Fake Boston Marathon Scams Update

Published: 2013-04-16
Last Updated: 2013-04-16 16:41:37 UTC
by John Bambenek (Version: 1)
3 comment(s)

Yesterday, TheDomains reported there were 125 potentially fake domains registered just hours after the attack in Boston. By my current count, I see 234. Some of these are just parked domains, some are squatters who are keeping the domains from bad people. A couple are soliciting donations (one is soliciting bitcoins, oddly enough). So far, there have been no reports of any spam related to this, but there have been a few fake Twitter accounts, which are fairly quickly getting squashed. Oh, and one lawsuit-lawyer related site in connection to the event, but that's a different kind of scum than we typically deal with here. But so far, most of the domains are parked (typically at GoDaddy, but don't read that as a swipe at them) or they don't resolve anywhere.

In short, I would have thought this would have picked up quicker than it had.

That said, it did give me the impetus to finish scripting a few things to basically monitor these domains automagically to start looking for indicators and to see when (or if) they ever come out of "parked" status.
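A minimal sketch of that kind of monitoring, added here as an illustration and not the author's own scripts: it classifies each domain as unresolved, parked or active from collected DNS observations and reports status changes between two snapshots. The parking nameserver suffixes, domain names and addresses are constructed placeholders, and the "all nameservers match a parking suffix" heuristic is an assumption.

```python
from dataclasses import dataclass

# Assumption: nameserver suffixes treated as "parking" indicators. Constructed
# placeholders; replace with the parking providers you actually observe.
PARKING_NS_SUFFIXES = (".parking.example", ".parked.example")

@dataclass(frozen=True)
class Observation:
    domain: str
    addresses: tuple = ()     # A records seen at collection time
    nameservers: tuple = ()   # NS records seen at collection time

def classify(obs):
    """Return 'unresolved', 'parked' or 'active' for one observation."""
    if not obs.addresses:
        return "unresolved"
    ns = [n.lower().rstrip(".") for n in obs.nameservers]
    if ns and all(n.endswith(PARKING_NS_SUFFIXES) for n in ns):
        return "parked"
    return "active"

def transitions(previous, current):
    """Compare two snapshots (lists of Observation) and report status changes."""
    before = {o.domain.lower(): classify(o) for o in previous}
    changes = []
    for obs in current:
        name = obs.domain.lower()
        old, new = before.get(name, "new"), classify(obs)
        if old != new:
            changes.append((name, old, new))
    return sorted(changes)

def needs_review(changes):
    """Domains that became active since the previous snapshot."""
    return [d for d, old, new in changes if new == "active"]

# Constructed sample data (reserved .example names, documentation IP ranges).
DAY1 = [
    Observation("marathon-fund.example", ("192.0.2.10",), ("ns1.parking.example",)),
    Observation("help-runners.example"),
    Observation("relief-info.example", ("198.51.100.7",), ("ns1.hosting.example",)),
]
DAY2 = [
    Observation("marathon-fund.example", ("203.0.113.5",), ("ns1.hosting.example",)),
    Observation("help-runners.example", ("192.0.2.11",), ("ns2.parking.example",)),
    Observation("relief-info.example", ("198.51.100.7",), ("ns1.hosting.example",)),
    Observation("donate-now.example", ("203.0.113.9",), ("ns1.hosting.example",)),
]

if __name__ == "__main__":
    for domain, old, new in transitions(DAY1, DAY2):
        print(f"{domain}: {old} -> {new}")
```

In practice the observations would come from a scheduled resolver run, with each day's snapshot stored so that newly active domains can be queued for content review.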

As usual, the standard advice applies in events like these. If you want to donate (or have friends/family/colleagues who do), work through well-known and established charities to do so.

Feel free to send any suspicious sites/spam/Twitter accounts/etc. to us so we can keep doing analysis.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


Comments

Likely more coming:
- http://blog.dynamoo.com/2013/04/boston-marathon-spam-askmeaboutcctvcom.html
17 April 2013
.
As expected...
- http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast/
April 16, 2013
.
Detection was added to the Sanesecurity sigs early morning UK time...

http://www.freelists.org/post/sanesecurity/Boston-Malware-blocked
