X

Scamming non-profit organizations leads to Google gripe

A new scam, targeted at non-profits, attempts to install malicious software when you do a Google search

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.

Disclosure.

See full bio
Michael Horowitz
2 min read

Warning of a new scam targeting non-profits comes from Alex Eckelberry of Sunbelt Software, the company behind the anti-Spyware program CounterSpy.

The scam starts out with an email message that seems to be from Barbara Moratek Vice President, Director of Grant Programs at Ivete Foundation. The come-on in the body of the message is:

"Would you have additional information for prospective donors or volunteers other than what is on your website? Thank you in advance."

I've said before, you can never trust the FROM address of an email message. According to the email header from one of the messages, it originated in Brazil, in the city of Curitiba from a computer with a name of virtua-cwbas189-4-7-26ctb.virtua.com.br.

But, there is a new twist to this scam, the bad guys have set up traps for someone doing a Google search for "Barbara Moratek". Alex provides a screen shot of this Google search from Thursday January 10th showing "... a bunch of links pushing fake codec Trojans and other junk sites (many on Blogger)." So, the process of checking whether the email is legitimate can result in your computer getting infested with malicious software. Fortunately this scam has gotten enough attention that the top links on Google are now warnings about Barbara Moratek.

Yet another wrinkle to this scam is that the malicious web pages Google offered up were from sites that are not obviously suspicious. For example, Digg and Lycos both served up phony Barbara Moratek web pages as did Blogspot and Celebrity-pictures-gossip.com. User contributed content has to always be consumed with a grain of salt.

One thing strikes me as inexcusable. The alert about this first went up on January 10th, Brian Krebs picked up on it and wrote about it at WashingtonPost.com on the 11th. Both the Sunbelt blog and Brian's Security Fix column are well known and popular, which begs the question:

Why are there still malicious Barbara Moratek web pages showing up in Google?

As I write this on January 13th, three of the scam Barbara Moratek pages still show up on the first page of search results at Google. Is anyone minding the store? Yahoo's search is clean, the first two pages of results of a search for "Barbara Moratek" turn up nothing but warnings about the scam. No actual malicious pages are shown. Google should do better, it can't be a big deal for them to remove known malicious web pages from their database.

For more on deciding whether an email message is on the level see a couple earlier postings of mine:

-- Defending against a phishing email message October 27, 2007

-- Is that e-mail message legit? How a computer nerd analyzes it November 11, 2007

Always be skeptical on the Internet.


Update: You can report a web site that you suspect contains malicious software to Google at google.com/safebrowsing/report_badware/. The trailing slash is required. January 14, 2008.

See a summary of all my Defensive Computing postings.