Online scammers prep for Gustav, say researchers

Computerworld - Nearly 100 domains related to Hurricane Gustav have been registered in the past 48 hours, security experts said Sunday, some of which may be used by bogus charity and relief scams after the storm strikes the U.S. Gulf Coast.

According to television station KTAL in Shreveport, La., the office of Louisiana's Attorney General Buddy Caldwell has warned residents of Gustav phishing attacks already in progress.

On Saturday, Marcus Sachs, director of the SANS Institute's Internet Storm Center (ISC), noted that numerous domains containing the word "gustav," "charity," "hurricane" and "relief" had been recently registered.

"On the day [Hurricane] Katrina hit New Orleans [in 2005] hundreds of donation sites appeared online, many if not most were scam sites," said Sachs in a post yesterday to the ISC research blog. "Well, this time around, it looks like the people who like to register domain names in anticipation of a storm's arrival have already started registering them for Gustav."

By Sunday, Sachs had listed almost 100 Gustav sites culled from the DomainTools' Web site. "Most of these sites are parked domains and many of them are for sale," he said. "They will be worth monitoring, particularly if 'donate here' messages appear."

Several of the domains, in fact, do appear to be parked, or registered but not fleshed out with content. Others, including helpgustavictims.com and helpgustavvictions.net, were for sale on eBay as of midday Sunday.

A few, however, led to legitimate charities. The domain gustavcharity.com, for example, redirected users to the Web site of the evangelical Christian organization "Samaritan's Purse," while contributegustav.org took users to the Baton Rouge Area Foundation's site.

Another security expert, Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, also posted a list of parked domains that may be used for scamming purposes. "Anytime we've seen a natural disaster, we've been on the lookup for domains which might be abused for fraud," said Warner Sunday on his blog. "It was only natural then that I retuned my settings at DomainTools yesterday to alert on Gustav domains."

Warner also pointed out a handful of domains that led to legitimate content.

Three years ago, before and after Hurricane Katrina slammed into New Orleans, security researchers noted a similar run-up of domain registrations. Enough were used for phony relief scams, often by identity thieves hoping to trick consumers into divulging personal information, that the U.S. Department of Justice set up a Katrina antifraud task force.

More than a year later, two brothers were convicted on federal charges for running a fake Salvation Army site that solicited money, supposedly for Katrina relief efforts. The pair, Steven and Bartholomew Stephens, were sentenced to more than 100 months in prison for the scam last December.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.