PayPal and Twitter abused in Turkey relief donation scams


Scammers are now exploiting the ongoing humanitarian crisis in Turkey and Syria: this time stealing donations by abusing legitimate platforms like PayPal and Twitter.

This week, high magnitude earthquakes claimed more than 15,000 lives, caused extensive infrastructural damage and disrupted network connectivity across the Middle East and Mediterranean region.

As government, businesses and charity organizations step up to raise funds and aid victims of this ecological disaster, threat actors are wasting no time in targeting unsuspecting donors.

‘Fundraising’ scam abuses PayPal.com

BleepingComputer has identified multiple scams running on Twitter and abusing legitimate platforms like PayPal’s fundraising pages to create convincing scam websites and collect proceeds from donors hoping to aid earthquake victims.

One of the scams, for example, touts itself to be a “Turkey Earthquake Relief” fundraiser on Twitter. To lend itself some credibility, the account persistently retweets updates from established news outlets and government officials:

Fake Turkey Relief Twitter account
Fraudulent ‘Turkey Relief’ Twitter account (BleepingComputer)

Notice the PayPal link in this account’s bio, however. This is the ultimate lure—to drive donors to the real PayPal.com website which is hosting a fundraiser page:

https://www.paypal.com/pools/c/8RmZmKAxvQ

The fake Twitter account has since been suspended, although the PayPal fundraising page is still up at the time of our analysis.

Genuine PayPal fundraising site abused in donation scam
Genuine PayPal.com abused in Turkey relief scam (BleepingComputer)

BleepingComputer further observed the PayPal fundraiser had collected a total of $900 in donations, with the creator of the page “donating” $500 to their own “cause” to make the fundraiser appear authentic:

Donation amounts raised by PayPal fundraiser
Donation amounts raised by the PayPal ‘fundraiser’ (BleepingComputer)

BleepingComputer has reported this fundraiser to PayPal and approached the company for comment.

A PayPal spokesperson shared a statement with BleepingComputer:

“PayPal is used by over 500,000 legitimate charities and non-profit organisations around the globe. While the vast majority of people using PayPal to accept donations have the best intentions, there are inevitably some who attempt to prey on the charitable nature and generosity of others. PayPal teams are always working diligently to scrutinise and ban accounts, particularly in the wake of events like the earthquake in Turkey and Syria, so that donations go to intended causes. We also encourage the community to flag any suspicious activity to the company. As always, we recommend that anyone looking to support disaster relief efforts do so through verified, reputable organisations or corporate campaigns.”

What makes a scam like this especially convincing is, instead of using a separate scam or phishing domain, threat actors use a trustworthy payments platform like PayPal. Picking scams apart from real fundraisers is further complicated by the fact that any person can set up fundraisers online and claim to have the best of intentions, which remains questionable.

On PayPal alone, there exist multiple fundraisers for the current cause. How do you tell a fraudulent one from the real deal?

Multiple PayPal fundraisers for Turkey and Syria
Multiple PayPal fundraisers for Turkey and Syria (BleepingComputer)

In some other instances, we observed individual Twitter users pointing donors to their personal PayPal.me links and claiming to raise funds for the noble cause.

Luckily, some sharp-eyed observers [1, 2] caught an interesting detail: PayPal has not been operating in Turkey since at least 2016. As such, Twitter user accounts with “Turkish” sounding names who claim to be based in Turkey but instead urge donors to pay up via PayPal raise a red flag.

PayPal ceased to operate in Turkey in 2016
English translation of PayPal Turkey’s notice issued in 2016 (BleepingComputer)

Bear in mind though, legitimate charities operating outside of Turkey may very well choose to use PayPal, Venmo, and similar payments platforms for genuine fundraising efforts, where applicable.

A Venmo account we came across, for example, appears to belong to UC Berkeley’s Turkish Student Association that is raising funds for earthquake victims, according to information on social media. While that may indeed be the case, it becomes increasingly difficult to readily verify the authenticity of such accounts and any duplicate (copycat) accounts that may spring up from threat actors.

For clarity, we aren’t claiming that such Venmo accounts are necessarily part of a scam but, at the same, we have been unable to verify their authenticity. Donors should therefore exercise discretion when giving online.

Twitter replies flooded with illicit crypto addresses

In another scam, we observed scammers abusing Twitter by flooding replies with their illicit Bitcoin and crypto wallet addresses.

The threat actor controlling a burner Twitter account replies to tweets from prominent personalities and businesses with a huge following, such as Elon Musk and @DogeCoin, to maximize the scam’s reach. In these replies, the scammer posts their fraudulent wallet address to dupe donors:

Scammer flooding Twitter replies with illicit crypto addresses (BleepingComputer)

In yet another scam, we saw individual Twitter users claiming to raise crypto donations:

fake crypto donation addresses
Fake crypto donation addresses (Twitter)

Searching these wallet addresses online quickly revealed that these had been associated with suspicious accounts and webpages (including adult content threads on the Russian social media website, VK [1, 2]). This casts doubts on the veracity of claims made by these “fundraisers.”

Same wallet addresses repurposed elsewhere
Same wallet addresses re-purposed elsewhere by other accounts (Twitter)
Russian VK.com thread listing the wallet address
Wallet addresses were earlier listed on VK.com threads (BleepingComputer)

BleepingComputer traced similar fraudulent wallet addresses and observed that altogether these crypto wallets were either empty or had no more than a few hundred dollars, given the recency of these scams. That is not to say that this will forever remain the case, should unsuspecting donors start falling for these scams.

Fake charity emails and websites

As if all these cons haven’t already added to Turkey’s ongoing crisis, threat actors have also spun up fake charities, as they did during ‘Help Ukraine’ scams that BleepingComputer had reported on last year.

This week’s report from Romanian cybersecurity company Bitdefender reveals, adversaries are sending phishing emails that claim to come from charities. These charities themselves have dubious origins.

These emails urge recipients to support earthquake victims by making crypto donations to wallet addresses that are, predictably, not associated with any known government or trustworthy entities:

phishing email claims to come from a charity
Fake Turkey/Syria fundraiser email claims to originate from a dodgy charity (Bitdefender)

“The domain hosting the so-called Wladimir Charity Foundation was created on Oct. 3, 2022, and is already blacklisted by our anti-spam and anti-fraud filters,” states Bitdefender’s Alina Bîzgă in the report.

The ‘Wladimir Charity Foundation’ website had earlier been claiming to raise funds for Ukraine war victims:

Dubious Wladimir Foundation charity website
Dubious ‘Wladimir Foundation’ charity website listing crypto address (BleepingComputer)

Also circulating lately are scam emails claiming to originate from ‘UNICEF’ partners:

phishing emails claim to be associated with UNICEF
Fake ‘Earthquake Relief’ emails claim to be associated with UNICEF (Bitdefender)

“Scammers claim they are a world charity organization in collaboration with UNICEF and call for donations in support of the affected children and families in both countries,” Bîzgă points out in the same report.

UK govt urges you to ‘Give safely’

When giving online, if in doubt, hold back and think.

UK government has urged public to ‘give safely’ when supporting global aid efforts in response to humanitarian crises such as this one.

“The impacts of the earthquakes in Turkey and Syria are shocking and devastating. Charities are once again stepping in to support those in need,” said Helen Stephenson, Chief Executive of the Charity Commission in a statement.

“I know that so many people across the UK will want to contribute and so I want to ensure every donation reaches its intended cause. This is why we are reminding everyone to give through the DEC or follow our simple steps, such as checking our online register, to make sure they’re giving safely.”

Check the charity register

Among various guidelines issued for donors, a particularly handy one is searching the government’s charity register to ensure your proceeds are reaching a legitimate cause. This advice is applicable to UK-centric donors. Your regional government or tax authority (such as the IRS) may have similar directories and non-profit registers.

Look up bank account numbers online

Legitimate charities and government relief fundraisers like Syria Relief, as well as Turkey’s AFAD and AKUT list their authentic bank account numbers on their official websites. Often these account numbers are then further cited by credible media outlets in news reports.

As such, ensure the accounts you are donating to are associated with real organizations. A quick Google search can be useful here.

When making online transfers to an external bank account, your bank will typically warn you should the recipient name mismatch the one on the bank account (this is common for British, European and Asian banks). Ensure that the name on the bank account represents the charity that you’re donating to.

Legitimate crypto donation routes

For those who prefer to donate in cryptocurrency, legitimate means do exist.

The Web3 community has stepped up to raise millions from crypto enthusiasts, according to a report from Decrypt.

The report mentions several blockchain companies including Binance, Tether, Bitfinex, OKX, and Kucoin who have pledged to collect over $9 million in donations, and announced their legitimate wallet addresses and webpages via their official websites and social media channels.

Once again, a simple web search for a crypto wallet address will reveal if it’s relatively unknown (a red flag) or indeed associated with a real charity, business or government website. News reports from media outlets will often cite genuine crypto addresses with proper context.

Don’t wait: report online scams

BleepingComputer continues to monitor and report online scams both to the public via our website, and to the concerned online platforms being misused by scammers.

If you come across similar donation scams related to the ongoing crisis in Turkey and Syria, consider sending us a news tip online or via Signal at +1 (646) 961-3731.





Source link