Welcome to the SecAware blog

I spy with my beady eye ...

8 Jan 2007

Charity phishing lure

Many of us will have seen the emails circulated just after Hurricane Katrina struck, inviting us to visit a number of dubious websites to "donate" to the disaster fund. Well, here's something similarly sinister that just landed in my inbox:

---------- Email received -----------

You have a personal invitation to join S.O.S. Children's Villages donation program.

Today there are over 143 million children orphaned worldwide. S.O.S. Children's Villages is working hard to provide homes for these children, protecting them from abuse and exploitation, and giving them a place to call home...

Help us to help children in need. Any contribution you are able to make helps make a difference in the lives of children, giving them a new, loving home, a proper education, and health-care - in short, giving them the chances in life they deserve.

S.O.S. Children's Villages' work is built upon the generosity of our donors all over the world and all contributions, large or small, regular or occasional, go towards helping us make a difference to children's lives. What better way to secure the future of our world than supporting the world's children?

Give the Gift of Hope - Make a Donation to Help Orphaned Children! <- There was a dotted-decimal URL here>

Our online donation form is a fast, convenient and secure way for your online donation. When making your online donation, you can either specify a continent where you would like your contribution to go, one of our featured projects, or decide to help where you money is needed most.

Thank you for wanting to contribute to give children a new home and a family.

S.O.S. Children's Villages International.

---------- End of email -----------

I believe S.O.S. Children's Villages is a legitimate global charity based in Austria. However, the URL embedded in the email was a numeric dotted-decimal URL that is registered to an ISP in Japan - it is most likely a compromised system being used by fraudsters, not a genuine charity server. The (probably spoofed) sender's email address belongs to a domain registered by an Indian biometrics/security company (nice touch!) that is not currently in use. I discovered these facts simply with a bit of digging on Google, Wikipedia and using the handy IP/domain lookup WHOIS function provided by DNSstuff. I also did a quick search on the wonderful HoaxBusters site but this particular type of scam isn't listed.

By the way, this was an HTML email. Outlook normally hides the actual URL under the link text, in this case the line "Give the Gift of Hope...". If you hover the cursor over the link, a 'tooltip' appears, showing the true URL (this works in Mac Mail too, I believe). I have my Outlook set to display all emails as plain text by default (Tools > Options > Preferences > E-mail Options > Check the option to "Read all standard mail as plain text") which means it displays all URLs in angle brackets. Sure, I sometimes need to click the option to "Display as HTML" emails from people I trust but on balance, I prefer to check the true URLs of links I might be following.
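The check described above (reveal the URL behind the link text, then look for a numeric host), as an added example that is not part of the original post. The sample HTML is constructed, 192.0.2.10 is a reserved documentation address standing in for the removed URL, and the function names are illustrative.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: 192.0.2.10 is a documentation address standing in for the removed URL.
SAMPLE_HTML = """<p>Help us to help children in need.</p>
<p><a href="http://192.0.2.10/donate/">Give the Gift of Hope - Make a
Donation to Help Orphaned Children!</a></p>
<p>Genuine site: <a href="http://www.sos-usa.org/">http://www.sos-usa.org/</a></p>"""

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None

def host_is_ip_literal(url):
    """True when the URL's host is a dotted-decimal IPv4 or bracketed IPv6 address."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def audit_links(html):
    """Show each link as a plain-text view would, and flag the two warning signs."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [{"plain_text": f"{text} <{href}>",
             "ip_literal_host": host_is_ip_literal(href),
             "text_hides_url": href not in text}
            for text, href in parser.links]

if __name__ == "__main__":
    print(*audit_links(SAMPLE_HTML), sep="\n")
```

A link that sets both flags matches the pattern in this email; either flag alone is only a prompt to look closer, since plenty of legitimate mail uses descriptive link text.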

I've taken the precaution of removing the embedded URL from the email above just in case it installs a Trojan on your machine. Needless to say, I will not be visiting it on this occasion.

This kind of social engineering attack using a charity as a lure is particularly nasty as it plays on the goodwill and naivety of ordinary people like you and me. I hope this topical little example, or something similar from your own inbox, finds its way onto the security awareness pages on your corporate intranet as a warning to your colleagues. Tell your family and friends too. I'm sure it will not be the last one we see.

More links on phishing and security awareness.

PS I have notified the charity, the ISP, the biometrics company and HoaxBusters, offered my help and directed them to the excellent Anti-phishing Working Group for professional assistance.

PPS The charity's Internet Manager has indeed confirmed this is a fake that started circulating last Friday. Anyone who wants to donate is invited to visit www.sos-usa.org.


  1. Here is a variation which appears to have caught a number of worthy folk who should have known better!!!


    Alisdair McKenzie

  2. Have seen numerous similar scams but the most repellent use (IMNSHO) is to recruit the money mules for more normal phishing scams. I saw a lot of gullible but (or should that be 'and') innocent people getting involved with fraud rings after the Beslan tragedy.

    These people honestly thought that the money they were receiving and sending on was destined for kids and families affected. That way, the Eastern European destination addresses seemed perfectly normal and the mules didn't have to be bribed with the usual percentage cut. A win-win for the scumbags :(

    Keep up the good fight.