Cyber Threats
Cybercriminals Exploit the Moroccan Tragedy in New Scam Campaign
This blog entry details a scheme that exploits the recent Morocco earthquake by impersonating the domain name of a well-known humanitarian organisation for financial fraud.
Cybercriminals have always exploited instances of natural calamities to prey on innocent people. This blog post exposes a scam that has taken advantage of the earthquake in Morocco by deceiving users to buy relief equipment purportedly meant to aid quake victims.
The fraudsters registered two domains, one of which impersonates the identity of the French Red Cross (Croix Rouge Française).
Our discovery of this nefarious scheme, in addition to exposing the fraud, also emphasises the importance of monitoring domain names so criminal attempts to abuse them can be swiftly addressed.
The attack
A few days ago, cybercriminals registered the domain croixrougefrancaise.fr, which redirects to another domain, alerteseisme.fr.
The Croix-Rouge Française, also referred to as the French Red Cross, is the French branch of the International Red Cross and Red Crescent Movement. It is a humanitarian organisation that provides a wide range of services and assistance to people in need in France and around the world. Propelled by its mission to alleviate human suffering, the organisation engages in many activities, including disaster response, which it is currently performing in Morocco.
The scammers used the term “alerte seisme,” which translates to “earthquake alert,” in reference to the earthquake in Morocco.
The same user registered both domain names. While the postal address in Paris provided by the malicious actor does exist, more than 400 other companies have also been using it for the purpose of company domiciliation or as their registered postal address. The malicious actor also used the same email address and phone number to register both domains.
The website content Is straightforward and was built using Shopify, a platform that allows users to run their own online shop (Figure 1).
Once a user selects the products, only one type is available: a so-called “fraternity tent.” The product description is written to elicit pity or compassion from readers (Figure 2). Also worth noting is that the photo used by the scammers can also be found on an AliExpress product listing.
The copy on the fraternity tent webpage can be translated as:
“Imagine having no place to sleep, no shelter to protect your children from the elements. This is the reality for thousands of families in the aftermath of this disaster. By purchasing a tent on our platform, you are providing a living space, a refuge where these families can begin to heal.”
After users add their desired number of tents to their shopping basket, they proceed to payment. At this stage, the website requires them to provide their credit card information, shipping address, and email address (Figure 3). This paves the way for cybercriminals to obtain personally identifiable information (PII), which can lead to monetary theft.
In addition, we discovered that a Facebook page was also created on the same day the domain names were registered, providing a link to the domain:
Note that while the page advertises earthquake detectors, selecting the “order” button redirects to the fraternity tent page of the alerteseisme.fr website.
This unusual behaviour indicates the scammers’ intent to deceive users by trying different kinds of schemes, such as pretending to sell earthquake detectors or tents for earthquake victims to make the ruse believable.
One French LinkedIn user also wrote that the fraudsters running the website were asking for donations on LinkedIn. He reported it immediately, thus prompting LinkedIn to take swift action. However, no further information can be found on how their donation campaign went.
The croixrougefrancaise.fr domain
This domain was registered on September 2023, but we found that it had been used twice before: from August 2021 to August 2022 and from January 2008 to December 2013.
We investigated the use of the domain during the aforementioned periods and could not find any evidence that it has ever belonged to the Croix Rouge Française. It only showed usual domain parking website at times, but it might have also been used for emails during those times.
The registration of the domain names does not show any reference to the official Croix Rouge Française website, yet it was done anonymously and could still have belonged to the Croix Rouge Française.
Another alarming discovery is that we found an online article referencing croixrougefrancaise.fr as a website for donations during periods when it was not even registered. Luckily, no scam was reported at that time, but cybercriminals could have easily leveraged the promotion of the domain in those online articles by registering it to trick people into making donations.
Domain monitoring is a must for every organisation.
Cybercriminals will grab any opportunity to make money so the need for organisations to monitor their domain names is as crucial as ever. Organisations can learn more about how to detect and prevent phishing attacks in our guide to domain monitoring so they can take precautionary action to protect their brand and keep phishing threats at bay. We’ve also discussed the best practises on how organisations can identify and mitigate phishing attacks.
In the case that we exposed here, a domain name from a well-established organisation has been registered several times without any indication that it was indeed registered by the organisation itself.
When registering a domain, organisations should always show essential information in the “Whois” information that can be queried by any user to remove doubts about the legitimate owner of a given domain.
Domain names that contain full brand names such as “Croix Rouge Francaise” should be carefully monitored. Organisations that own such domain names should keep and never drop them. They should also be mindful about alerts on domain expiration and ensure it is properly set to prevent fraudsters from abusing it.
This blog entry also serves as a timely reminder to consumers to always be wary of websites used to collect donations in times of calamities even if their domain names appear legitimate. The linked resource on best practises to identify and prevent phishing attacks provides helpful information.
We’d like to thank Nicolas Pawlak from Red Flag Domains for informing us about the fraudulent croixrougefrancaise.fr domain registration.