Tuesday, May 30, 2023
HomeCyber SecurityScammers are Exploiting Ukraine Donations

Scammers are Exploiting Ukraine Donations

Authored by Vallabh Chole and Oliver Devane

Scammers are very fast at reacting to present occasions, to allow them to generate ill-gotten beneficial properties. It comes as no shock that they exploited the present occasions in Ukraine, and when the Ukrainian Twitter account tweeted Bitcoin and Ethereum pockets addresses for donations we knew that scammers would use this as a lure for his or her victims.

This weblog covers among the malicious websites and emails McAfee has noticed up to now few weeks.

Crypto pockets donation scams

A crypto donation rip-off happens when perpetrators create phishing web sites and emails that comprise cryptocurrency wallets asking for donations. We’ve noticed a number of new domains being created which carry out this malicious exercise, akin to ukrainehelp[.]world and ukrainethereum[.]com.


Under is a screenshot of Ukrainehelp[.]world, which is a phishing website asking for crypto donations for UNICEF. The web site accommodates the BBC brand and several other crypto pockets addresses.

Whereas investigating this website, we noticed that the Ethereum pockets used use was additionally related to an older crypto rip-off website referred to as eth-event20.com. The picture under reveals the present worth of the crypto pockets which is price $114,000. Curiously this pockets transfers all its cash to 0xc95eb2aa75260781627e7171c679a490e2240070 which in flip transfers to 0x45fb09468b17d14d2b9952bc9dcb39ee7359e64d. The ultimate pockets at the moment has 313 ETH which is price over $850,000. This reveals the massive sums of cash scammers can generate with phishing websites.


Ukrainethereum[.]com is one other crypto rip-off website, however what makes this one fascinating is the options it accommodates to realize the sufferer’s confidence in trusting the web site akin to a pretend chatbox and a pretend donation verifier.

Pretend Chat

The picture above reveals the chatbox on the left-hand aspect which shows a number of messages. At first look, it might seem as if different customers are on the web site and speaking, however if you reload the positioning it reveals the identical messages. That is as a result of chat messages being displayed from an inventory that’s used to populate the web site with JavaScript code as proven on the right-hand aspect.  

Pretend Donation Verifier 

The location accommodates a donation checker so the sufferer can see if their donation was obtained, as proven under. 


  1. The primary picture on left reveals the verification field for donation to examine whether it is accomplished or not 
  2. Upon clicking ‘Examine’ the sufferer is proven a message to say the donation was obtained.  
  3. What happens, is upon clicking ‘Examine’ the JavaScript code adjustments the web site code in order that it shows the ‘Thanks!’ message, and no precise examine is carried out. 

Phishing Electronic mail 

The next picture reveals one of many examples of phish emails we have now noticed. 

The e-mail isn’t addressed to anybody particularly as they’re mass-mailed to a number of e-mail addresses. The pockets IDs within the e-mail should not related to the official Ukraine Twitter and are owned by scammers. As you possibly can see within the picture above, they’re related as the primary 3 characters are the identical. This might result in some customers believing it’s official. Due to this fact, it’s necessary to examine that the pockets tackle is an identical.  

Credit score Card Data Stealer 

That is the commonest kind of phishing web site. The objective of those websites it entices the sufferer into getting into their bank card and personally identifiable info (PII) knowledge by making them consider that the positioning being visited is official. This part accommodates particulars on one such web site we have now discovered utilizing Ukraine donations as a lure.  


The picture under reveals the phishing website. The web site was used to avoid wasting the kids’s NGO hyperlinks and pictures, which made it seem extra real. You possibly can see that’s it asking the sufferer to enter their bank card and billing info.  

As soon as the information is entered, and the sufferer clicks on ‘Donate’, the knowledge will likely be submitted through the shape and will likely be despatched to scammers to allow them to then use or promote the knowledge. 

We noticed that a couple of days after the web site was created, the scammers change the positioning code in order that it grew to become a Mcdonald’s phishing website focusing on the Arab Emirates. This was a shocking change in techniques. 

The heatmap under reveals the detections McAfee has noticed around the globe for the malicious websites talked about on this weblog. 


Learn how to determine a phishing e-mail? 

  • Search for the area from the place you obtained mail, attackers masquerade it. 
  • Use McAfee Net Advisor as this prevents you from accessing malicious websites 
  • If McAfee Net Advisor isn’t used, hyperlinks will be manually checked at https://trustedsource.org/. 
  • Carry out a Net Search of any crypto pockets addresses. If the search returns no or a low variety of hits it’s possible fraudulent. 
  • Examine for poor grammar and suspicious logos  
  • For extra detailed recommendation please go to McAfee’s Learn how to acknowledge and defend your self from phishing web page 

Learn how to determine phishing web sites? 

  • Use McAfee Net Advisor as this prevents you from accessing malicious websites 
  • Take a look at the URL of the web site which you’re visiting and ensure it’s right. Search for alterations akin to logln-paypal.com as an alternative of login.paypal.com 
  • In case you are not sure that the web site is official. Carry out a Net search of the URL. You’ll discover many outcomes If they’re real. If the search returns no or a low variety of hits it’s possible fraudulent 
  • Hyperlinks and website addresses that don’t match the sender – Hover your mouse over the hyperlink or call-to-action button within the e-mail. Is the tackle shortened or is it completely different from what you’ll anticipate from the sender? It could be a spoofed tackle from the 
  • Confirm if the URL and Title of the web page match. Reminiscent of the web site, razonforukraine[.]com with a title studying “McDonald’s Supply” 

For normal cyber rip-off, schooling click on right here

McAfee prospects are protected in opposition to the malicious websites detailed on this weblog as they’re blocked with McAfee Net Advisor 


Sort  Worth  Product  Detected 
URL – Phishing Websites   ukrainehelp[.]world  McAfee WebAdvisor   Blocked 
URL – Phishing Websites   ukrainethereum[.]com  McAfee WebAdvisor   Blocked 
URL – Phishing Websites   unitedhelpukraine[.]kiev[.]ua/  McAfee WebAdvisor   Blocked 
URL – Phishing Websites   donationukraine[.]io/donate  McAfee WebAdvisor   Blocked 
URL – Phishing Websites   help-ukraine-compaign[.]com/store  McAfee WebAdvisor   Blocked 
URL – Phishing Websites   ukrainebitcoin[.]on-line/  McAfee WebAdvisor   Blocked 
URL – Phishing Websites   ukrainedonation[.]org/donate  McAfee WebAdvisor   Blocked 
URL – Phishing Websites   ukrainewar[.]help  McAfee WebAdvisor   Blocked 
URL – Phishing Websites   sendhelptoukraine[.]com  McAfee WebAdvisor   Blocked 
URL – Phishing Websites   worldsupportukraine[.]com  McAfee WebAdvisor   Blocked 
URL – Phishing Websites   paytoukraine[.]area  McAfee WebAdvisor   Blocked 
URL – Phishing Websites   razonforukraine[.]com  McAfee WebAdvisor   Blocked 




Please enter your comment!
Please enter your name here

Most Popular

Recent Comments