The Criminal Allure of Hurricane Harvey

History has shown us that scammers and malicious entities will go to any lengths to distribute their wares. No event or tragedy is off limits, and the events surrounding Hurricane Harvey are no exception.

As we have seen with past events, almost immediately, the hurricane was being leveraged as a social engineering lure. On the malware/spam side of the coin we have observed multiple phishing campaigns where Harvey was used to spread malicious software/adware or other unwanted consequences.

It is unfortunate that those affected by these events need to worry about more than the usual scams (insurance fraud, shady repair/contracting companies, and the like).

Fig 1: Be Careful to Verify the Authenticity of Donation Sites

This should serve as yet another reminder that nothing is off the table when it comes to the bad guys and phishing/social-media-based scams. On August 28, the US-CERT issued an alert on this issue. Their guidance serves as a great template for preventing basic fraud of this nature. That being said, the threat extends beyond email.

We encourage our customers and the greater public to apply that same diligence to any platform on which they are active (Twitter, Facebook, various IMs, and beyond). According to the Better Business Bureau, there have already been several hundred unique complaints surrounding fake Hurricane Harvey fundraising sites. False fundraising/crowdfunding sites and campaigns have quickly become a top concern threat-wise.

To that point, the United States Department of Justice (along with several other agencies) has issued detailed alerts. We have linked to some of these resources below and encourage all to review them so as not to fall victim to fraud and abuse.

Stop, think, and be careful, no matter how real the emails/tweets/posts may look at first.

Mayweather + McGregor = Malware

On the lighter side of social engineering, the recent match-up of Conor McGregor and Floyd Mayweather really caused scammers to ‘pull out all the punches.’

The highly advertised live-streaming offers became a prime opportunity for ne'er-do-wells to ‘come out swinging’ with malicious tweets and Facebook posts. While monitoring for related malicious activity, it did not take long for exactly that to appear. We have included one such example below.

We have what appears to be a rogue Twitter account, responding to requests for a live-stream link. The responses contain a (shortened) malicious link. The payload delivered varied depending on platform and browser. In most cases, Windows users would see delivery of FakeAV PUPs and fake Flash Player installs (often coupled together), as well as a variety of adware/spyware-laden browser plugins.

Fig 2: Popups Containing Malicious Links

Fig 3: Adware/Spyware-laden Plugins

Fig 4: Fake Flash Player Updates

MacOS users saw a similar chain of events: a DMG containing a fake Flash Player update/installer, bundled with MacKeeper.

Fig 5: More Fake Flash

Fig 6: Fake Software Update

As always, Cylance urges everyone to exercise caution when following links on social media or other unverified sources. CylancePROTECT® was able to prevent execution of PUPs and malware distributed via these campaigns (and others like it before).

Two Million Records Stolen in CeX Data Breach

This week CeX, a large second-hand goods chain based in the United Kingdom, announced a data breach. According to their statement, the stolen data contains the following pieces of personal information: first name, last name, mailing address, email address, and phone number. There have also been some instances of leaked (but encrypted) credit card data.

The ‘good news’ is that any exposed credit card data is from 2009 and prior, and therefore likely expired or invalid at this time. CeX is advising customers and anyone else affected to change relevant passwords (webuy.com for example), as well as to strictly avoid the trappings of password reuse.

Additional details can be found via CeX’s statement. Users looking to further protect themselves should always: