d. The final wallet currently has 313 ETH which is worth over $850,000. This shows the large sums of money scammers can generate with phishing sites.
Ukrainethereum[.]com
Ukrainethereum[.]com is another crypto scam site, but what makes this one interesting is the features it contains to gain the victim’s confidence in trusting the website such as a fake chatbox and a fake donation verifier.
Fake Chat
The image above shows the chatbox on the left-hand side which displays several messages. At first glance, it would appear as if other users are on the website and talking, but when you reload the site it shows the same messages. This is due to the chat messages being displayed from a list that is used to populate the website with JavaScript code as shown on the right-hand side.
Fake Donation Verifier
The site contains a donation checker so the victim can see if their donation was received, as shown below.
The first image on left shows the verification box for donation to check if it is completed or not
Upon clicking ‘Check’ the victim is shown a message to say the donation was received.
What occurs, is upon clicking ‘Check’ the JavaScript code changes the website code so that it displays the ‘Thanks!’ message, and no actual check is performed.
Phishing Email
The following image shows one of the examples of phish emails we have observed.
The email is not addressed to anyone specifically as they are mass-mailed to multiple email addresses. The wallet IDs in the email are not associated with the official Ukraine Twitter and are owned by scammers. As you can see in the image above, they are similar as the first 3 characters are the same. This could lead to some users believing it is legitimate. Therefore, it’s important to check that the wallet address is identical.
Credit Card Information Stealer
This is the most common type of phishing website. The goal of these sites it entices the victim into entering their credit card and personally identifiable information (PII) data by making them believe that the site being visited is official. This section contains details on one such website we have found using Ukraine donations as a lure.
Razonforukrain[.]com
The image below shows the phishing site. The website was used to save the children’s NGO links and images, which made it appear more genuine. You can see that is it asking the victim to enter their credit card and billing information.
Once the data is entered, and the victim clicks on ‘Donate’, the information will be submitted via the form and will be sent to scammers so they can then use or sell the information.
We observed that a few days after the website was created, the scammers change the site code so that it became a Mcdonald’s phishing site targeting the Arab Emirates. This was a surprising change in tactics.
The heatmap below shows the detections McAfee has observed around the world for the malicious sites mentioned in this blog.
Conclusion
How to identify a phishing email?
Look for the domain from where you received mail, attackers masquerade it.
Use McAfee Web Advisor as this prevents you from accessing malicious sites
If McAfee Web Advisor is not used, links can be manually checked at https://trustedsource.org/.
Perform a Web Search of any crypto wallet addresses. If the search returns no or a low number of hits it is likely fraudulent.
Check for poor grammar and suspicious logos
For more detailed advice please visit McAfee’s How to recognize and protect yourself from phishing page (https://service.mcafee.com/?locale=en-CA&articleId=TS101810&page=shell&shell=article-view)
How to identify phishing websites?
Use McAfee Web Advisor as this prevents you from accessing malicious sites
Look at the URL of the website which you are visiting and make sure it is correct. Look for alterations such as logln-paypal.com instead of login.paypal.com
If you are unsure that the website is legitimate. Perform a Web search of the URL. You will find many results If they are genuine. If the search returns no or a low number of hits it is likely fraudulent
Hyperlinks and site addresses that do not match the sender – Hover your mouse over the hyperlink or call-to-action button in the email. Is the address shortened or is it different from what you would expect from the sender? It may be a spoofed address from the
Verify if the URL and Title of the page match. Such as the website, razonforukraine[.]com with a title reading “McDonald’s Delivery”
For general cyber scam, education click here (https://www.mcafee.com/consumer/en-us/landing-page/retention/scammer-education.html)
McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee Web Advisor
Type
Value
Product
Detected
URL – Phishing Sites
ukrainehelp[.]world
McAfee WebAdvisor
Blocked
URL – Phishing Sites
ukrainethereum[.]com
McAfee WebAdvisor
Blocked
URL – Phishing Sites
unitedhelpukraine[.]kiev[.]ua/
McAfee WebAdvisor
Blocked
URL – Phishing Sites
donationukraine[.]io/donate
McAfee WebAdvisor
Blocked
URL – Phishing Sites
help-ukraine-compaign[.]com/shop
McAfee WebAdvisor
Blocked
URL – Phishing Sites
ukrainebitcoin[.]online/
McAfee WebAdvisor
Blocked
URL – Phishing Sites
ukrainedonation[.]org/donate
McAfee WebAdvisor
Blocked
URL – Phishing Sites
ukrainewar[.]support
McAfee WebAdvisor
Blocked
URL – Phishing Sites
sendhelptoukraine[.]com
McAfee WebAdvisor
Blocked
URL – Phishing Sites
worldsupportukraine[.]com
McAfee WebAdvisor
Blocked
URL – Phishing Sites
paytoukraine[.]space
McAfee WebAdvisor
Blocked
URL – Phishing Sites
razonforukraine[.]com
McAfee WebAdvisor
Blocked
The post Scammers are Exploiting Ukraine Donations appeared first on McAfee Blog.
More Stories
Friday Squid Blogging: Squid Sticker
A sticker for your water bottle. Blog moderation policy. Read More
Italy’s Data Protection Watchdog Issues €15m Fine to OpenAI Over ChatGPT Probe
OpenAI must also initiate a six-month public awareness campaign across Italian media, explaining how it processes personal data for AI...
Ukraine’s Security Service Probes GRU-Linked Cyber-Attack on State Registers
The Security Service of Ukraine has accused Russian-linked actors of perpetrating a cyber-attack against the state registers of Ukraine Read...
LockBit Admins Tease a New Ransomware Version
The LockBitSupp persona said LockBit 4.0 will be launched in February 2025 Read More
Webcams and DVRs Vulnerable to HiatusRAT, FBI Warns
The FBI has issued a warning about the Hiatus RAT malware targeting Xiongmai and Hikvision web cameras and DVRs, urging...
CISA Urges Encrypted Messaging After Salt Typhoon Hack
The US Cybersecurity and Infrastructure Security Agency recommended users turn on phishing-resistant MFA and switch to Signal-like apps for messaging...