As the Win32/Waledac nuisance continues to escalate, it’s good to know that there are some certainties in a changing world. One, unfortunately, is that people will continue to fall for hoaxes and chain letters.
Much to my surprise, one of my mailboxes has just been visited by an old friend, a hoax that has been around at least since the late 1990s. Not that hoaxes surprise me in themselves, but because it appeared to have been sent to quite a few people in the anti-malware business. I’m not sure what that tells us…
You can find a writeup on a very similar version of the Microsoft/AOL hoax here at http://www.snopes.com, but the basic story is that Microsoft and AOL will pay you ridiculously large sums for forwarding a chain letter, since they are, we’re told, beta testing an email tracking system which will, in some way that isn’t explained, help to ensure that Internet Explorer remains the most used web browser.
Looking at the paragraph above, it’s hard to imagine that anyone needs to read this blog any further, since the proposition is so ridiculous. Not many companies get so large by giving money away to people to do something so obviously useless. However, the mail I received suggests that many hundreds of people received the same instance of the letter I received. (Of course, I imagine that the number of people who’ve received some variation of this letter over the years runs into many, many millions.) But perhaps we can learn something from the particular social engineering tricks used here.
Quite a few of the recipients of this silliness have made some response along the lines of "I’m not sure I believe this, but it must be worth a shot."
Well, I guess forwarding one email on the off chance of a $24,000 check doesn’t seem a big deal. The individual isn’t usually aware of the high volume of similar rubbish wasting the time of overworked mail and security administrators, and may not be concerned that somewhere behind each of these there’s some pathetic little hoaxer laughing up his sleeve. It’s not as though by forwarding one of these you’re likely to get stung by a 419 scammer demanding money in advance so that he can send you a few million dollars.
Except, of course, that people who are naive enough to fall for one of these are also likely to fall for financially dangerous scams. And everyone who forwards these things is encouraging a culture of reckless ignorance of the risks of assuming that everyone on the Internet is (1) who they say they are and (2) automatically trustworthy.
Why do people who are quite rational and careful off-line suddenly turn into con victims when they log in to email, believing that hard-headed businessmen are going to give them something for nothing?
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET