
As Haiti earthquake relief efforts continue, so do the spammers, phishers and scammers

Created: 20 Jan 2010 • Updated: 25 Jan 2010
Paul Wood

Posted on behalf of Dan Bleaken, Malware Data Analyst, Symantec Hosted Services

The Haiti earthquake happened at 21.53 GMT on Tues Jan 12.  It wasn’t long before we saw something related in spam, about 24 hours in fact. 

Spammers, almost without fail, produce spam campaigns containing text relating to virtually every major newsworthy event, and also to plenty of events that are in the news but are not particularly global, exciting or sometimes even interesting. The approaches that spammers frequently use when newsworthy events arise include:

1.    Spammers may just continue to send the same old spam campaigns: pharmaceuticals, fertility drugs, watches or whatever.  But if they include the latest news headlines in the subject or somewhere in the body, this works to grab the attention of the recipients and makes it more likely they will open the spam and get drawn into whatever the spam is offering.  These tend to be large in volume, but we haven’t seen them for the Haiti earthquake yet.

2.    They also continue to send the same old spam campaigns, but include large chunks of text scraped from news websites (or sometimes from other websites, such as blogs), to act as anti-spam "poison" in the mail message body.  This is intended to confuse signature-based or Bayesian anti-spam tools, and may also seek to obstruct attempts at tracking different types of spam.  We have seen a few of these types for Haiti.

3.    The spammers may take more time to create brand new spam runs related to the newsworthy event – these are often the most interesting from a research perspective.  In this case spammers go out of their way to create a new campaign from scratch which is wholly related to the event, rather than just mentioning an event as above.  There are plenty of examples of these below, especially for 419-style or advance-fee fraud scams.

Because 3. is harder to produce, spammers usually go for the simpler "insert subject here" or "add some text here" approach of 1. and 2.  It’s very easy for spammers to set up automated scripts to take news text and news headlines from various websites and include them in their latest spam campaigns.

We have been tracking spam messages that contain keywords such as "haiti," "quake," "port-au-prince," etc. from a few hours after the earthquake first struck:

chart1.jpg

The initial few spam messages that were related to the Haiti quake were on January 13 and 14, but they were not really about the earthquake.  They just included some of the keywords we had been tracking, as anti-spam poison (as in example 2. above).  However, we have seen a lot more of these in the days following the disaster.

The first spam that we found which really was related to the earthquake included a 419-style scam which arrived at about 0500 GMT on January 14.  My colleague Mat Nisbet wrote a nice blog posting about this one (http://www.symantec.com/connect/blogs/419-style-sc...).

Here’s another one:

scr1.png 

And another one:

scr2.png

Shortly after these 419s we saw a campaign with the Subject: "Help Wyclef Jean and the Haiti Earthquake Victims."  In this example, they’ve included a list of legitimate domains to donate to, but it invites the recipient to reply to the mail in order to make a donation as well.  This spammer is counting on people replying in order to receive their money.  The spammer is using the service akapost.com to conceal the reply address.  Haiti-born Wyclef Jean is actively involved in generating support for Haiti (http://wyclefjean.wordpress.com/2010/01/13/stateme...), and spammers, perhaps aware of this, are trying to use his name to add legitimacy to their scams.
 
scr3.png

And here's an example of another 419 scam from last Sunday.  The link given in the email is for an image, hosted on a well-known UK-based newspaper's website:

scr4.png
 

We found something quite stunning last Thursday – a 419 style scam related to the Haiti earthquake, containing a large chunk of text used in a 419 scam relating to the Indian Ocean Tsunami in January 2005.  A great example of spammers re-cycling old campaigns/templates.

First the original Tsunami 419 scam from 2005:

scr5a.png

And now the more recent Haiti Earthquake 419 scam:
 
scr5b.png
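
The template re-use shown in the two screenshots above can be caught mechanically by measuring how much of an archived scam's text reappears in a new message. The following is an added example, not part of the original post and not Symantec's own tooling; the function names, the 0.3 threshold and both sample messages are constructed for illustration.

```python
import re

def shingles(text, k=5):
    """Set of k-word shingles, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def containment(new_msg, old_template, k=5):
    """Fraction of the archived template's shingles found in the new message."""
    old = shingles(old_template, k)
    if not old:
        return 0.0  # template shorter than k words: nothing to compare
    return len(old & shingles(new_msg, k)) / len(old)

def flag_recycled(new_msg, archive, threshold=0.3, k=5):
    """Return [(template_id, score)] for archived templates re-used in new_msg."""
    scored = ((tid, containment(new_msg, body, k)) for tid, body in archive.items())
    return sorted((h for h in scored if h[1] >= threshold), key=lambda h: -h[1])

# Constructed sample data (not real spam): an archive of older scam templates.
ARCHIVE = {
    "tsunami-2005": (
        "I am writing on behalf of the relief committee for victims of the "
        "tsunami disaster. We have funds set aside that must be moved abroad "
        "and we need a trusted partner to receive them. Reply with your full "
        "name and telephone number so that we can proceed."
    ),
    "lottery": (
        "Congratulations your email address has won the international lottery "
        "draw. Contact the claims agent to receive your prize today."
    ),
}

# Constructed new message: same body, only the event name swapped.
NEW_MSG = (
    "I am writing on behalf of the relief committee for victims of the "
    "Haiti earthquake. We have funds set aside that must be moved abroad "
    "and we need a trusted partner to receive them. Reply with your full "
    "name and telephone number so that we can proceed."
)

if __name__ == "__main__":
    for template_id, score in flag_recycled(NEW_MSG, ARCHIVE):
        print(f"{template_id}: {score:.0%} of archived template re-used")
```

Containment is measured against the archived template rather than the union of both texts, so a recycled chunk is still flagged when the spammer pads the new message with unrelated news text.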

And on Sunday, a UNICEF phishing attack was intercepted.  The email claims to be from UNICEF asking for a donation to the Haiti earthquake.  In actual fact it’s a phish which would lead recipients to a phishing website (which doesn’t exist anymore as it has been taken down). The phishing website asked for their personal details, including their credit card details:
 
scr6.png

 
In terms of volumes of spam seen, it has only been relatively tiny fractions of a percentage of all spam; however, bearing in mind that more than 100 billion spam mails are sent globally each day, there is a very large volume of Haiti related mails in circulation.  I’d estimate that an average of at least 50 million spam have been sent each day related in some way to the Haiti earthquake.  It demonstrates what we often see elsewhere in the cyber criminal world, that spammers especially are quick to react to and use the latest news stories in existing spam campaigns or sometimes they will create brand new ones, as we have seen here.

My general advice is that whenever you learn of an appeal for donations that you wish to contribute towards, you should contact the charity directly yourself and ensure that it is a genuine appeal, and that your money really is going to where you want it to go.