In a world where nothing seems to be constant but change, it’s good to know that there are, in fact, some things that change fairly slowly. Unfortunately, readiness to believe and spread hoaxes is one of them. Even worse, they’re often the same hoaxes that were being spread years and even decades ago. Here’s a hoax message – actually two hoaxes shoehorned into the same message – that was passed on to me last month. (Apologies if you’ve already seen a shorter version of this article in the January ThreatSense Report, but I thought it was about time we had another hoax article on the ThreatBlog.)
It goes back well over a decade: my wife (who received it from a well-meaning friend) and I are both pretty sure we saw hoaxes very much like this in the 1990s.
(If you’re wondering how my wife suddenly turns out to be a hoax expert, it’s because she and I actually worked together on security-related incidents for the UK’s National Health Service even before we met. If you want the story of how I embarrassed her by sending a red rose to her office one Valentine’s Day, you’ll have to wait for my memoirs.)
While this version was received by email, the same or similar hoaxes are also spread via social media, especially Facebook. By the way, I’ve cleaned up the hoax text just a little, mostly to remove a plethora of redundant space characters and the occasional typo. Once an editor, always an editor.
URGENT – PLEASE READ – NOT A JOKE
Well, it’s certainly not funny. (Especially if your name happens to be Simon Ashton.) Perhaps the number of hoaxes passed on with assurances that “this is not a joke” or “this is real”, do at least indicate that people are a little more sceptical than they used to be, though. Ever the optimist…
IF A PERSON CALLED SIMON ASHTON (SIMON25@HOTMAIL.CO.UK) CONTACTS YOU THROUGH EMAIL DON’T OPEN THE MESSAGE. DELETE IT BECAUSE HE IS A HACKER!!
[In fact, this message has been spread using a variety of names for the ‘hacker’ over the years: recent versions name, for example, Christopher Butterfield, Tanner Dwyer, Stefania Colac or Alejando Spiljner. (Apologies to anyone who really does have one of those names: I’m sure you’re a warm and wonderful person who wouldn’t dream of hacking Often, it’s claimed that the alleged hacker will contact you with a friend request, which gives it an extra air of authority when spread by Facebook. In those instances, however, you’re less likely to encounter the next paragraph, which is email-specific, in a muddled and seriously unconvincing sort of way.
TELL EVERYONE ON YOUR LIST BECAUSE IF SOMEBODY ON YOUR LIST ADDS HIM THEN YOU WILL GET HIM ON YOUR LIST. HE WILL FIGURE OUT YOUR ID COMPUTER ADDRESS, SO COPY AND PASTE THIS MESSAGE TO EVERYONE EVEN IF YOU DON’T CARE FOR THEM AND FAST BECAUSE IF HE HACKS THEIR EMAIL HE HACKS YOUR MAIL TOO!!!!!……
Unfortunately, what looks like fantasy to a messaging or security guru may be all too convincing to someone without a tech background. And just to be on the (un)safe side, the hoaxer, like so many hoaxers, scammers, and other undesirables, introduces an element of urgency so that you don’t have too much time to think about it: the threat that if you don’t act quickly, Something Awful will happen.
And at this point we get an abrupt change of focus topic, though it isn’t flagged as such. Still, the fact that the message suddenly stops being all capitals is a bit of a giveaway. Excessive capitalization, by the way, is often a feature of hoax messages, no doubt in order to impress upon us how SERIOUS AND TRUE the message is.
Anyone-using Internet mail such as Yahoo, Hotmail, AOL and so on.. This information arrived this morning, Direct from both Microsoft and Norton. Please send it to everybody you know who has access to the Internet. You may receive an apparently harmless e-mail titled ‘Mail Server Report’
Where to start on debunking this? Well, the fact that this targets everyone who uses Internet email and everyone who has Internet access should tell you something about the sender’s motivation, and I don’t mean sheer altruism.
Hoaxes are the last refuge of the old-school hobbyist virus writer: unlike today’s criminal gangs, the first generations of malware authors rarely had any idea of making a profit out of viruses. They were more concerned with trying to demonstrate to their peers and the AV industry what great programmers they were. (Actually, you’d be amazed at how many badly written viruses have passed through our labs, not a few of which had their moment in the sun nevertheless.) While some malware was deliberately damaging (and quite a lot was damaging because it was poorly coded), virus writers were often content to see their creations spread far and wide. Hoaxers have somewhat similar motivation: they prove to themselves how clever they are by making other people look (and feel) stupid, and they don’t even have to do any programming. And the measure of their success is the volume of people they manage to convince. It’s scamming, but the motive is bolstering their self-image, not profit.
But back to this particular hoax. (Or meanwhile, back at the plot, as Kenneth Horne used to say.)
Back when I first saw this message (or something very close), the idea that a message from Microsoft was likely to be an authoritative indicator of importance in terms of security was less convincing, but since then Microsoft has been born again as both more security-conscious and a security vendor in its own right, so I guess that bit has actually gained (spurious) authority. Microsoft may have credibility as a source of security information, but as Lincoln said, “The thing about quotes on the internet is that you cannot confirm their validity.”
The assertion that ‘This information arrived this morning’ is something of a giveaway in itself. Hoaxes are notoriously vague about exact dates and, in fact, any information that might help you locate authentic information (corroborative or otherwise). The weakness of this approach is that if the recipient actually notices that the message has been forwarded many times to many people, he might actually start thinking about which morning that might have been, and look for more information. However, the impressive list of previous recipients on this particular email strongly suggests that plenty of people don’t take that extra conceptual step.
This hoax is a variation on the ‘Life is beautiful’ hoax, which claimed that the message would include a malicious file masquerading as a Powerpoint presentation called Life is beautiful.pps. (In itself just one of a long line of hoaxes that tell you not to open a file with a specific name, or an email with a specific subject line.)
As it happens, there was a possibility long ago that a malicious file would arrive with a specific and identifiable filename. Well, I suppose it’s still possible, but the authors of real malware learned long ago that there are all too many ways to vary the name of a malicious file spammed out with email, so it’s not very likely. In this case, though, the hoax somehow got tangled up with real (but long gone) variants of the Win32/Warezov mass-mailer that arrived in an email claiming to be a ‘Mail Server Report’. Sometimes, though not in this case, the hoax picks up an additional ‘verified by Snopes’ message, based on the fact that Snopes – a well-known reference source for information on hoaxes, urban legends and such – listed the real Warezov malware as true.
If you open either file, a message will appear on your screen saying: ‘It is too late now, your life is no longer beautiful.’
As you might guess, that’s a hangover from the Life is Beautiful version.
Subsequently you will LOSE EVERYTHING IN YOUR PC,
And the person who sent it to you will gain access to your name, e-mail and password.
The usual drivel. (Though not as alarming as those viruses that are supposed to eat the magnetic coating of your hard drive, blow up your PC or set fire to your mouse mat. OK, I made that last one up.) Well, trashing of your PC or theft of your credentials certainly might happen to you as a result of malware, but not the fictitious malware described in the message.
This is a new virus which started to circulate on Saturday afternoon.. AOL has already confirmed the severity, and the anti virus software’s are not capable of destroying it ..
Gosh. This must be some serious virus. Not only has it turned Saturday into the day before Friday (or perhaps it was circulating for a week before anyone noticed their system had been trashed) , but AV is incapable of defeating it. I know that the likes of Imperva are still constantly claiming we can’t detect malware we haven’t seen, but even they don’t usually go so far as to claim that we can’t remove malware we know about. And I’m not sure how anyone can know so much about the timeline of a virus that destroys every system it touches.
AOL? Well, I guess that’s an indication of how old the hoax is, going back to the days when the newsagents were perpetually tripping over AOL diskettes and CDs that had fallen off computer magazines, and hoaxes were constantly citing AOL and Microsoft in order to make themselves seem more ‘authentic’ and scary.
Complete with extra period character to give it more weight. Or at any rate, so as to make the line a little longer. This line is another hangover from ‘Life is beautiful’.
Hark! There’s the tinkling sound of another angel getting his wings! Oh, sorry: I’m just getting confused between fact, fiction and Frank Capra movies.
(I don’t think that Goldelse, who resides on top of the Victory Column in Berlin, is really an angel, but according to Wings of Desire, the 1987 film by Wim Wenders – and a personal favourite – she is a gathering point for angels.)
Some papers you might find useful:
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Author David Harley, ESET