FYI...

- http://isc.sans.org/diary.php?date=2005-08-30
Updated August 31st 2005 14:54 UTC
"Like after similar events in the past, we do expect scams and viruses to take advantage of this situation. Please be careful with e-mails containing 'hurricane videos' as attachments, or e-mail asking for donations. Refer to fema.gov for a list of reputable agencies (see link below) or donate to organizations you trust and have past experience with.

Hurricane Katrina
Our sympathies for those affected by Katrina. This has been one of the worst storms in history, and it looks as if it is actually getting worse. For those who are interested, I would encourage you to help out in any way you can."
- http://www.fema.gov/news/newsrelease.fema?id=18473

FYI...(this is legit):

New Orleans Mayor Issues 'Desperate SOS'
- http://news.yahoo.com/news?tmpl=story&cid=514&u=/ap/20050901/ap_on_re_us/hurricane_katrina_49
September 1. 2005
"NEW ORLEANS - Storm victims were raped and beaten, fights and fires broke out, corpses lay out in the open, and rescue helicopters and law enforcement officers were shot at as flooded-out New Orleans descended into anarchy Thursday. "This is a desperate SOS," the mayor said. Anger mounted across the ruined city, with thousands of storm victims increasingly hungry, desperate and tired of waiting for buses to take them out. "We are out here like pure animals. We don't have help," the Rev. Issac Clark, 68, said outside the New Orleans Convention Center, where corpses lay in the open and other evacuees complained that they were dropped off and given nothing — no food, no water, no medicine... National Guardsmen poured in to help restore order and put a stop to the looting, carjackings and gunfire that have gripped New Orleans in the days since Hurricane Katrina plunged much of the city under water. In a statement to CNN, Nagin said: "This is a desperate SOS. Right now we are out of resources at the convention center and don't anticipate enough buses. We need buses. Currently the convention center is unsanitary and unsafe and we're running out of supplies"...Terry Ebbert, head of the city's emergency operations, warned that the slow evacuation at the Superdome had become an "incredibly explosive situation," and he bitterly complained that FEMA was not offering enough help. "This is a national emergency. This is a national disgrace," he said. "FEMA has been here three days, yet there is no command and control. We can send massive amounts of aid to tsunami victims, but we can't bail out the city of New Orleans"..."

FYI...

- http://isc.sans.org/diary.php?date=2005-09-01
Updated September 1st 2005 23:47 UTC
"Katrina Malware
It didn't take long. This morning, we received an email which is promising news about the Hurricane. However, the site it links to appears to provide malware in addition to a brief news article. The text of the email (the original is in HTML):
Subject: Re: Katrina killed as many as 80 people...
Katrina Donation Scams
A couple of the domains we discovered yesterday removed the paypal button. Again, please let us know if you find any suspect domains. There are now about 230 .com domains that contain the strings 'katrina' and 'hurrican'.
We could use your help checking out domains we found that 'sound suspect'. These have been filtered from the .com zone file using keywords like 'katrina'. Lots of innocent domains, so don't use it as a block list just yet. We are trying to anotate this list as needed. NOTE: If you send us an anotation to add, we will add an e-mail address of yours to 'sign' the comment. The email address will be obfuscated. Unsigned comments come from our ISC handler team.
>>> http://isc.sans.org/katrina.com.txt ..."

...and:
- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=272
September 01, 2005
Malicious Website / Malicious Code: Katrina News Email Scam
"Websense Security Labs™ has received multiple reports of a new email scam, which attempts to lure users into visiting a malicious website. The message gives a brief news update on Hurricane Katrina and provides a link to the full news story. This website contains encoded JavaScript, which attempts to exploit two HTML Help vulnerabilities. Microsoft has addressed these vulnerabilities with http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx.
In the event that either of the exploits are successful, a Trojan downloader is placed on the workstation. The Trojan begins downloading a second malicious file, which is also a Trojan. The second Trojan has backdoor functionality that gives the attacker complete control of the workstation. The technique, exploit, and Trojan used in this attack are nearly identical to the Iraqi News Email Scam that began circulating in early August.
The first website involved in the attack is hosted in Mexico; the second is in the United States. Both were online at the time of this alert.
Websense Security Labs™ has also observed several hundred new websites, which are requesting donations for Hurricane Katrina relief. Many of these sites are believed to be fraudulent. We strongly recommend you verify the authenticity of any charity before making a donation.
Sample email text:
Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles northeast of Tupelo, Miss., moving north-northeast with winds of 50 mph.
Forecasters at the National Hurricane Center said the amount of rainfall has been adjusted downward Monday.
Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed as many as 80 people in his state and burst levees in Louisiana flooded New Orleans.
Read More.. <URL Removed>..."

FYI...

More Katrina Malware
- http://isc.sans.org/diary.php?date=2005-09-02
Updated September 2nd 2005 14:53 UTC
"The latest malware spotted uses the subject line:
"Is Government Reaction to Katrina Because of Loss of Life, or Loss of Property?".
A link in the email will lead to the malware."

EDIT/ADD:
- http://www.sophos.com/virusinfo/articles/katrina.html
1 September 2005
"... Subject lines used in the malicious emails include, but are not limited to, the following:
Re: g8 Tropical storm flooded New Orleans.
Re: g7 80 percent of our city underwater.
Re: q1 Katrina killed as many as 80 people.
Sophos experts believe that the people behind the email attack are deliberately adding random characters into the subject lines in an attempt to avoid detection by rudimentary anti-spam filters... "Receiving or reading the emails themselves does not mean you are infected," said Graham Cluley, senior technology consultant for Sophos. "However, if users click on the link contained inside the email they will be taken to a malicious website which will try and infect their computer. Once infected the computer is under the control of remote criminal hackers who can use it to spy, steal or cause disruption." Windows users who follow the web link visit a website which pretends to be a fuller version of the news story, but exploits vulnerabilities in Microsoft's Internet Explorer software to install a variety of malicious code including Troj/Cgab-A, Troj/Borobot-P, Troj/Borobot-Q, Troj/Borodldr-H, and Troj/Inor-R. The malicious attack is designed to allow remote hackers to gain unauthorized access to the victim's computer..."

FYI...

Phishing Alert: Red Cross / Hurricane Katrina
- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=275
September 04, 2005
"Websense® Security Labs™ has received reports of a new phishing attack that targets people to donate money in order to support the relief efforts for Hurricane Katrina. The spoofed email is written in HTML and poses as if it was coming from the Red Cross. The email also has the Verisign "Secure Site" Logo on it to help deceive the end-user that it is legitimate. Upon connecting to the link provided within the email, the user is directed to a fraudulent website which is hosted in Brazil and was up at the time of this alert. The site is also hosting other content and appears to have been compromised. The user's credit card, expiry date, and PIN are requested through a online form and, once entered, the user is then redirected to the real Red Cross website..."

EDIT/ADD:
- http://www.techweb.com/wire/ebiz/170700815
September 06, 2005
"In the eight days since the American Red Cross began collecting donations for Hurricane Katrina relief, it's gathered more than half of the $409 million total from the Web, the organization said Tuesday.
Approximately $209 million has come from Web donations, the Red Cross said...Last week the Red Cross also appealed to 700,000 former contributors via e-mail, and raised $4.5-million. A follow-up was mailed on Thursday...

Some differences can be spotted, however, in the phishing site. While the real American Red Cross site includes links to information on non-online ways to donate -- such as by phone or by mail -- the bogus site has trimmed the choices to online only..."

FYI...

Hurricane Katrina Spawns Phishing Sites
- http://www.us-cert.gov/current/#kat
Last reviewed: September 8, 2005 16:37:35 EDT
"US-CERT has received reports of multiple phishing sites that attempt to trick users into donating funds to fraudulent foundations in the aftermath of Hurricane Katrina. US-CERT warns users to expect an increase in targeted phishing emails due to recent events in the Gulf Coast Region.
Phishing emails may appear as requests from a charitable organization asking the users to click on a link that will then take them to a fraudulent site that appears to be a legitimate charity. The users are then asked to provide personal information that can further expose them to future compromises.
Users are encouraged to take the following measures to protect themselves from this type of phishing attack:
1. Do not follow unsolicited web links received in email messages
2. Contact your financial institution immediately if you believe your account/and or financial information has been compromised
US-CERT strongly recommends that all users reference the Federal Emergency Management Agency (FEMA) web site for a list of legitimate charities to donate to their charity of choice."
- http://www.fema.gov/news/newsrelease.fema?id=18473