Its simple, Rule No. 1 Don't pass the mails to everyone in your address book... Why? I hear you say, Read on...
What Are Internet Hoaxes and Chain Letters?
Internet hoaxes and chain letters are e-mail messages written with one
purpose; to be sent to everyone you know. The messages they contain are
usually untrue. A few of the sympathy messages do describe a real
situation but that situation was resolved years ago so the message is
not valid and has not been valid for many years. Hoax messages try to
get you to pass them on to everyone you know using several different
methods of social engineering. Most of the hoax messages play on your
need to help other people. Who wouldn't want to warn their friends
about some terrible virus that is destroying people's systems? Or, how
could you not want to help this poor little girl who is about to die
from cancer? It is hard to say no to these messages when you first see
them, though after a few thousand have passed through your mail box you
(hopefully) delete them without even looking.
Chain letters are lumped in with the hoax messages because they have
the same purpose as the hoax messages but use a slightly different
method of coercing you into passing them on to everyone you know.
Chain letters, like their printed ancestors, generally offer luck or
money if you send them on. They play on your fear of bad luck and the
realization that it is almost trivial for you to send them on. The
chain letters that deal in money play on people's greed and are illegal
no matter what they say in the letter.
The Risk and Cost of Hoaxes
The cost and risk associated with hoaxes may not seem to be that high,
and isn't when you consider the cost of handling one hoax on one
machine. However, if you consider everyone that receives a hoax, that
small cost gets multiplied into some pretty significant costs. For
example, if everyone on the Internet were to receive one hoax message
and spend one minute reading and discarding it, the cost would be
something like:
50,000,000 people * 1/60 hour * £50/hour = £41.7 million
Most people have seen far more than one hoax message and many people
cost a business far more than £50 per hour when you add in benefits and
overhead. The result is not a small number.
Probably the biggest risk for hoax messages is their ability to
multiply. Most people send on the hoax messages to everyone in their
address books but consider if they only sent them on to 10 people. The
first person (the first generation) sends it to 10, each member of that
group of 10 (the second generation) sends it to 10 others or 100
messages and so on.
As you can see, by the sixth generation there are a million e-mail
messages being processed by our mail servers. The capacity to handle
these messages must be paid for by the users or, if it is not paid for,
the mail servers slow down to a crawl or crash. Note that this example
only forwards the message to 10 people at each generation while people
who forward real hoax messages often send them to many times that
number.
Recently, we have been hearing of spammers (bulk mailers of unsolicited
mail) harvesting e-mail addresses from hoaxes and chain letters. After
a few generations, many of these letters contain hundreds of good
addresses, which is just what the spammers want. We have also heard
rumors that spammers are deliberately starting hoaxes and chain letters
to gather e-mail addresses (of course, that could be a hoax). So now,
all those nice people who were so worried about the poor little girl
dying of cancer find themselves not only laughed at for passing on a
hoax but also the recipients of tons of spam mail.
How to Recognize a Hoax
Probably the first thing you should notice about a warning is the
request to "send this to everyone you know" or some variant of that
statement. This should raise a red flag that the warning is probably a
hoax. No real warning message from a credible source will tell you to
send this to everyone you know.
Next, look at what makes a successful hoax. There are two known factors that make a successful hoax, they are:
(1) technical sounding language.
(2) credibility by association.
If the warning uses the proper technical jargon, most individuals,
including technologically savvy individuals, tend to believe the
warning is real. For example, the Good Times hoax says that "...if the
program is not stopped, the computer's processor will be placed in an
nth-complexity infinite binary loop which can severely damage the
processor...". The first time you read this, it sounds like it might be
something real. With a little research, you find that there is no such
thing as an nth-complexity infinite binary loop and that processors are
designed to run loops for weeks at a time without damage.
When we say credibility by association we are referring to who sent the
warning. If the janitor at a large technological organization sends a
warning to someone outside of that organization, people on the outside
tend to believe the warning because the company should know about those
things. Even though the person sending the warning may not have a clue
what he is talking about, the prestige of the company backs the
warning, making it appear real. If a manager at the company sends the
warning, the message is doubly backed by the company's and the
manager's reputations.
Both of these items make it very difficult to claim a warning is a hoax
so you must do your homework to see if the claims are real and if the
person sending out the warning is a real person and is someone who
would know what they are talking about. You do need to be a little
careful verifying the person as the apparent author may be a real
person who has nothing to do with the hoax. If thousands of people
start sending them mail asking if the message is real, that essentially
constitutes an unintentional denial of service attack on that person.
Check the person's web site or the person's company web site to see if
the hoax has been responded to there. Check these pages or the pages of
other hoax sites to see if we have already declared the warning a hoax.
Hoax messages also follow the same pattern as a chain letter (see below).
Recognizing a Chain Letter
Chain letters and most hoax messages all have a similar pattern. From
the older printed letters to the newer electronic kind, they all have
three recognizable parts:
A hook.
A threat.
A request.
The Hook
First, there is a hook, to catch your interest and get you to read the
rest of the letter. Hooks used to be "Make Money Fast" or "Get Rich" or
similar statements related to making money for little or no work.
Electronic chain letters also use the "free money" type of hooks, but
have added hooks like "Danger!" and "Virus Alert" or "A Little Girl Is
Dying". These tie into our fear for the survival of our computers or
into our sympathy for some poor unfortunate person.
The Threat
When you are hooked, you read on to the threat. Most threats used to
warn you about the terrible things that will happen if you do not
maintain the chain. However, others play on greed or sympathy to get
you to pass the letter on. The threat often contains official or
technical sounding language to get you to believe it is real.
The Request
Finally, the request. Some older chain letters ask you to mail a dollar
to the top ten names on the letter and then pass it on. The electronic
ones simply admonish you to "Distribute this letter to as many people
as possible." They never mention clogging the Internet or the fact that
the message is a fake, they only want you to pass it on to others.
Chain letters usually do not have the name and contact information of
the original sender so it is impossible to check on its authenticity.
Legitimate warnings and solicitations will always have complete contact
information from the person sending the message and will often be
signed with a cryptographic signature, such as PGP to assure its
authenticity. Many of the newer chain letters do have a person's name
and contact information but that person either does not really exist or
does exist but does not have anything to do with the hoax message. As
mentioned in the previous section, try to use other means than
contacting the person directly to find out if the message is a hoax.
Try the person's web page, the person's company web page, or this and
other hoax sites first to see if the message has already been declared
a hoax.
For example, the PENPAL GREETINGS! hoax shown below appears to be an
attempt to kill an e-mail chain letter. This chain letter is a hoax
because reading a text e-mail message does not execute a virus nor does
it execute any attachments; therefore the Trojan horse must be self
starting. Aside from the fact that a program cannot start itself, the
Trojan horse would have to know about every different kind of e-mail
program to be able to forward copies of itself to other people. We have
had to modify this statement slightly for the newer html mail readers.
If a mail message is formatted with html and contains scripts, those
scripts will run when the e-mail message is read. Active scripting
should always be turned off for a mail reader so that malicious code
like the KAK worm cannot automatically run.
Notice the three parts of a chain letter, which are easy to identify in this example.
The Hook
FYI!
Subject: Virus Alert
Importance: High
If anyone receives mail entitled: PENPAL GREETINGS! please delete it WITHOUT reading it. Below is a little explanation of the message, and what it would do to your PC if you were to read the message. If you have any questions or concerns please contact SAF-IA Info Office on 697-5059.
The Threat
This is a warning for all internet users - there is a dangerous virus
propogating across the internet through an e-mail message entitled "PENPAL GREETINGS!". DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!"
This message appears to be a friendly letter asking you if you are interested in a penpal, but by the time you read this letter, it is too late. The "trojan horse" virus will have already infected the boot sector of your hard drive, destroying all of the data present. It is a self-replicating virus, and once the message is read, it will AUTOMATICALLY forward itself to anyone
who's e-mail address is present in YOUR mailbox!
This virus will DESTROY your hard drive, and holds the potential to DESTROY the hard drive of anyone whose mail is in your inbox, and who's mail is in their inbox, and so on. If this virus remains unchecked, it has the potential to do a great deal of DAMAGE to computer networks worldwide!!!! Please, delete the message entitled "PENPAL GREETINGS!" as soon as you see it!
The Request
And pass this message along to all of your friends and relatives, and the other readers of the newsgroups and mailing lists which you are on, so that they are not hurt by this dangerous virus!!!!
Validating a Warning
CIAC recommends that you DO NOT circulate warnings without first
checking with an authoritative source. Authoritative sources are your
computer system security administrator, your computer incident handling
team, or your antivirus vendor. Real warnings about viruses and other
network problems are issued by computer security response teams (CIAC,
CERT, ASSIST, NASIRC, etc.) and are digitally signed by the sending
team using PGP. If you download a warning from a team's web site or
validate the PGP signature, you can usually be assured that the warning
is real. Warnings without the name of the person sending the original
notice, or warnings with names, addresses and phone numbers that do not
actually exist are probably hoaxes. Warnings about new malicious code
are also available at the antivirus vendors sites and at the operating
system's vendor site.
Companies like Microsoft will not send out mass emails explaining
Bidwieser frog screensavers or possible virus threats and they certanly
do not give out money for Beta Testing.
What to Do When You Receive a Warning
Upon receiving a warning, you should examine its PGP signature to see
that it is from a real response team or antivirus organization. To do
so, you will need a copy of the PGP software and the public signature
of the team that sent the message. The CIAC signature is available at
the CIAC home page:
http://ciac.llnl.gov/ You can find the addresses of other response teams by connecting to the FIRST web page at:
http://www.first.org.
If there is no PGP signature, check at this and other hoax sites to see
if the warning has already been declared as a hoax. If you do not find
the warning at the hoax sites, it just may mean that we have not yet
seen this particular hoax.
See if the warning includes the name of the person submitting the
original warning. If it does, see if you can determine if the person
really exists. If they do, don't send them an e-mail message. It is
likely that they have nothing to do with this hoax and thousands of
people sending them questions will be just as damaging to them as
sending around the hoax message. Instead, check their personal or
company web site. Often if a person has been the brunt of a hoax, that
hoax message will be debunked on the person's company web site. If you
still cannot determine if a message is real or a hoax, send it to your
computer security manager, your ISP, or your incident response team and
let them validate it.
When in Doubt, Don't Send It Out
In addition, most anti-virus companies have a web page containing
information about most known viruses and hoaxes. You can also call or
check the web site of the company that produces the product that is
supposed to contain the virus. Checking the PKWARE site for the current
releases of PKZip would stop the circulation of the warning about
PKZ300 since there is no released version 3 of PKZip. Other useful
virus and hoax sites are listed on our Other Hoax Sites pages. In most
cases, common sense would eliminate Internet hoaxes.
Why People Send Chain Letters and Hoax Messages
Only the original writer knows the real reason, but some possibilities are:
To gather Email addresses to go on a Spam List.
To see how far a letter will go.
To harass another person (include an e-mail address and ask everyone to send mail to, e.g. Michael Knight).
To bilk money out of people using a pyramid scheme.
To kill some other chain letter (e.g. Make Money Fast).
To damage a person's or organization's reputation.
History of Virus Hoaxes
Since 1988, computer virus hoaxes have been circulating the Internet.
In October of that year, according to Ferbrache ("A pathology of
Computer Viruses" Springer, London, 1992) one of the first virus hoaxes
was the 2400 baud modem virus:
SUBJ: Really Nasty Virus
AREA: GENERAL (1)
I've just discovered probably the world's worst computer virus
yet. I had just finished a late night session of BBS'ing and file
treading when I exited Telix 3 and attempted to run pkxarc to
unarc the software I had downloaded. Next thing I knew my hard
disk was seeking all over and it was apparently writing random
sectors. Thank god for strong coffee and a recent backup.
Everything was back to normal, so I called the BBS again and
downloaded a file. When I went to use ddir to list the directory,
my hard disk was getting trashed again. I tried Procomm Plus TD
and also PC Talk 3. Same results every time. Something was up so I
hooked up to my test equipment and different modems (I do research
and development for a local computer telecommunications company
and have an in-house lab at my disposal). After another hour of
corrupted hard drives I found what I think is the world's worst
computer virus yet. The virus distributes itself on the modem sub-
carrier present in all 2400 baud and up modems. The sub-carrier is
used for ROM and register debugging purposes only, and otherwise
serves no other purpose. The virus sets a bit pattern in one
of the internal modem registers, but it seemed to screw up the
other registers on my USR. A modem that has been "infected" with
this virus will then transmit the virus to other modems that use a
subcarrier (I suppose those who use 300 and 1200 baud modems
should be immune). The virus then attaches itself to all binary
incoming data and infects the host computer's hard disk. The only
way to get rid of this virus is to completely reset all the modem
registers by hand, but I haven't found a way to vaccinate a modem
against the virus, but there is the possibility of building a
subcarrier filter. I am calling on a 1200 baud modem to enter this
message, and have advised the sysops of the two other boards
(names withheld). I don't know how this virus originated, but I'm
sure it is the work of someone in the computer telecommunications
field such as myself. Probably the best thing to do now is to
stick to 1200 baud until we figure this thing out.
Mike RoChenle
This bogus virus description spawned a humorous alert (even in my own inbox) by Robert Morris III :
Date: 11-31-88 (24:60) Number: 32769
To: ALL Refer#: NONE
From: ROBERT MORRIS III Read: (N/A)
Subj: VIRUS ALERT Status: PUBLIC MESSAGE
Warning: There's a new virus on the loose that's worse than
anything I've seen before! It gets in through the power line,
riding on the powerline 60 Hz subcarrier. It works by changing the
serial port pinouts, and by reversing the direction one's disks
spin. Over 300,000 systems have been hit by it here in Murphy,
West Dakota alone! And that's just in the last 12 minutes.
It attacks DOS, Unix, TOPS-20, Apple-II, VMS, MVS, Multics, Mac,
RSX-11, ITS, TRS-80, and VHS systems.
To prevent the spread of the worm:
1) Don't use the power line.
2) Don't use batteries either, since there are rumours that this
virus has invaded most major battery plants and is infecting the
positive poles of the batteries. (You might try hooking up just
the negative pole.)
3) Don't upload or download files.
4) Don't store files on floppy disks or hard disks.
5) Don't read messages. Not even this one!
6) Don't use serial ports, modems, or phone lines.
7) Don't use keyboards, screens, or printers.
8) Don't use switches, CPUs, memories, microprocessors, or
mainframes.
9) Don't use electric lights, electric or gas heat or air-conditioning, running water, writing, fire, clothing or the wheel.
I'm sure if we are all careful to follow these 9 easy steps, this
virus can be eradicated, and the precious electronic flui9ds of
our computers can be kept pure.
---RTM III
Since that time virus hoaxes have flooded the Internet.With thousands
of viruses worldwide, virus paranoia in the community has risen to an
extremely high level. It is this paranoia that fuels virus hoaxes. A
good example of this behaviour is the "Good Times" virus hoax which
started in 1994 and is still circulating the Internet today. Instead of
spreading from one computer to another by itself, Good Times relies on
people to pass it along.
If you need to forward anything to more than 1 person, Please use the
BCC field, thus breaking the chain. I hate getting these mails from
people, and when I tell them they are fake they never beleive me thus
always having to prove it.
