Michael Sutton, VP of security research at Zscaler has spent some time looking for sites that are taking advantage of the disappearance of Malaysia Airlines flight 370 (MH370) to profit from the tragedy. Unsurprisingly, it was all too easy to find examples of this as it is almost a given that scammers will attempt to profit from any breaking news story, especially those where the public is desperate for the latest tidbit of news – regardless of where it may be coming from.
The first example is an advertising scam. The scam begins with the infection of a legitimate site, in this case debiworley[dot]com, a personal website for a photographer. A subdomain has been added to the site, which hosts different scams, all leveraging the same approach. In the case of the MH370 scam, an alleged video has been posted to alert[dot]debiworley[dot]com/news/?mh370. At that page you’ll see an image, which purports to show a Malaysian Airlines plane crashed in the jungle. The page includes the fake video and also includes comments formatted to appear as though they’re from Facebook. Despite the look of the page, everything is simply an image. Clicking anywhere on the video doesn’t actually play the video, but instead prompts the user to share the video on Facebook by presenting the following popup, before it can be played. If the user chooses to share the video, it does not ever play, but instead simply shares the scam with their Facebook friends. What the victim is promoting is a quickly hacked together site hosted at vinreox[dot]com, a simple website that acts as a front end for various YouTube videos and the owner profits from advertisements on the site.
This time around, the scam appears to be hosted at a site controlled by the attacker. There are various URLs on the domain that ultimately link to the same content, but one in particular (rentadp[dot]com/malaysia/) appears to be piggybacking on the MH370 disappearance. When visiting that URL, the victim is redirected to a completely fake Facebook page. Once again, most of the page is nothing more than an image and the only links either refresh the page or prompt the user to share the scam on their real Facebook profile before they can view the video. It would appear that the scammers were a bit lazy this time as despite the URL referencing ‘Malaysia’, they’ve clearly used a picture of US Airways Flight 1549, which crash landed on the Hudson river in 2009. Should users choose to share the scam, they won’t ever see the video, but instead will be redirected to a pay-per-click scam which requires yet another task, this time around the victim must fill out one of three surveys before they can proceed. This is where the the scammers make money. They’re paid a few cents for every survey completed.
Sutton says: “Unfortunate that anyone would seek to profit from a tragedy, but unfortunately, this has now become the norm.”