Cyber Alert: Cyber Threat Actors Expected to Leverage Hurricane Harvey

Date Issued: August 30, 2017

Cyber threat actors (CTA) leverage public interest during natural disasters and other high profile events in order to conduct financial fraud and disseminate malware. Most recently, Hurricane Harvey is propelling the emergence of new and recycled scams involving financial fraud and malware.

Malicious actors are active in posting links to fake charities and fraudulent websites that solicit donations for victims of the hurricane or deliver malware. The MS-ISAC observed similar scams and malware dissemination campaigns in response to previous high profile events including the Boston Marathon bombing, Hurricane Sandy, and the Tennessee wildfires. It is highly likely that more scams and malware will follow over the course of the recovery period, so Internet users need to exercise caution before opening related emails, clicking links, visiting websites, or making donations to Hurricane Harvey relief efforts.

The MS-ISAC observed the registration of more than 500 domain names associated with Hurricane Harvey during the past week. The majority of these new domains include a combination of the words “help,” “relief,” “victims,” “recover,”“claims”, “donate,”or “lawsuits.”
Most of the domains were registered in the days following Harvey’s landfall and appear to be currently under development. However, as a few appear malicious and the domains themselves appear suspect, these domains should be viewed with caution. More domain registrations related to Hurricane Harvey are likely to follow

The potential of misinformation during times of disaster is high and users should verify information before reacting to posts seen on social media. Malicious actors are also using social media to post false information or links to malicious websites. Some of these posts may go viral, as did the one below. In this example, the number provided for the National Guard is incorrect and when dialed, connects to an insurance company. The insurance company corrects the misinformation and instructs the caller to contact 9-1-1.


It is likely that CTAs will also capitalize on this disaster to send phishing emails with links to malicious websites advertising relevant information, pictures, and videos, but contain phishing web pages or malware. Other phishing emails will likely contain links to, or attachments with, embedded malware. Victims who click on links or open malicious attachments risk compromising their computer to malicious actors.

User Recommendations

The MS-ISAC recommends that users adhere to the following guidelines when reacting to high profile events, including news associated with Hurricane Harvey, and solicitations for donations:

Technical Recommendations

The MS-ISAC recommends that technical administrators adhere to the following guidelines when reacting to high profile events, including news associated with Hurricane Harvey, and solicitations for donations:

  • Warn users of the threats associated with scams, phishing, and malware associated with high profile events.
  • Implement filters at your email gateway to filter out emails with known phishing attempt indicators and block suspicious IPs at your firewall.
  • Flag emails from external sources with a warning banner.

Users should exercise extreme caution when responding to individual pleas for financial assistance such as those posted on social media, crowd funding websites, or in an email, even if it appears to originate from a trusted source. When making donations, users should consult the Texas Voluntary Organizations Active in Disaster website for a list of vetted disaster relief organizations at the National Voluntary Organizations Active in Disaster website at

  • Be cautious of emails or websites that claim to provide information, pictures, and videos.’
  • Do not open unsolicited (spam) emails or click on the links or attachments in those emails.
  • Never reveal personal or financial information in an email or to an untrusted website.
  • Do not go to an untrusted or unfamiliar website to view the event or information regarding it.
  • Malicious websites often imitate a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs .org).

The information provided above is intended to increase the security awareness of an organization’s end users and to help them behave in a more secure manner within their work environment. Organizations have permission and are encouraged to brand and redistribute this advisory in whole for educational, non-commercial purposes. For more information regarding potential cyber threats please visit the Center for Internet Security website at