Keypoints
- CRIL identified multiple domains and IP addresses hosting fake donation sites targeting earthquake victims.
- The phishing sites impersonate legitimate charities, using Red Cross branding and the Oxfam logo.
- Users are prompted to provide personal information (mobile number, email) and donation amount on these sites.
- After submission, users are redirected to a legitimate charity's donation page, which masks the fraud and borrows the real organization's credibility.
- Collected contact data can be used by scammers to contact victims via calls or emails to solicit funds.
- The sites forward the submitted data to a server through a Google script, so the exfiltration blends in with legitimate Google web-service traffic.
MITRE Techniques
- [T1566] Phishing – The attackers create fake donation websites to collect user information. ‘claims to be created to accept donations for those affected by the earthquakes in Turkey and Syria’
- [T1036] Masquerading – The fake site uses the logo of a legitimate organization to appear authentic. ‘falsely uses the logo of a legitimate organization, https://www.oxfam.org.uk/’
- [T1567.002] Exfiltration to Cloud Storage (sub-technique of T1567, Exfiltration Over Web Service) – Data submitted by users is transmitted to a server via a Google script. ‘transmits the user-provided information to a server through a Google script’
Indicators of Compromise
- [Domain] Fraudulent donation sites – redcrossturkey[.]com, help-turkey[.]org, and turkeyrelieftoken[.]help
- [IP Address] Hosting/phishing pages – 128.199.90[.]75, 35.208.102[.]247, and 162.213.251[.]229
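The collect-exfiltrate-redirect pattern in the keypoints, together with the indicators above, can be turned into simple triage logic. The following Python is an added example written for this page, not code from CRIL or the original report: it scores a fetched page on the traits described (charity branding served from an unrelated host, a form or script posting to a Google Apps Script endpoint, contact and amount fields, a post-submit redirect to a real charity) and matches the refanged indicators against log lines. The sample HTML, the log lines and the Apps Script ID are constructed; the mapping of brands to the charities' real domains and the `script.google.com/macros/s/.../exec` endpoint shape are assumptions, not facts stated in the report.

```python
"""Heuristics for the fake-donation-page pattern (added example, not from the report)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicators as published in the report, kept defanged.
REPORTED_DOMAINS = ("redcrossturkey[.]com", "help-turkey[.]org", "turkeyrelieftoken[.]help")
REPORTED_IPS = ("128.199.90[.]75", "35.208.102[.]247", "162.213.251[.]229")

# Brands the report says were abused, mapped to the charities' real domains.
# ASSUMPTION: used only to recognise the post-submit redirect to a legitimate page.
IMPERSONATED_BRANDS = {"red cross": "redcross.org", "oxfam": "oxfam.org.uk"}

# ASSUMPTION: the "Google script" is a Google Apps Script web app (/macros/s/<id>/exec).
GOOGLE_SCRIPT_RE = re.compile(r"https?://script\.google\.com/macros/s/[\w-]+/exec", re.I)
FORM_ACTION_RE = re.compile(r"<form[^>]*\baction=[\"']([^\"']+)[\"']", re.I)
INPUT_NAME_RE = re.compile(r"<input[^>]*\bname=[\"']([^\"']+)[\"']", re.I)
REDIRECT_RE = re.compile(r"location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)
PII_FIELDS = {"phone", "mobile", "tel", "email", "amount"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4, example[.]com, hxxp://) into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_HOSTS = {refang(x) for x in REPORTED_DOMAINS + REPORTED_IPS}


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def analyse_page(url: str, html: str) -> Verdict:
    """Score one page on the traits the report attributes to the fake donation sites."""
    v = Verdict()
    host = (urlparse(url).hostname or "").lower()
    if host in IOC_HOSTS:
        v.add(5, f"host {host} is a reported indicator")
    text = html.lower()
    for brand, real_domain in IMPERSONATED_BRANDS.items():
        if brand in text and not host.endswith(real_domain):
            v.add(2, f"'{brand}' branding served from unrelated host {host}")
    # Data sink: a form action or inline reference pointing at an Apps Script endpoint.
    sinks = set(GOOGLE_SCRIPT_RE.findall(html))
    sinks.update(a for a in FORM_ACTION_RE.findall(html) if GOOGLE_SCRIPT_RE.match(a))
    if sinks:
        v.add(3, f"form data sent to Google Apps Script: {sorted(sinks)}")
    collected = {n.lower() for n in INPUT_NAME_RE.findall(html)} & PII_FIELDS
    if collected:
        v.add(1, f"collects contact/amount fields {sorted(collected)}")
    # Trust transfer: client-side redirect to the real charity after submission.
    for target in REDIRECT_RE.findall(html):
        tgt_host = (urlparse(target).hostname or "").lower()
        if any(tgt_host.endswith(d) for d in IMPERSONATED_BRANDS.values()):
            v.add(2, f"post-submit redirect to legitimate charity {target}")
    return v


def scan_log(lines) -> list:
    """Return (line_no, indicator) pairs for log lines that contain a reported host or IP."""
    hits = []
    for i, line in enumerate(lines, 1):
        for ioc in IOC_HOSTS:
            if re.search(rf"(?<![\w-]){re.escape(ioc)}(?![\w-])", line):
                hits.append((i, ioc))
    return hits


# Constructed sample page on one of the reported domains; the Apps Script ID is a placeholder.
SAMPLE_URL = "https://redcrossturkey.com/donate"
SAMPLE_HTML = """
<html><body>
<img src="/img/oxfam-logo.png" alt="Oxfam">
<h1>Red Cross Turkey Earthquake Appeal</h1>
<form id="donate" action="https://script.google.com/macros/s/AKfycbxEXAMPLE/exec" method="POST">
  <input name="mobile"> <input name="email"> <input name="amount">
  <button>Donate</button>
</form>
<script>
document.getElementById("donate").addEventListener("submit", function () {
  setTimeout(function () { window.location.href = "https://www.oxfam.org.uk/donate/"; }, 500);
});
</script>
</body></html>
"""

# Constructed proxy/DNS log lines.
SAMPLE_LOG = [
    "2023-02-10T09:14:02Z dns query A redcrossturkey.com from 10.0.0.15",
    "2023-02-10T09:14:03Z proxy CONNECT 128.199.90.75:443 user=alice",
    "2023-02-10T09:15:11Z proxy GET https://www.oxfam.org.uk/donate/ user=alice",
]

if __name__ == "__main__":
    verdict = analyse_page(SAMPLE_URL, SAMPLE_HTML)
    print(verdict.score, *verdict.reasons, sep="\n  ")
    print(scan_log(SAMPLE_LOG))
```

The score is only a triage aid: a page hitting the Apps Script sink plus the redirect to a real charity is worth an analyst's look even when its host is not yet on an indicator list, which is how the next campaign on fresh domains would surface.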