Hoax Hacking

The estimable Dan Raywood, of SC Magazine, forwarded me an interesting example of a hoax email, knowing that I have an unhealthy interest in these "electronic ephemera" as Martin Overton calls them. In fact, I have an email address (hoaxchecker@gmail.com) that I use to offer a free service to people who want information on whether a message is a hoax or not. (The advantage to me, of course, is that I get extra hoaxes to feed my addiction.)

I particularly like this one because the message starts off:

This is not a Hoax – it is listed on Hoaxslayer! 

Well, indeed it is listed: as a hoax… It's not the first example I've seen of a site like Hoax-slayer or snopes.com being used to offer spurious validation of a hoax message, but it is one of the cheekiest.

Still, I thought some people might find it useful if I went through the message and also pointed out some "anti-hoax heuristics".

IF A PERSON CALLED SIMON ASHTON ( SIMON25@HOTMAIL.CO.UK ) CONTACTS YOU THROUGH EMAIL DON'T OPEN THE MESSAGE.
DELETE IT BECAUSE HE IS A HACKER!!

This is an example of a very common hoax that we've been seeing since the last century, passing on a "warning" that it's dangerous to open mail from the named individual. Perhaps one or two of the people named in this way have actually been less than virtuous: it's more likely that if they exist at all, they've been victimized by people trying to cause them trouble.

In the hoax detection business, we sometimes talk about the tripartite hoax model of the Threat, Hook, and Request. Of course, most hoaxers don't conveniently separate the three components, so the paragraph above could be said to contain both the threat and the hook. (HE IS A HACKER!! – shock! horror! thrills! spills! hacking! arrggghhhh!!!)

Back in the 90s, most hoaxes came ALL IN CAPITALS and with too many exclamation marks!!!!! Nowadays, we see hoaxes that are a little more subtle, too. So while that heuristic evidently still holds, a message with good grammar, syntax and spelling can still be a hoax.

TELL EVERYONE ON YOUR LIST BECAUSE IF SOMEBODY ON YOUR LIST ADDS HIM THEN YOU WILL GET HIM ON YOUR LIST. HE WILL FIGURE OUT YOUR ID COMPUTER ADDRESS, SO COPY AND PASTE THIS MESSAGE TO EVERYONE EVEN IF YOU DONT CARE FOR THEM AND FAST BECAUSE IF HE HACKS THEIR EMAIL HE HACKS YOUR MAIL TOO!!!!!… 

The paragraph above makes the threat more explicit: technically, it doesn't make much sense, but it sounds worrying. It also contains the request: in computer virology terms, you might call it the replicative mechanism that persuades people to forward the message. Well, of course, that makes it a chain letter. Personally, I'm not convinced that anything really needs to be forwarded as a chain letter, but many people are. I'm not sure if many people still fall for trash like the St. Jude chain letter cited by Richard Dawkins in River Out of Eden, but they will forward questionable messages if they think that it will help others avoid a threat, or to find a missing child (unfortunately, that's also a very common hook for chain letter hoaxes).

Anyone-using Internet mail such as Yahoo, Hotmail, AOL and so on.  This information arrived this morning, Direct from both Microsoft and Norton. Please send it to everybody you know who has access to the Internet. You may receive an apparently harmless e-mail titled   'Mail Server Report'

Well, this is interesting. Suddenly our hoaxer found the Caps Lock key. Oh no, wait a minute. It's a different hoax! This is another common type of hoax, in which you're warned not to open mail with a specific subject. These are almost as old as the Internet: in the 1990s, the "Good Times" virus was a particularly well-known example.

Note that the information is supposed to be hot off the press ("arrived this morning") but there's no way of dating it. Note also the appeal to authority (Microsoft and Norton). When the prototypes for this type of hoax first appeared, Microsoft knew nothing about viruses, and the Peter Norton branding was better known than the Symantec brand that subsumed it. Now, of course, Microsoft are in the anti-malware business, so you might think that MS and Norton/Symantec should know what they're talking about. But there's no way to verify that they said anything of the sort. Some hoaxes are a lot more elaborate in this respect: for instance, they cite specific news services and sometimes even dates. However, anyone can make up a press-release date, and if you don't check it, you may never know that the release doesn't exist. And, of course, not everything that's reported in the media is true. You knew that, right? :-)

If you open either file, a message will appear on your screen saying:  'It is too late now, your life is no longer  beautiful.'

Nice. A reference to yet another hoax. In fact, the hoaxer simply copied and pasted the text from the "LIFE IS BEAUTIFUL" hoax.

Subsequently you will LOSE EVERYTHING IN YOUR PC,
And the person who sent it to you will gain access to your  name, e-mail and password.

Icky… But where did "either file" come from? Well, that information evidently didn't survive the cut and paste. But the LIFE IS BEAUTIFUL hoax commonly mentions a Powerpoint presentation called "Life is beautiful.pps" which is supposed to carry the malicious code. Unfortunately, as we've mentioned many times in other contexts, it is possible for some data files to carry executable malicious code, so while this is a hoax, you should still be careful when people send you Microsoft Office documents, PDFs and so on.

This is a new virus which started to circulate on Saturday afternoon. AOL has already confirmed the severity, and the anti virus software's are not capable of destroying it .

Yeah, yeah, yeah. Which Saturday afternoon? What do AOL know about its severity? And an undetectable, unstoppable virus? I don't think so. If AOL know about it the chances are that the AV companies already have detection for it. Except that they don't, of course, because it's not real.

The virus has been created by a hacker who calls himself  'life owner'.

Blimey. How many of these guys are there? I thought he was called Simon Ashton? (In fact, the "life owner" tag also comes from the LIFE IS BEAUTIFUL hoax.)

PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS, And ask them to
PASS IT ON IMMEDIATELY!

"Hey, sucker. Send it to every other lamer in your address book. Damn, why does this CAPS LOCK keep turning itself on and off?"

 

Nowadays, unfortunately, a lot of hoaxes are more sophisticated than this, and they cover a lot of topics other than hacking and viruses. Many of them also contain at least a grain of truth, to make it harder to distinguish between fact and fiction. But the chain letter heuristic is pretty dependable.
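The heuristics walked through above, sketched as a small triage check (an added example, not code from this post or from ESET). The regexes and the 60% capitals threshold are assumptions tuned only to the phrases quoted here; the second sample shows a calmly worded fragment still being flagged because the forwarding request is present.

```python
import re

# Indicators the article walks through. The regexes are this example's own
# assumptions, tuned only to the phrases quoted in the post.
PATTERNS = {
    "chain_request": re.compile(
        r"send (it|this|a copy)[^.!]{0,40}\bto (all|every)|tell everyone|pass it on",
        re.I),
    "appeal_to_authority": re.compile(r"\bdirect from\b|\bhas already confirmed\b", re.I),
    "undated_urgency": re.compile(
        r"\barrived this morning\b|\bstarted to circulate on \w+day\b", re.I),
    "threat_claim": re.compile(
        r"\bhe is a hacker\b|\blose everything\b|\bnot capable of destroying\b", re.I),
    "self_validation": re.compile(r"\bthis is not a hoax\b", re.I),
}

def shouting(text, min_letters=20):
    """True for mostly-capitals text or a run of two or more exclamation marks."""
    letters = [c for c in text if c.isalpha()]
    if len(letters) >= min_letters:
        if sum(c.isupper() for c in letters) / len(letters) > 0.6:
            return True
    return re.search(r"!{2,}", text) is not None

def hoax_indicators(text):
    """Return the set of indicator names that fire on the message text."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(text)}
    if shouting(text):
        hits.add("shouting")
    return hits

def looks_like_chain_hoax(text):
    """The forwarding request is the anchor; require one more indicator with it."""
    hits = hoax_indicators(text)
    return "chain_request" in hits and len(hits) >= 2

# Fragments quoted in the post (joined and shortened), plus one constructed benign message.
CAPS_FRAGMENT = ("DELETE IT BECAUSE HE IS A HACKER!! TELL EVERYONE ON YOUR LIST "
                 "BECAUSE IF SOMEBODY ON YOUR LIST ADDS HIM THEN YOU WILL GET HIM")
CALM_FRAGMENT = ("This information arrived this morning, Direct from both Microsoft "
                 "and Norton. Please send it to everybody you know who has access "
                 "to the Internet.")
BENIGN = ("Hi team, the gateway patch notes are attached. "
          "Let me know if Thursday works for the review.")  # constructed

if __name__ == "__main__":
    for msg in (CAPS_FRAGMENT, CALM_FRAGMENT, BENIGN):
        print(looks_like_chain_hoax(msg), sorted(hoax_indicators(msg)))
```

A hit is a prompt to check the claim against the vendor's own site or a hoax-tracking site, not a verdict: plenty of legitimate mail asks to be passed on, and a hoax reworded past these patterns will not fire them.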

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Author David Harley, ESET

  • Peter Mayhew

    Thank you for this comprehensive blog on hoax mail.

    I’m so tired of receiving mails from “friends” who send me this type of Hoax mail. I do not want to take the time to respond saying it is a hoax as it takes up mine and their time which I guess is all part of the hoaxers “GAME” (sorry Caps Lock got through!!!)

    I think we should send your blog to everybody on our address books but that would just add to the email traffic and could be considered a hoax mail… Can’t win.

  • Thanks, Peter.

    It’s a terrible thing, an out-of-control Caps Lock. :)

Copyright © 2016 ESET, All Rights Reserved.