The FBI is warning that fraudsters are using the war in Gaza to solicit cryptocurrencies from the sympathetic.
On Nov. 14 and Nov. 6, different branches of the FBI published alerts warning that cybercriminals are masquerading as fundraisers and charities, using emails, social media, cold calls, and crowdfunding websites to convince victims that their money will go to either Palestinian or Israeli victims of the conflict. Often they're opportunistic cybercriminals, but sometimes they're terrorist organizations, which "often establish fake charities using social media platforms to subsidize their operations," the Bureau noted.
Many hundreds of such scams have popped up since Oct. 7 and, apparently, they're working. One report compiled by Netcraft last month traced 1.6 million dollars' worth of crypto to accounts associated with these fake charities.
It makes sense, then, that the trend isn't going away, and new campaigns — like the one described on Nov. 16 by Abnormal Security, targeting 212 individuals at 88 organizations — are still going strong.
"When you see suffering on the news, the human brain wants to make things better. That's just the natural condition of how we're wired, and attackers know this," warns Mike Britton, CISO at Abnormal Security.
"That's really the crux of why these campaigns are so effective — they know how to kind of short circuit your normal thinking, and hit you with a certain stimulus you're going to respond to differently than if you were looking at something without the same emotion and urgency."
How Fraudsters Try to Make Emails Seem Legit
Per the FBI, citizens should be suspicious of any unsolicited emails asking for money sent in forms not easily traceable, such as cash, wire transfers, gift cards, or, more often than not, cryptocurrencies.
Crypto, in fact, played more than one useful role in the latest campaign tracked by Britton, which exploited the suffering of Palestinian children.
The perpetrator used a few everyday tricks, like spoofing a real India-based company's email domain (erode@gwcindia[.]in), changing the display name (help-palestine[.]com) to make it look extra legitimate, and peppering in emotional and urgent language (e.g. "the children in Palestine are dying") presented in mostly grammatically correct English.
Often, scams like these lure victims into clicking on phishy links. By requesting payment in crypto, however, the attackers were able to avoid using any URLs that might be picked up by a traditional email security filter.
In fact, the links that were included in the email only served to lend emotion and legitimacy to the message.
"If you look at the links here, they're normal links: Al Jazeera, NBC News, UNICEF. Those lend credibility because as the recipient of this email, I'm going to think: 'Okay, Al Jazeera is a well-known news organization. NBC is well-known, UNICEF well-known — these aren't fishy BitLy domains,'" Britton points out.
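The traits described above (a display name showing a different domain than the sender address, a wallet address in the body, and only reputable links) can be checked as content signals that do not depend on URL reputation. The following Python code is an added example, not code from the FBI, Abnormal Security or Netcraft; the sample messages, keyword list, allowlist and signal names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Approximate wallet shapes (Bitcoin bech32/legacy, Ethereum); not checksum-validated.
WALLET_RE = re.compile(
    r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|0x[a-fA-F0-9]{40})\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENT = ("urgent", "dying", "donate now", "immediately")    # assumed keyword list
WELL_KNOWN = ("aljazeera.com", "nbcnews.com", "unicef.org")  # assumed allowlist

# Constructed samples; addresses, wallet string and wording are made up.
SAMPLE = """\
From: "help-children.example" <sender@company.example>
Subject: Urgent: the children need your help

The children are dying. Please donate now, every hour counts.
Read more: https://www.unicef.org/emergencies
BTC: bc1qexampleexampleexampleexampleexample00
"""
BENIGN = """\
From: "UNICEF Newsletter" <news@unicef.example>
Subject: Monthly update

This month's stories: https://www.unicef.org/stories
"""

def signals(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # assumes a single-part text/plain message
    found = []
    shown = DOMAIN_RE.search(name)  # domain-looking text in the display name
    if shown and shown.group(0).lower() != sender_domain:
        found.append("display_name_domain_mismatch")
    if WALLET_RE.search(body):
        found.append("crypto_address_in_body")
        hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
        # Payment is requested, yet every link (if any) is one a URL filter would pass.
        if all(any(h == d or h.endswith("." + d) for d in WELL_KNOWN) for h in hosts):
            found.append("wallet_without_suspicious_link")
    if any(t in (msg.get("Subject", "") + "\n" + body).lower() for t in URGENT):
        found.append("urgency_language")
    return found

if __name__ == "__main__":
    print(signals(SAMPLE), signals(BENIGN))
```
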
It Gets Worse
Unwitting victims who believe they're donating a modest amount of crypto to a good cause could, in the end, lose much more than they bargained for.
As Robert Duncan, vice president of product strategy at Netcraft, points out, scammers have been using crypto wallet drainers to turn small donations into big money.
"The crypto drainers are particularly effective — rather than many other types of donation fraud where the victim is still choosing how much cryptocurrency to send, crypto drainers can entirely empty a crypto wallet in one fell swoop," he explains.
This might help explain the 1.6 million dollars lost to Gaza scams in only the first couple of weeks following the outbreak of conflict. And, Duncan adds, "the total amount lost is likely to be higher, as many of the scams do not surface the underlying cryptocurrency transaction without making a payment which Netcraft was not in a position to track."
To snuff out these emails before they lead to crypto drains, Britton suggests the use of behavioral AI-enabled spam filtering, or some simple common sense.
"You're always better off donating to a known, reputable organization. Don't do it through an unsolicited email, do it through their website, or a known contact that you have," he advises.