Disaster fraud: you’ll never even know you were conned


Governments must build a “web of trust” to counter online fraudsters who exploit natural disasters using bogus help pages that con the public out of money, a cybersecurity expert is urging.

“What’s often the most exploited piece of a normal organization – it’s their supply chain,” says Joel Burleson-Davis, SVP of Worldwide Engineering at cyber company Imprivata. “Well, the interesting thing that happens with natural disasters is you create all sorts of ad hoc supply chains, right? If you can break a long-standing chain from an organization because that's still the weakest link, just imagine how fragile these chains are.”

ADVERTISEMENT

The “ad hoc” supply chains Burleson-Davis is referring to are, for the most part, well-intentioned enough. For example, the GoFundMe pages that were set up by the public in the aftermath of natural disasters like Hurricane Harvey, which swept through his native Texas in 2017, to help victims.

Unfortunately, such websites create precisely the kind of territory that digital crooks like to lurk in.

“You can have 15, 20, 30, GoFundMe pages to help this family, community, whatever,” says Burleson-Davis. “And, you know, 95% or 99% of them could be some strangers setting it up where they have good intentions. But it doesn’t mean that 31st one couldn't be someone randomly trying to get all this capital that's easily available, masquerading as someone that’s going to help.”

The problem is only compounded by the sense of urgency that a natural disaster like a flood, hurricane, or earthquake creates – because this kind of psychological pressure is exactly what social engineering and phishing scams thrive off.

“They’re like throwing funds at, you know, these quickly built sort of GoFundMe pages or whatever,” says Burleson-Davis. “And they don’t know who really started it. They’re just emotional. You feel the urgency to help, and it doesn’t keep someone from making off with a piece of these available resources.”

Vital and potentially compromising data too can be extracted from target organizations under pressure, simply by persuading them you’re there to help in the middle of a crisis.

“Think of natural disasters and federal money flowing or organizations coming to help, you can exploit that same dynamic,” he says. “It’s not particularly hard: ‘Hey, I’ve emailed you. It happens to be from my personal account, but I'm really a Red Cross worker. Can you send me x, y, z?’ Someone’s like, ‘Yes, I need help, I’m tired. Sure, I'll send that to you.’ And then suddenly you have a malicious actor into whatever you’ve sent them.”

A sticky problem

ADVERTISEMENT

I put it to Burleson-Davis that his concerns may well be valid – without divulging details, he says he has seen disaster scammers on the rise in recent years – countering the problem will be difficult. Telling the public not to give charitable donations during disasters to avert cybercriminality would be to do more harm than good, surely?

Burleson-Davis agrees. “This is one of the reasons it’s a great [target] for a morally bankrupt person to go after,” he concedes. “Because we don’t want to spread the message that, when you see people in pain or an emergency, don’t help them. We as a society don’t want to say that.”

Acknowledging it to be a “sticky problem” with no quick fix, he says he’d like to see the government, particularly in states like Texas and California that are prone to natural disasters, adopt an official ‘safe list’ of web pages that the public can donate to in times of crisis.

“Your official channel says these are the GoFundMe pages you should go after, say, here are the ten vetted,” he posits. “We know the identity, the organization, behind this.”

He also thinks state and federal governments should do more to communicate their disaster response plans to the public so ordinary citizens know what to do when trouble strikes: “If a natural disaster happens, south-east Texas gets taken out, the people that you need to talk to, the channels you should communicate with, and easy ways to verify the identity of those.”

So it’s more about raising awareness among the public as a whole rather than trying to go after the individual threat actors who might be behind the scam pages?

“This is not that dissimilar to trust on the internet, particularly like SSL or TLS certificates,” he says, referring to the digital system that allows browsers to identify and establish encrypted network connections to websites. “At some core level, there’s just this web of trust. You know, Alice trusts Bob, who trusts Charlie – I trust Alice, therefore I trust Charlie. You create some kernel-level web of trust. And then from there, you can do a lot of things to officially extend that trust everywhere else because it's another web of trust. You have to have something like that transitive trust to push out to other organizations.”

"It's like I gave $1,000 to this thing. You never expect to hear back. You don't go check up on whoever that is."

Imprivata cybersecurity specialist Joel Burleson-Davis on why disaster scammers get away with it so easily

And just like that, they’re gone

As for pinning down the source of the problem – the threat actors behind the opportunistic scams – that is even stickier. The global nature of cybercrime means that a crook capitalizing on a flood or an earthquake in the US could theoretically be from the other side of the world – and may well be.

ADVERTISEMENT

“Natural disasters are obviously going to happen in a specific place or not,” says Burleson-Davis. “But we have such a connected world that that doesn’t really matter that much. The moment a disaster hits somewhere, the world knows about it. Because of the way communication is done these days, space and time are compressed.”

Of course, that only widens the attack surface for cybercriminals, who could just as easily find rich pickings from a well-intentioned member of the public in, say, Europe as America when trouble arises in the US.

“Even if a natural disaster is hitting somewhere like Texas, folks in the UK are going to know about it fast,” says Burleson-Davis. Likewise, the global nature of business means weak spots in a target organization’s computer systems can be found almost anywhere.

“It’s interesting to think a location like Texas or Florida, because of hurricanes, might be more vulnerable to this sort of cyberattack,” he says. “It’s not really true because a supply chain can grow and pop up anywhere in the world, right? Because we’re so interconnected.”

Worst of all, most victims of such scams will never even realize they were victims in the first place – who gives money charitably during a crisis and expects to see a return on it? But that “one-way flow,” as Burleson-Davis puts it, means cybercriminals don’t even need to worry about covering their tracks.

“It’s like I gave $1,000 to this thing,” he posits. “You never expect to hear back. You don’t go check up on whoever that is – like the $1,000 that you gave me, these are the things I bought or whatever, right? There’s no feedback mechanism or information flow to say yes, check the box, that’s the right thing that happened. There’s no audit of the activities that happened after you helped.”

As for who is behind disaster-related cyberattacks, that is anybody’s guess – but Burleson-Davis’s is that chances are, they are state-backed, although he can’t prove anything.

“Going after these ‘event-based’ opportunities, often the majority of them seem like they’re state actors,” he says. “It’s the same sort of loosely affiliated groups that are quite active in wreaking havoc around the world.”

ADVERTISEMENT