I was asked whether I'd seen SEO (Search Engine Optimization) poisoning relating to the Icelandic eruption and the very widespread grounding of aircraft in Europe. Well, there were certainly attempts in March to exploit the earlier Eyjafjallajokull eruption in order to drive googlers interested in finding out more towards malicious web sites. So it would be naive to assume that they haven't or won't make use of the current travel crisis. I haven't noticed an upsurge, but I don't have the lab resources to monitor that kind of activity personally: if our research labs mention a significant uptick we'll pass it on here.

However, a post by Zeljka Zorz at Help Net Security raised an interesting idea. The post actually deals with the "friend in need" scam (or "London scam" or "Londoning") that I've mentioned here and at other blogs several times before. Technically, I suppose you'd have to call it Wolverhamptoning, since the address given by the scammer was near to that part of the UK's West Midlands. As I've spent much of my life in that part of the country (in fact, I was there last week), I was kind of amused by the picture of robbers rampaging through semi-rural English hotels and stealing luggage, money and "my contact dairy" (obviously la creme de la crime...). What would Miss Marple have said? I'm not saying that Wolverhampton doesn't have its rough spots, but Robin Hood ceased his operations some centuries ago, and anyway seems to have preferred the East Midlands.

Still, I can see that a potential victim might be as unfamiliar with the locality as this scammer appears to be, and if you're not familiar with this type of scam, it's useful to remember that the site of the "robbery" doesn't have to be London, or even the UK: indeed, it's likely that we'll see further diversification of locale and scenario. Which leads us to Zeljka's most interesting point.

Also, this situation made me think and realize that we will probably soon witness scam emails that take advantage of this "Iceland volcano erupting" situation and will try to claim that your friend has been stranded in the UK because of the lack of flights and has run out of funds, so would you please send some? Thanks!

Ordinarily, I'm cautious about proposing hypothetical scenarios for new scams and other threats. The bad guys are inventive enough, without giving them more ideas. But this scenario fits in so neatly with the "friend in need" approach to scamming, that it's hard to imagine it hasn't already been tried.

So what can you do about it? Here's a slightly expanded list of suggestions from my last post on the topic.

  1. Well, you can be very suspicious of messages like this, however they arrive and wherever or whoever they come from. The message described in Zeljka's post may give you some ideas about what constitutes "suspicious" in the email context: it's clear from the headers that it was sent to more than one person, it doesn't indicate that the sender actually knows anything about the recipient other than their address (no personal touches), and so on.
  2. Don't even think of responding to the request until you've verified the source with extreme prejudice.
  3. Absence of personalization (personal touches in the message that actually indicate the sender knows you well) is a pretty good indicator of untrustworthiness (and characteristic of all generalized phish and 419 messages). If I was going to tap you for a few thousand dollars, I think I'd probably ask after your spouse and children, for instance, however upset I was. However, bear in mind also that not all social engineering attacks are untargeted. Remember that someone who compromises your Facebook account, for instance, has access to your profile and those of your friends, not just your account details and contact lists.
  4. If the way the message is expressed is uncharacteristic (especially if it sounds more "foreign" than you'd expect), that's a pretty good indication that you're not talking to the person you think you're hearing from.
  5. Be particularly sceptical when a "friend" (or, even more suspiciously, an acquaintance) wants you to send them cash by a scam-friendly channel such as Western Union.
  6. 419 scams are sometimes inventive in social engineering terms, but not necessarily hi-tech: take reasonable precautions to avoid having your accounts (email, Facebook, other social networking sites) compromised. Use hard-to-break passwords, don't use the same password for multiple accounts, and be on the lookout for any attempt to trick you into giving your password away; that will reduce your attack surface (no guarantees of invulnerability though!).
  7. Facebook have a terse summary of their take on it here: http://www.facebook.com/security?v=app_4949752878&viewas=22000040.
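The indicators in the list above (a message sent to several people at once, a greeting that names nobody, distress wording, and a request for cash by a wire channel such as Western Union) are easy to turn into a simple triage check. The following is an added example, not code from the original post or from ESET; the two messages, the phrase lists and the `score_message` helper are all constructed for illustration, and the phrase lists are deliberately small rather than a complete scam vocabulary.

```python
import email
import re
from email import policy

# Constructed sample messages (not real mail). The first is modelled on the
# "stranded friend" scam described above; the second is an ordinary note.
SAMPLE_SCAM = """\
From: "Alice Example" <alice@example.com>
To: bob@example.net, carol@example.org, dave@example.com
Subject: Urgent help needed
Content-Type: text/plain; charset=utf-8

Hello,

I am writing this with tears in my eyes. I came down to the UK for a short
vacation and got stranded because of the flight groundings. I was robbed of
my wallet and passport at the hotel. I need you to send me 2,500 USD via
Western Union so I can settle the hotel bill and fly back. Please respond
as soon as possible.

Regards,
Alice
"""

SAMPLE_LEGIT = """\
From: "Alice Example" <alice@example.com>
To: Bob Smith <bob@example.net>
Subject: Dinner on Friday?
Content-Type: text/plain; charset=utf-8

Hi Bob,

Are you and Jen still free on Friday? The kids can come too, we'll just
order pizza. Let me know.

Alice
"""

# Illustrative phrase lists (assumptions, not an exhaustive signature set).
WIRE_CHANNELS = ("western union", "moneygram", "wire transfer")
DISTRESS_PHRASES = ("stranded", "robbed", "run out of funds", "send me",
                    "lost my wallet")
# A greeting consisting of only "Hello," / "Hi!" / "Dear" names nobody.
GENERIC_GREETING = re.compile(r"^\s*(hello|hi|dear)\s*[,!]?\s*$", re.IGNORECASE)


def score_message(raw):
    """Return a dict of findings for the indicators listed in the post."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = body.lower()
    findings = []

    # Indicator 1: visibly sent to more than one recipient (To/Cc headers).
    recipients = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            recipients.extend(value.addresses)
    if len(recipients) > 1:
        findings.append("sent to %d recipients" % len(recipients))

    # Indicator 3: no personalization; the greeting line names nobody.
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "")
    if GENERIC_GREETING.match(first_line):
        findings.append("generic greeting, no personal touch")

    # Indicator 4/5: stranded-and-robbed wording plus a cash request.
    distress = [p for p in DISTRESS_PHRASES if p in text]
    if distress:
        findings.append("distress wording: " + ", ".join(distress))

    # Indicator 5: asks for money through a scam-friendly wire channel.
    channels = [c for c in WIRE_CHANNELS if c in text]
    if channels:
        findings.append("wire-transfer channel: " + ", ".join(channels))

    score = len(findings)
    return {
        "score": score,
        "findings": findings,
        # Two or more indicators together: verify out of band before replying.
        "verdict": "suspicious" if score >= 2 else "no indicators",
    }


if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(sample))
```

The check is a prompt to verify the sender through another channel, not a verdict: a real friend who writes "Hi," and uses Western Union will trip it, and a targeted scammer who has read your Facebook profile can easily add the personal touches it looks for, which is exactly the caveat in point 3.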

(Tip of the hat to Sorin Mustaca for the pointer to Zeljka's post.)

David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://amtso.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/
http://chainmailcheck.wordpress.com
http://smallbluegreenblog.wordpress.com