
Cybercriminals always try to use current events to lend credibility to their attacks, and the Gaza conflict is no exception. Netcraft detected over $1.6 million in cryptocurrency transferred to accounts associated with this scam.

In donation scams, cybercriminals use a variety of tactics to trick users into donating to what appears to be a legitimate cause. This includes referencing current events, urging readers to act urgently, and using emotional language (or situations). The criminal’s goal is to pressure victims into acting impulsively and transferring funds without due diligence.

In this blog post, we detail how opportunistic cybercriminals took advantage of the conflict and carried out donation fraud within the first few days. In almost every case we’ve seen, these campaigns solicit “donations” via cryptocurrencies. Many go one step further and use a cryptocurrency drainer to drain the victim’s entire cryptocurrency wallet.

Criminal activity taking advantage of the situation is chaotic, with campaigns starting and stopping and site content constantly changing. Some sites were completely replaced with fraudulent content less than a week after they were first monitored by Netcraft.

Two scam emails soliciting donations to Israel and Palestine, respectively, taking advantage of the conflict. Both destination sites send funds to the same cryptocurrency wallet, suggesting indiscriminate targeting by threat actors.

Rise of crypto drainers

Piggyback donation scams often ask for a “donation” in cryptocurrency. At the beginning of the Ukraine war, several large-scale email campaigns impersonated Ukrainian President Volodymyr Zelenskiy, the British Red Cross, and the British Prime Minister’s Office. Regardless of the party being impersonated, the body of the email directly asks for donations to one or more cryptocurrency addresses. This form of donation fraud relies on the victim having the know-how and willingness to send cryptocurrency to the listed address. There is some precedent for legitimate donations being made in this manner. On February 26, 2022, Ukraine asked for donations in cryptocurrency on its X (formerly Twitter) account.

Donation scam email impersonating Volodymyr Zelensky and asking for donations to be sent to a listed Bitcoin address

Recently, Netcraft analysis revealed that criminals are using cryptocurrency drainers as part of donation fraud. Cryptocurrency drainer scams, or cryptocurrency drainers, are a type of website-based attack that attempts to trick users into sending the contents of their cryptocurrency wallets to scammers. Cryptocurrency drainers take advantage of victims who connect their cryptocurrency wallets to their browsers and interact with Web3 applications. The convenience of connecting a wallet to the browser is double-edged: it reduces friction when approving all transactions, including unwanted ones generated by cryptocurrency drainers. Typically, this scam completely empties (or “drains”) the victim’s wallet if they approve the transaction.

Example of a cryptocurrency drainer in which a victim attempting to donate is told to “confirm your wallet to continue”. In reality, the victim is agreeing to send the entire contents of their cryptocurrency wallet to the criminals.

Our research shows that criminals who operate cryptocurrency drainers tend to be opportunistic. Back in March 2023, Netcraft blogged about a cryptocurrency drainer attack and explained how criminals were taking advantage of the Silicon Valley Bank failure.

Both approaches to soliciting cryptocurrency “donations” are being used in campaigns exploiting the Gaza conflict. This included hundreds of donation scam emails directing victims to websites registered to host cryptocurrency drainers, and hundreds of scam emails encouraging victims to send donations directly to cryptocurrency addresses included in the email. Contains several donation scam emails.

Donation scam emails requesting donations be sent to a listed virtual currency address

Parody about Israel and Palestine

The malicious websites detected since the start of the conflict demonstrate how existing cybercriminals can simply modify the lures they use to attract potential victims. Based on Netcraft’s analysis of one attacker, they used different domains claiming to support different parties involved in the conflict. These included mission israel[.]com, help palestine[.]online, lebanon needs help[.]online and egypt help[.]online.

We believe this is a single attacker for the following reasons:

  • Very similar email campaigns are used to distribute links to multiple sites
  • 3/4 of the sites observed had nearly identical designs
  • The sites are on the same IP address (113.30.189.220)
  • The sites were registered within a few days of each other using the same registrar (Hostinger)
  • The sites request that donations be sent to the same cryptocurrency address
  • The sites load the same crypto drainer script from the same external domain (dappbackend[.]house)

This is a common tactic: scammers are indifferent to which attack themes and social vulnerabilities they exploit, as long as they are effective.
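The attribution reasoning in the list above can be expressed as a scoring and clustering step. The following is an added example, not Netcraft's code: the indicator weights, the threshold and every site record are constructed placeholders, chosen so that a shared registrar alone is not enough to link two sites.

```python
from itertools import combinations

# Assumed weights: a shared wallet or drainer script host is strong evidence,
# a shared registrar or a close registration date is weak on its own.
WEIGHTS = {"ip": 2, "registrar": 1, "wallet": 3, "script_host": 3}
WINDOW_DAYS, WINDOW_WEIGHT, LINK_THRESHOLD = 3, 1, 4

# Constructed observations (placeholder values, not indicators from the report).
FIELDS = ("ip", "registrar", "wallet", "script_host", "registered_day")
SITES = {name: dict(zip(FIELDS, row)) for name, row in {
    "donate-a.example": ("203.0.113.10", "RegistrarX", "WALLET-1", "drain.example", 8),
    "donate-b.example": ("203.0.113.10", "RegistrarX", "WALLET-1", "drain.example", 9),
    "donate-c.example": ("203.0.113.10", "RegistrarX", "WALLET-1", "drain.example", 11),
    "shop.example": ("198.51.100.7", "RegistrarX", None, None, 9),
    "lookalike.example": ("192.0.2.44", "RegistrarY", "WALLET-2", "other.example", 20),
}.items()}

def shared_indicators(a, b):
    """Names of the indicators two site records have in common."""
    shared = [k for k in WEIGHTS if a.get(k) and a.get(k) == b.get(k)]
    if abs(a["registered_day"] - b["registered_day"]) <= WINDOW_DAYS:
        shared.append("registration_window")
    return shared

def link_score(a, b):
    """Sum of the weights of all shared indicators."""
    return sum(WEIGHTS.get(k, WINDOW_WEIGHT) for k in shared_indicators(a, b))

def cluster(sites):
    """Union-find over site pairs whose score reaches LINK_THRESHOLD."""
    parent = {name: name for name in sites}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for x, y in combinations(sites, 2):
        if link_score(sites[x], sites[y]) >= LINK_THRESHOLD:
            parent[find(x)] = find(y)
    groups = {}
    for name in sites:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=len, reverse=True)

if __name__ == "__main__":
    for group in cluster(SITES):
        print(sorted(group))
```
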

Scam emails used to distribute links

Donation scam email used to lure victims to mission israel[.]com

Netcraft systems detected hundreds of donation scam emails linking to mission israel[.]com. These use call-to-action themes like “Together we support Israel”, “A chance to support Israel”, “Unite for Israel – join the cause”, “Strengthening Israel – your support matters”, “Heart of Israel Help – Donate now”.

Donation scam email used to lure victims to help palestine[.]online

Additionally, we have seen a small number of very similar donation scam emails linking to help palestine[.]online. The layout and text of these emails are almost identical, the only difference being the colors and the exact wording used. The subject lines used are likewise emotional calls to action, such as “Children in Gaza appeal for your support”, “Gaza needs you, lend your support”, “Your help can change lives in Palestine”, “Bring hope to Palestinian families”.

Each of these emails uses body text that is similar, but not identical. Each line is slightly paraphrased, keeping the meaning of each sentence the same, for example “We appeal to your empathy and generosity”. Combined with sending the emails from different email addresses, this makes it more difficult for spam filters to detect and block them.

Link Level Tactics: Eliminate the Villain

mission israel[.]com

The website mission israel[.]com appealed for donations to “support victims in Israel” and solicited donations to various crypto wallet addresses. Addresses are provided where victims can “donate” via Ethereum, Bitcoin, Litecoin, or Tether.

The site also had a cryptocurrency drainer, which was launched if the victim chose to “pay with wallet”. If the user chooses to connect their wallet and agrees to the subsequent pop-up, 95% of its contents will be sent to the threat actor.

Screenshot from mission israel[.]com

The site impersonates MDA Israel (a legitimate non-profit organization in Israel) by including their contact details in the footer.

help palestine[.]online, egypt help[.]online, lebanon needs help[.]online

These websites were very similar in design, but the text differed depending on the party for which donations were purportedly being solicited.

  • help palestine[.]online: “Palestine needs your help! By donating even a small amount, you could save hundreds of lives. Don’t remain indifferent, the Palestinian people need your help!”
  • lebanon needs help[.]online: “Lebanon needs your help! By donating even a small amount, you could save hundreds of lives. Don’t remain indifferent, the Lebanese people need your support!”
  • egypt help[.]online: “Palestine and Egypt need your help! Your support will help Egypt accept and resettle Palestinian refugees. Let’s fight Israeli terrorism together!”

From left to right, screenshots from help palestine[.]online, egypt help[.]online and lebanon needs help[.]online

All three pages solicit donations to the same cryptocurrency address as mission israel[.]com, discussed above. All three also have a “Donate with wallet” option, which loads the same crypto drainer script as mission israel[.]com.

These sites also include a “pay by credit card” option. This page claims to be “on the Stripe platform”; however, it does not use the Stripe platform for payments. Instead, the details collected are simply sent to an endpoint on the same site named update_payment.php.

help palestine[.]online, egypt help[.]online and lebanon needs help[.]online include credit card payment options.
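A page that names Stripe but posts card fields to its own origin, as described above, can be flagged with a static check of the HTML. This is an added example, not Netcraft's detection logic: the field-name hints and both sample pages are constructed, and the check assumes a genuine integration loads Stripe.js from js.stripe.com rather than placing raw card inputs in a same-site form.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

CARD_HINTS = ("card", "cvv", "cvc", "expiry")  # assumed field-name hints

class PaymentPageScan(HTMLParser):
    """Collects script hosts, form actions, card-like inputs and visible text."""
    def __init__(self):
        super().__init__()
        self.script_hosts, self.form_actions = set(), []
        self.card_fields, self.text = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_hosts.add(urlparse(a["src"]).hostname)
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if any(hint in name for hint in CARD_HINTS):
                self.card_fields.append(name)

    def handle_data(self, data):
        self.text.append(data.lower())

def fake_processor_findings(html, page_url):
    """Flag pages that name Stripe yet take card data on their own origin."""
    scan = PaymentPageScan()
    scan.feed(html)
    findings = []
    if "stripe" in " ".join(scan.text) and "js.stripe.com" not in scan.script_hosts:
        findings.append("claims Stripe but does not load Stripe.js")
    for action in scan.form_actions:
        target = urlparse(urljoin(page_url, action))
        if scan.card_fields and target.hostname == urlparse(page_url).hostname:
            findings.append(f"card fields posted to same site: {target.path}")
    return findings

# Constructed sample pages (not captured from the sites in the report).
FAKE_PAGE = """<h2>Pay by card</h2><p>Powered by Stripe</p>
<form action="update_payment.php" method="post">
<input name="card_number"><input name="expiry"><input name="cvv"></form>
<script src="/static/app.js"></script>"""
REAL_PAGE = """<p>Powered by Stripe</p>
<script src="https://js.stripe.com/v3/"></script>
<form id="payment-form"><div id="card-element"></div></form>"""

if __name__ == "__main__":
    print(fake_processor_findings(FAKE_PAGE, "https://donate.example/pay/"))
    print(fake_processor_findings(REAL_PAGE, "https://shop.example/checkout"))
```
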

crypto help israel[.]com

crypto help israel[.]com is another cryptocurrency drainer website, this time masquerading as a legitimate website. The genuine Crypto Aid Israel was registered in October 2023: “Web3 friends in Israel come together to raise money for victims”. Both the website URL and design are attempts to trick users into believing they are dealing with a genuine organization.

Genuine site cryptoaidisrael.com (left) and crypto drainer site cryptohelpisrael[.]com (right)

If the user chooses to donate on crypto help israel[.]com, they are prompted to connect their wallet. Victims are told to “confirm their wallet to continue.” In reality, they are agreeing to send the contents of their wallet to the scammer.

We found that the stolen funds were sent to multiple wallet addresses, through which the criminals received over $1.6 million in ETH since October 14th. Note that this revenue does not necessarily come only from crypto help israel[.]com: the same criminals may be using the same set of addresses to run other fraudulent campaigns.

Prakarikral[.]com/pcf/

The page at Prakarikral[.]com/pcf/ was a phishing page masquerading as the legitimate Palestine Children’s Relief Fund (PCRF) website. The legitimate website is currently displaying an overlay asking for donations, which has been exactly replicated by the malicious website.

Genuine site pcrf.net (left) and the fraudulent page masquerading as it at plakaliklar[.]com/pcf/ (right)

Clicking the “donate now” link on the malicious website directed victims to a “payment form” containing a Bitcoin wallet address to send funds. Victims were told to “remit their donations within 24 hours so that they can be properly processed.” After submitting the form, the page simply said “Thank you for your donation!” without confirming whether the funds were transferred.

The payment form on plakaliklar[.]com/pcrf/ and the “thank you” message that is displayed.

How can Netcraft help?

Netcraft provides cybercrime detection, disruption, and takedown services to organizations around the world, including 12 of the world’s top 50 banks and the largest cryptocurrency exchange by volume. We perform takedowns on approximately one third of the world’s phishing attacks, defeating over 90 different attack types and exploiting brand identity at a rate of 1 every 15 seconds. Protect your organization from cryptocurrency fraud.

Netcraft is a world leader in detecting, disrupting, and removing cybercrime and has been protecting businesses online since 1996. Our systems analyze millions of potentially malicious sites every day and typically block attacks within minutes of discovery.
