Read Time:5 Minute, 45 Second

Authored by Vallabh Chole and Oliver Devane

Scammers are very quick at reacting to current events, so they can generate ill-gotten gains. It comes as no surprise that they exploited the current events in Ukraine, and when the Ukrainian Twitter account tweeted Bitcoin and Ethereum wallet addresses for donations we knew that scammers would use this as a lure for their victims.

This blog covers some of the malicious sites and emails McAfee has observed in the past few weeks.

Crypto wallet donation scams

A crypto donation scam occurs when perpetrators create phishing websites and emails that contain cryptocurrency wallets asking for donations. We have observed several new domains being created which perform this malicious activity, such as ukrainehelp[.]world and ukrainethereum[.]com.

Ukrainhelp[.]world

Below is a screenshot of Ukrainehelp[.]world, which is a phishing site asking for crypto donations for UNICEF. The website contains the BBC logo and several crypto wallet addresses.

While investigating this site, we observed that the Ethereum wallet used use was also associated with an older crypto scam site called eth-event20.com. The image below shows the current value of the crypto wallet which is worth $114,000. Interestingly this wallet transfers all its coins to 0xc95eb2aa75260781627e7171c679a490e2240070 which in turn transfers to 0x45fb09468b17d14d2b9952bc9dcb39ee7359e64d. The final wallet currently has 313 ETH which is worth over $850,000. This shows the large sums of money scammers can generate with phishing sites.

Ukrainethereum[.]com

Ukrainethereum[.]com is another crypto scam site, but what makes this one interesting is the features it contains to gain the victim’s confidence in trusting the website such as a fake chatbox and a fake donation verifier.

Fake Chat

The image above shows the chatbox on the left-hand side which displays several messages. At first glance, it would appear as if other users are on the website and talking, but when you reload the site it shows the same messages. This is due to the chat messages being displayed from a list that is used to populate the website with JavaScript code as shown on the right-hand side.  

Fake Donation Verifier 

The site contains a donation checker so the victim can see if their donation was received, as shown below. 

 

The first image on left shows the verification box for donation to check if it is completed or not 
Upon clicking ‘Check’ the victim is shown a message to say the donation was received.  
What occurs, is upon clicking ‘Check’ the JavaScript code changes the website code so that it displays the ‘Thanks!’ message, and no actual check is performed. 

Phishing Email 

The following image shows one of the examples of phish emails we have observed. 

The email is not addressed to anyone specifically as they are mass-mailed to multiple email addresses. The wallet IDs in the email are not associated with the official Ukraine Twitter and are owned by scammers. As you can see in the image above, they are similar as the first 3 characters are the same. This could lead to some users believing it is legitimate. Therefore, it’s important to check that the wallet address is identical.  

Credit Card Information Stealer 

This is the most common type of phishing website. The goal of these sites it entices the victim into entering their credit card and personally identifiable information (PII) data by making them believe that the site being visited is official. This section contains details on one such website we have found using Ukraine donations as a lure.  

Razonforukrain[.]com 

The image below shows the phishing site. The website was used to save the children’s NGO links and images, which made it appear more genuine. You can see that is it asking the victim to enter their credit card and billing information.  

Once the data is entered, and the victim clicks on ‘Donate’, the information will be submitted via the form and will be sent to scammers so they can then use or sell the information. 

We observed that a few days after the website was created, the scammers change the site code so that it became a Mcdonald’s phishing site targeting the Arab Emirates. This was a surprising change in tactics. 

The heatmap below shows the detections McAfee has observed around the world for the malicious sites mentioned in this blog. 

Conclusion 

How to identify a phishing email? 

Look for the domain from where you received mail, attackers masquerade it. 
Use McAfee Web Advisor as this prevents you from accessing malicious sites 
If McAfee Web Advisor is not used, links can be manually checked at https://trustedsource.org/. 
Perform a Web Search of any crypto wallet addresses. If the search returns no or a low number of hits it is likely fraudulent. 
Check for poor grammar and suspicious logos  
For more detailed advice please visit McAfee’s How to recognize and protect yourself from phishing page (https://service.mcafee.com/?locale=en-CA&articleId=TS101810&page=shell&shell=article-view 

How to identify phishing websites? 

Use McAfee Web Advisor as this prevents you from accessing malicious sites 
Look at the URL of the website which you are visiting and make sure it is correct. Look for alterations such as logln-paypal.com instead of login.paypal.com 
If you are unsure that the website is legitimate. Perform a Web search of the URL. You will find many results If they are genuine. If the search returns no or a low number of hits it is likely fraudulent 
Hyperlinks and site addresses that do not match the sender – Hover your mouse over the hyperlink or call-to-action button in the email. Is the address shortened or is it different from what you would expect from the sender? It may be a spoofed address from the 
Verify if the URL and Title of the page match. Such as the website, razonforukraine[.]com with a title reading “McDonald’s Delivery” 

For general cyber scam, education click here (https://www.mcafee.com/consumer/en-us/landing-page/retention/scammer-education.html) 

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee Web Advisor 

 

Type 
Value 
Product 
Detected 

URL – Phishing Sites  
ukrainehelp[.]world 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
ukrainethereum[.]com 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
unitedhelpukraine[.]kiev[.]ua/ 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
donationukraine[.]io/donate 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
help-ukraine-compaign[.]com/shop 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
ukrainebitcoin[.]online/ 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
ukrainedonation[.]org/donate 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
ukrainewar[.]support 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
sendhelptoukraine[.]com 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
worldsupportukraine[.]com 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
paytoukraine[.]space 
McAfee WebAdvisor  
Blocked 

URL – Phishing Sites  
razonforukraine[.]com 
McAfee WebAdvisor  
Blocked 

 

The post Scammers are Exploiting Ukraine Donations appeared first on McAfee Blog.

Read More