Charitable Donations on Your Behalf  
Posted by Gunter Ollmann on September 20, 2007 at 6:24 PM EDT.

A colleague in the UK pointed me to an interesting news story concerning fraudulent donations that have been made to CastleCops (a volunteer security community seeking to make the Internet a safer place).  The story comments on a blog posting by Robin Laudanski that details how certain miscreants are probably trying to discredit what CastleCops and its volunteers do.

Basically, someone (it may even be a group of people) is using multiple stolen credit card identities to donate money via PayPal to fund the organization.  The supposed purpose of this action by the fraudsters is an attempt to discredit CastleCops – who have also been the target of various types of Internet attacks for quite some time (in fact they are currently combating targeted DDoS attacks).

If their purpose was to discredit the organization in this way, then they appear to have been rather naïve.  Perhaps, more importantly, they have unintentionally indicated their level of maturity and understanding of how people really perceive this threat.  I believe that the net result of their actions has been to strengthen outsiders' perception of CastleCops, and to publicly validate that more work needs to be done to make the Internet a safer place.

I’d say that there is also a high probability that the people who had their identities stolen and accounts fraudulently used to donate via PayPal, instead of being angry at CastleCops and directing their displeasure at them, will instead be more likely to recognize them as being a benefit (and perhaps donate for real in the future).

Charity Validation

As I explained to my UK colleague though, the fraudulent use of credit card details at donation sites is pretty common.  In fact, during major charity launches (particularly telethons), charity organizations become the preferred target for thousands of small donation attacks from around the world.

Why? Picture yourself as someone who has just purchased/stolen/found a list of 10,000 credit card details.  Many of these cards have probably been cancelled, or are old and contain out-of-date information.  How do you quickly find out which card details still work?  You find a website that accepts Internet payments and then cycle through all your cards, noting which ones produce successful transactions.

The problem is that, to cycle through 10,000 cards, you want to do it quickly.  Most online transaction sites can take tens of seconds to complete each transaction – even for small denominations – and you have to go through the bother of dealing with shopping carts and inventory lookups.

Not so for big charity sites.  For major telethons, online donation systems are specifically built and optimized to complete hundreds of card transactions per second (they’re designed to cope with millions of TV viewers suddenly responding to the host's plea - “we need another $200,000 in donations within the next 20 minutes if you want to see George Bush eat a motorcycle!”), and don’t require shopping carts etc.

In addition, they’re designed to accept small and arbitrary monetary amounts.  And, to top it all off, with thousands of other legitimate transactions happening at the same time, who’s really going to notice someone cycling through 10,000 cards over the next hour or two?
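The "who's really going to notice" question above is answered on the merchant side by a velocity check: a single source trying many distinct cards for small, uniform amounts with a high decline rate looks nothing like a real donor, even in the middle of a telethon. The following Python detector is an added illustration, not code from this post or from any charity's payment system; the log format, the field names, the thresholds and the sample log lines are all constructed for the example.

```python
"""Card-testing detector for a donation endpoint (added example, not from the post).

Flags a source that, inside a sliding time window, submits many distinct cards,
all for small amounts, with a high share of declines. The log format, the
thresholds and the sample data below are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample gateway log, one attempt per line:
#   <ISO timestamp> <source IP> <masked card> <amount> <APPROVED|DECLINED>
# 203.0.113.7 cycles eight different cards at $5 each; the other two sources
# behave like ordinary donors (one retries the same card, one gives once).
SAMPLE_LOG = """\
2007-09-20T18:00:01 203.0.113.7 4111****1111 5.00 DECLINED
2007-09-20T18:00:02 203.0.113.7 5500****2222 5.00 DECLINED
2007-09-20T18:00:03 203.0.113.7 4000****3333 5.00 APPROVED
2007-09-20T18:00:04 203.0.113.7 3700****4444 5.00 DECLINED
2007-09-20T18:00:05 203.0.113.7 6011****5555 5.00 DECLINED
2007-09-20T18:00:06 203.0.113.7 4111****6666 5.00 APPROVED
2007-09-20T18:00:07 203.0.113.7 5500****7777 5.00 DECLINED
2007-09-20T18:00:08 203.0.113.7 4000****8888 5.00 DECLINED
2007-09-20T18:00:15 198.51.100.9 4111****9999 25.00 APPROVED
2007-09-20T18:02:40 198.51.100.9 4111****9999 25.00 APPROVED
2007-09-20T18:05:10 192.0.2.44 5500****1212 100.00 APPROVED
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    source: str
    card: str        # masked PAN exactly as the gateway logs it; never the full number
    amount: float
    approved: bool


def parse_log(text):
    """Parse the constructed log format into Attempt records, oldest first."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, source, card, amount, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), source, card,
                                float(amount), result == "APPROVED"))
    attempts.sort(key=lambda a: a.ts)
    return attempts


def detect_card_testing(attempts, window_seconds=120, min_attempts=6,
                        min_distinct_cards=5, min_decline_ratio=0.4,
                        small_amount=10.0):
    """Return {source: details} for sources whose recent attempts look like card testing.

    All thresholds are illustrative assumptions; tune them against real traffic.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source attempts still inside the window
    flagged = {}
    for a in attempts:
        q = recent[a.source]
        q.append(a)
        while q and a.ts - q[0].ts > window:   # evict attempts older than the window
            q.popleft()
        n = len(q)
        distinct = {x.card for x in q}
        declines = sum(1 for x in q if not x.approved)
        small = sum(1 for x in q if x.amount <= small_amount)
        if (n >= min_attempts and len(distinct) >= min_distinct_cards
                and declines / n >= min_decline_ratio and small == n):
            info = flagged.setdefault(a.source, {"first_flagged": a.ts.isoformat(),
                                                 "validated_cards": set()})
            info.update(attempts=n, distinct_cards=len(distinct),
                        decline_ratio=round(declines / n, 2))
            # Approved cards are the ones the tester now knows are live: these are
            # what the merchant should report to its acquirer so they can be blocked.
            info["validated_cards"].update(x.card for x in q if x.approved)
    return flagged


if __name__ == "__main__":
    for source, details in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(source, details)
```

Grouping by source address is the simplest key and is what the sample uses; a real deployment would also group by session or account identifier, and would feed the approved cards back to the acquirer rather than just logging them. The legitimate donor retrying the same card twice is deliberately not flagged, because the distinct-card count stays at one.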

Consequently, keeping track of when major charity events are happening is important to the identity traders and you’ll often see exchanges about upcoming major telethon events (regardless of country) in private IRC channels.

So, with that said, don’t be surprised in the future if the first time you notice a small fraudulent transaction on your credit card it happens to be associated with a charity.

    Copyright 2001-2007 © Gunter Ollmann