Venezuela Aid Live -- Typosquatting Domains surrounding Venezuela Aid

Due to political and economic turbulences, Venezuela is getting a lot of public attention recently. While working with my students on methods to identify typosquatting domains, we found likely spoofed websites that attempt to mislead donations intended for Venezuelan charity.

The concert

On 22 February 2019, Venezuela Aid Live, a charity concert, took place near the Tienditas bridge connecting Venezuela and Colombia. The concert organizers intended to raise donations for aid goods and general awareness for the deteriorating conditions within Venezuela. In addition, the concert was accompanied by interim president Juan Guaidó’s demand to open the borders to allow goods getting into the country.

One way to raise money was through website donations at venezuelaaidlive.com which live streamed the concert. While Richard Branson, one of the organizers, projected to raise 100 million dollars in 60 days, the total amount of donations collected so far is unknown.

The benign domain venezuelaaidlive.com was registered 14 February 2019, the same day of the official concert announcement. As shown in the urlscan screenshot below, the Amazon Web Services hosted domain serves a website featuring a livestream and a donation form.

The lookalikes

While working on domain name similarity methods, one of my students (@jhfrintrop) pointed me to venezuelaidalive.com, a similar domain name hosting a lookalike website of the benign concert website.

venezuelaaidlive.com    # benign
venezuelaidalive.com    # similar, misspelled
         ^^^

At first sight, both sites appear to host the same content. However, a closer look reveals that the donation button points to a PayPal transfer form with the recipient being venezuela@venezuelaidalive.com. The corresponding DOM element is no longer in the current site, but it can be observed in the urlscan.io DOM:

...
<h1>
  <span>Please join the cause now. <strong>Every dollar counts</strong></span>
  <button>
    <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_donations&amp;business=venezuela%40venezuelaidalive.com&amp;currency_code=USD&amp;source=url">
      DONATE FOR VENEZUELA</a>
  </button></h1>
...

The above snippet was recorded in a scan that our method triggered automatically on 24 February 2019, roughly when first noticing the typosquatting domain. The benign site was not observed to include such a PayPal donation mechanism, see e.g. in a benign site scan from 26 February 2019.

The domain venezuelaidalive.com was first registered 22 February 2019, one day before the concert, with registrant information being privacy-protected using Domains By Proxy, LLC. It has resolved to IP address 66.96.147.144.

On 26 February 2019, visitors were intermittently redirected to the benign site as captured in this urlscan.io: venezuelaidalive.com -> venezuelaaidlive.com. A few hours later, a redirect to yet another domain was installed: venezuelaidalive.com -> venezuelaadlive.com captured here. The redirect uses an HTML meta tag:

<HTML><HEAD><META HTTP-EQUIV=Refresh CONTENT="0; url=http://www.venezuelaadlive.com"></HEAD></HTML>

Again, the site at venezuelaadlive.com shows a lookalike to the benign site, and it is hosted on the same IP address (66.96.147.144) as the previously identified misspelled domain venezuelaidalive.com. It was registered recently (27 February 2019) and is also privacy protected via Domains By Proxy, LLC. In contrast to the benign site, clicking the donation button leads to a PayPal donation form.

The donation form only contains a receiver name (Venezuela live), but it is unclear if this is associated with the official organizers. Given that the benign page apparently does not leverage PayPal in the same way, it is possibly fraudulent activity.

The misspelled domain has been distributed, for example in this informe21 article, a Caracas-based online news outlet.

Finally, I’d like to highlight the value of services such as urlscan.io when researching web activities. Being able to inspect HTTP transactions and the DOM makes it a powerful tool. The recorded scans also serve as references for analyses like the above.

Avatar
Christian J. Dietrich
Professor of Computer Security