Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog



A Consumer's Guide to Spotting "Fake" Charities

Published: 2012-12-20
Last Updated: 2012-12-20 20:32:43 UTC
by John Bambenek (Version: 3)
2 comment(s)

Earlier in the week we mentioned that people should be on the lookout for "fake" charities trying to exploit the Sandy Hook tragedy. About 150 or so domains have been registered that are "suspect", and about a dozen I can safely say are fraudulent. Some basic steps we already know for dealing with this:

  • Only deal with charities that are already known to you (e.g. the Red Cross) or with which you have a personal relationship (your church or church-related organization, local civic group, etc.).
  • Don't donate to charities simply by clicking on a link in an e-mail; go to the charity's website yourself and donate directly.
  • Always check for real contact information; if you don't see any, don't donate.

That said, let's say you find a website and you want to "verify" whether it is suspect or not. There are several things you can do. Advance warning: this is US-centric, mostly because I don't know "charity" laws in other countries. If someone would like to clue me in on how to do the same in other countries, feel free to contact me directly.

  • Check the domain registration using WHOIS. One online WHOIS tool is here. If it is a "private registration", treat it as suspect and move along.
  • Check with the IRS whether the organization is, in fact, tax exempt. Their lookup tool is here. If the website doesn't have an organization name, it's suspect. If they are talking to you, try to get their tax ID (or FEIN) number. Ask for a copy of their IRS Form 990 (which they are required to disclose). Many states also require charities to register, and you can search those filings online as well.
  • Check with Guidestar, which is sort of a Consumer Reports / Better Business Bureau for charities.

A couple of quick case studies.  First, let's use an example where you have information about the "charity" in question.  I haven't found anything this detailed for Sandy Hook, but here is one that came up a little while ago during an unrelated matter.  

I got this email forwarded to me recently, which you can read at tinyurl.com -slash- vets4change. The organization purports to help veterans, and one of their newsletters quite helpfully lists the address, Tax ID number and California business number. Plugging in either Veterans for Change or the Tax ID number at the IRS website shows nothing. Plugging in the CA corporation ID number (3340400) at the website of the State of California Attorney General results in some interesting records. Apparently, the State tried to get registration information from the person running the charity, who simply ignored the State and was fined.

In this case, you have someone who is claiming some things which are obviously not true, so we'd label this one suspect and move on, perhaps filing a complaint or two with the appropriate authorities.

Now let's try one of the various domains registered after Sandy Hook. One such domain is hopefornewtown-dot-com. There is no identifying information on the website except a Gmail email address. WHOIS shows the domain has a private registration, and the PayPal donate button lists the name as Hope for Newtown. The time it takes to get tax exemption from the IRS is many months, so there is no way it's registered, but just in case, the IRS doesn't show such a registration either. File this one under suspect and move on.
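The WHOIS part of the check above can be scripted when there are 150 or so domains to get through. The following is an added example, not part of the original diary: it assumes WHOIS text in "Key: value" form with ISO-style dates, and the marker list, function names, cutoff date and sample records are all constructed for illustration.

```python
import re
from datetime import date

# Assumed, non-exhaustive substrings that mark a privacy/proxy registrant.
PRIVACY_MARKERS = ("privacy", "private registration", "proxy", "whoisguard", "redacted")
CREATED_KEYS = ("creation date", "created", "created on", "registered on")

def parse_whois(text):
    """Collect 'Key: value' lines into {lower-cased key: [values]}; skips % # > lines."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:%#>]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def creation_date(fields):
    """Return the first YYYY-MM-DD creation date found, or None."""
    for key in CREATED_KEYS:
        for value in fields.get(key, []):
            m = re.search(r"(\d{4})-(\d{2})-(\d{2})", value)
            if m:
                return date(*map(int, m.groups()))
    return None

def triage(text, event_date):
    """Return the reasons a WHOIS record deserves a closer look (empty list if none)."""
    fields = parse_whois(text)
    flags = []
    registrant = " ".join(
        v for k, vals in fields.items() if k.startswith("registrant") for v in vals
    ).lower()
    if not registrant:
        flags.append("no-registrant-info")
    elif any(marker in registrant for marker in PRIVACY_MARKERS):
        flags.append("private-registration")
    created = creation_date(fields)
    if created is None:
        flags.append("no-creation-date")
    elif created >= event_date:
        flags.append("registered-after-event")
    return flags

# Constructed sample records (not real WHOIS output).
EVENT = date(2012, 12, 14)  # assumed cutoff: the date of the event being exploited
SUSPECT = ("Domain Name: RELIEF-FUND-EXAMPLE.TEST\nCreation Date: 2012-12-15T03:12:00Z\n"
           "Registrant Name: Registration Private\nRegistrant Organization: Domains By Proxy, LLC\n")
ESTABLISHED = ("Domain Name: OLD-CHARITY-EXAMPLE.TEST\nCreation Date: 1996-05-01T04:00:00Z\n"
               "Registrant Organization: Example Relief Society\nRegistrant City: Springfield\n")
```

A flagged record is a reason to run the IRS and state lookups, not a verdict by itself.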

If you see any such organizations, you can report them to your state attorney general (who in general is the one who regulates charities, though this may vary) and to IC3.gov, and you can feel free to send suspicious emails and websites to us using the contact form.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


White House strategy on security information sharing and safeguarding

Published: 2012-12-20
Last Updated: 2012-12-20 01:38:42 UTC
by Daniel Wesemann (Version: 1)
1 comment(s)

Today, the White House published its new national strategy for information sharing and safeguarding. See http://www.whitehouse.gov/sites/default/files/docs/2012sharingstrategy_1.pdf for the full PDF (15 pages).

The document touches on a key point that has in the past often stymied cooperation and information sharing between the government and the private sector. In my experience, the gov organizations were always very open to receiving and soaking up information shared with them by private enterprise, but were far less forthcoming with returning the favor. Very rarely did I ever receive intel from government contacts that wasn't either mostly public knowledge, or that I hadn't received already anyway from peers in the industry.

Almost ironically, it is a security problem and security trade-off decision in itself to determine how much realtime security intel can be shared, and with whom, to maximize the benefit without incurring undue additional risk by the intel leaking to the attackers' side. We are - as security professionals - supposed to be good at this kind of judgment call, but our ingrained paranoia often gets in our way. The result is that we tend to be over-cautious with sharing intel, which in turn hurts our peers and ourselves, and helps the bad guys.

As such, I was positively surprised to read in the new national strategy that "collecting intel" seems to slowly but steadily be supplanted by "collecting intel and making timely use of it", which is definitely an improvement for everyone. But the "Top Five" priorities on the summary page 14 seem to me to rather reflect the approach of old again, where "guidelines were developed" and "frameworks were established", but nothing really changed in the real world outside of the Beltway. Which was a bit of a letdown after reading the front portion of the document... but in general, I still find it quite refreshing that the trade-off between sharing and safeguarding is officially recognized, and that there is also a hint of self-reflection in the document that suggests to me that not all is lost :)

If you have any comments on the content of the White House paper, or on security intel information sharing in general, please let us know via our contact form, or use the comments field below.
