
SANS ISC: Fake Boston Marathon Scams Update - SANS Internet Storm Center SANS ISC InfoSec Forums


Fake Boston Marathon Scams Update

Yesterday, TheDomains reported there were 125 potentially fake domains registered just hours after the attack in Boston. By my current count, I see 234. Some of these are just parked domains, some are squatters who are keeping the domains from bad people. A couple are soliciting donations (one is soliciting bitcoins, oddly enough). So far, there have been no reports of any spam related to this but there have been a few fake Twitter accounts which are fairly quickly getting squashed. Oh, and one lawsuit-lawyer related site in connection to the event but that's a different kind of scum than we typically deal with here. But so far, most of the domains are parked (typically at GoDaddy, but don't read that as a swipe at them) or they don't resolve anywhere.

In short, I would have thought this would have picked up quicker than it had.

That said, it did give me the impetus to finish scripting a few things to basically monitor these domains automagically to start looking for indicators and to see when (or if) they ever come out of "parked" status.

As usual, the standard advice applies in events like these. If you want to donate (or have friends/family/colleagues who do), work through well-known and established charities to do so.

Feel free to send any suspicious sites/spam/Twitter accounts/etc. to us so we can keep doing analysis.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

John

248 Posts
ISC Handler
Likely more coming:
- http://blog.dynamoo.com/2013/04/boston-marathon-spam-askmeaboutcctvcom.html
17 April 2013
Jack

160 Posts
As expected...
- http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast/
April 16, 2013
Jack

160 Posts
Detection was added to the Sanesecurity sigs early morning UK time...

http://www.freelists.org/post/sanesecurity/Boston-Malware-blocked
Sanesecurity

21 Posts
