Earthquake in Turkey and Syria: Be Aware of Possible Donation Scams

    Published: 2023-02-06
    Last Updated: 2023-02-06 18:40:43 UTC
    by Johannes Ullrich (Version: 1)

    Last night, Turkey and Syria were affected by a significant earthquake. Sadly, experience teaches us that disasters like this will often be abused. The most common scam involves fake donation websites. But you may also see malware disguised as a video or images from the affected region.

    Here are some tips to share:

    • Do not donate to organizations you have not heard of before the event. Only donate to organizations that have an established track record.
    • If you have contacts in the affected area: Try to reach out to them to find out how to help them.
    • Scams may target people with links to the affected region. Be careful with phone calls or emails claiming to ask for money on behalf of a relative or friend. Scammers may use social media data and may contact you via social media.
    • Do not blindly believe requests for help on social media.
    • Do not just Google for ways to donate money.

    At this point, I have not seen any active scams. Because earthquakes cannot be predicted, there is usually a lag between the event and the first scams. We are monitoring for such scams, so please let us know if you come across one.

    Communication in the affected area is severely limited. Turkish government websites are also experiencing outages due to many website visitors, particularly sites related to the earthquake.

    Thanks to all the first responders helping people in need in the area. They will need our help, but please make sure to help them, not scammers.

    ---
    Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

    APIs Used by Bots to Detect Public IP address

    Published: 2023-02-06
    Last Updated: 2023-02-06 16:22:38 UTC
    by Johannes Ullrich (Version: 1)

    Many of the bots I am observing attempt to detect the infected system's public ("WAN") IP address, since most of these systems are assumed to be behind NAT. To find the external address, the bots query various public APIs. Detecting these requests can be helpful: many of the APIs use hostnames dedicated to this purpose, so the lookups stand out in DNS logs even when TLS is not intercepted.

    Note that legitimate software also uses these APIs, so do not simply block them. Keeping an eye on which hosts are sending these requests, however, can be useful.

    Here are a few I remember seeing. The list I have seen isn't very long, making it easy to detect. Let me know if there are others:

    • http://ip-api.com/json/
    • http://api64.ipify.org
    • http://api.ipify.org
    • https://ip.seeip.org
    • http://checkip.dyndns.org
    • https://ipapi.co/ip/

    Some of these APIs block commonly abused user agents such as 'curl' or 'pylib'. This keeps many of the common bots from using those specific APIs; the bots typically do not bother to set a different user agent and instead fall back to another API without such restrictions.

    There are some other websites that malware could use with a bit of screen scraping, but I have not seen malware use them. And as you are looking through your logs: Requests for "wanipcn.xml" are not related to looking up the WAN IP address. These requests attempt to exploit an older Realtek SDK vulnerability. 
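    The detection idea above, as an added example that is not part of the diary: the hostnames are taken from the list above, the DNS query log format ("time client qname") is constructed for the example, and a client querying several distinct lookup services is treated as the fallback pattern the diary describes.

```python
"""Flag DNS lookups for the public-IP discovery services listed in the diary.

Added example, not the diary's own code. Hostnames come from the diary's list;
the log format below is constructed for this example.
"""
from collections import Counter
from urllib.parse import urlparse

# The URLs listed in the diary; only the hostname matters for DNS matching.
IP_LOOKUP_URLS = [
    "http://ip-api.com/json/",
    "http://api64.ipify.org",
    "http://api.ipify.org",
    "https://ip.seeip.org",
    "http://checkip.dyndns.org",
    "https://ipapi.co/ip/",
]
IP_LOOKUP_HOSTS = {urlparse(u).hostname for u in IP_LOOKUP_URLS}

# Constructed DNS query log: "<time> <client-ip> <query-name>" per line.
SAMPLE_DNS_LOG = """\
2023-02-06T10:01:02Z 10.0.0.5 api.ipify.org
2023-02-06T10:01:07Z 10.0.0.5 checkip.dyndns.org
2023-02-06T10:02:11Z 10.0.0.9 www.example.com
2023-02-06T10:03:45Z 10.0.0.5 ip-api.com.
2023-02-06T10:05:00Z 10.0.0.12 api64.ipify.org
"""


def ip_lookup_hits(dns_log: str) -> dict:
    """Return {client_ip: Counter(query_name)} for queries to known lookup hosts.

    Matching is on the exact query name (lower-cased, trailing dot removed), so
    unrelated names are never flagged and the result is a watch list, not a block list.
    """
    hits = {}
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed lines instead of aborting the scan
        _, client, qname = parts
        qname = qname.lower().rstrip(".")
        if qname in IP_LOOKUP_HOSTS:
            hits.setdefault(client, Counter())[qname] += 1
    return hits


def noisy_clients(hits: dict, distinct_hosts: int = 2) -> list:
    """Clients that queried at least `distinct_hosts` different lookup services:
    trying one API after another is the fallback behaviour the diary describes."""
    return sorted(c for c, ctr in hits.items() if len(ctr) >= distinct_hosts)
```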

    ---
    Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu