Secureworks® Counter Threat Unit™ (CTU) researchers are investigating websites that target people seeking information about recently deceased individuals. Scammers monitor Google search trends to identify heightened interest in obituaries, especially during the initial hours or days following a death. They fill the information void with mock obituaries hosted on funeral or memorial-themed websites. The threat actors then manipulate Google search results via SEO poisoning to achieve a high ranking for their sites, leading visitors to web pages that push adware and potentially unwanted programs (PUPs), or direct visitors through other clickbait revenue-generating schemes.
The fake memorial websites are a subcategory of bereavement scams, which have been on the rise for years. Similar online schemes include YouTube videos in which a scammer reads an obituary notice, likely to earn income for each view.
CTU™ analysis of a February 2024 obituary suggests that generative artificial intelligence (AI) technology was used to create a lengthy tribute from facts gleaned from a shorter text posted to a social media account. The obituary appeared on six sites within 48 hours of the death, each version using slightly different verbiage but all containing the same details shared in the original social media post. The use of AI by "obituary pirates" has mixed results, with some notices containing obvious errors, inaccuracies, or fabrications.
CTU researchers identified numerous domains and websites that host fake obituaries and other recirculated news stories. Visitors to these sites are redirected to e-dating or adult entertainment websites or are immediately presented with CAPTCHA prompts that install web push notifications or popup ads when clicked (see Figure 1). The notifications display false virus alert warnings from well-known antivirus applications like McAfee and Windows Defender, and they persist in the browser even if the victim clicks one of the buttons. The buttons link to legitimate landing pages for subscription-based antivirus software programs, and an affiliate ID embedded in the hyperlink rewards threat actors for new subscriptions or renewals.
Figure 1. Web push notifications issuing false virus infection warnings. (Source: Secureworks)
Although CTU researchers did not observe evidence that the analyzed sites deployed malware, it is possible that threat actors with different motivations could repurpose this scheme to deliver infostealers or other malicious programs. Financially motivated threat groups such as GOLD ZODIAC successfully employ SEO manipulation to direct victims to infected WordPress sites that deliver GootLoader malware.
Fraudsters and opportunists often prey upon emotional vulnerabilities. The abuse of emerging AI technology and weaknesses in popular search engines, combined with social engineering techniques, contribute to the success of these schemes. CTU researchers recommend that organizations educate employees about these threats and implement an extended detection and response (XDR) solution such as Secureworks Taegis™ XDR to detect potentially malicious websites and unauthorized software installation. Individuals should use caution when navigating to unknown websites.
To mitigate exposure to this threat, CTU researchers recommend that organizations use available controls to review and restrict access to the known scam sites listed in Table 1. The domains may contain malicious content, so consider the risks before opening them in a browser. This list represents a sample of the websites used in these schemes, and others may emerge in the future.
Indicator | Type | Context |
---|---|---|
nextdoorfuneralhomes.com | Domain name | Obituary scam site |
memorialinfoblog.com | Domain name | Obituary scam site |
obituaryway.com | Domain name | Obituary scam site |
obitsmemorialhomes.com | Domain name | Obituary scam site |
funeralinfotime.com | Domain name | Obituary scam site |
obituaryinfotimes.com | Domain name | Obituary scam site |
Table 1. Indicators for this threat.
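
The check below is an added example, not part of the original Secureworks post: it matches proxy or DNS log entries against the Table 1 domains, including their subdomains, without flagging lookalike names that merely end in the same characters. The log format (timestamp, client, URL or host) and the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit

# Domains listed in Table 1 of this page.
SCAM_DOMAINS = frozenset({
    "nextdoorfuneralhomes.com", "memorialinfoblog.com", "obituaryway.com",
    "obitsmemorialhomes.com", "funeralinfotime.com", "obituaryinfotimes.com",
})

def normalize_host(value):
    """Return the lowercase hostname from a URL or bare host[:port], or ''."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse bare hosts and host:port
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:  # e.g. malformed IPv6 literal in the log field
        return ""
    return host.rstrip(".").lower()  # drop the trailing dot of a rooted FQDN

def matched_indicator(value):
    """Return the Table 1 domain the host equals or is a subdomain of."""
    labels = normalize_host(value).split(".")
    # Compare label-aligned suffixes only, so 'notobituaryway.com' is not a hit.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SCAM_DOMAINS:
            return candidate
    return None

def scan(lines, url_field=2):
    """Yield (timestamp, client, indicator) for log lines that hit the list."""
    for line in lines:
        fields = line.split()
        if len(fields) <= url_field:
            continue  # skip malformed or truncated records
        hit = matched_indicator(fields[url_field])
        if hit:
            yield fields[0], fields[1], hit

# Constructed sample log lines (assumed format: timestamp client url-or-host).
SAMPLE_LOG = [
    "2024-02-12T09:14:03Z 10.0.4.17 https://obituaryway.com/some-name-obituary",
    "2024-02-12T09:14:09Z 10.0.4.17 http://WWW.FuneralInfoTime.com./post?id=1",
    "2024-02-12T09:15:41Z 10.0.7.52 https://notobituaryway.com/",
    "2024-02-12T09:16:02Z 10.0.7.52 cdn.memorialinfoblog.com:443",
    "2024-02-12T09:16:30Z truncated-record",
]
```

Calling `list(scan(SAMPLE_LOG))` returns three hits; the lookalike host and the truncated record are ignored.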
Learn more about the dangers of SEO poisoning and infostealers in the 2023 State of the Threat report and The Growing Threat from Infostealers. If you need urgent assistance with an incident, contact the Secureworks Incident Response team.