ESET Threat Blog

Archive for the 'chain letter' Category

Great Hoax From Little Acorns…


Wednesday, November 18th, 2009

I learned a new word today: "glurge". According to snopes.com, an essential resource when checking the validity of dubious chain letters, glurge is the sending of

inspirational (and supposedly true) tales … that often … undermine their messages by fabricating and distorting historical fact in the guise of offering a "true story".

I came across this definition while checking on the provenance of a number of chain letters that have crossed my path in the past week or two and that I've already described elsewhere. (I'll be returning to them in more detail here shortly, though, probably as a paper rather than as a blog post.)

The particular example of glurge listed by snopes.com at http://www.snopes.com/glurge/daughter.asp is one of several chain letters I've seen that require me to forward chain letters in order to prove that I care about the fate of English troops in Afghanistan. (Since I do, in fact, have a close relative serving in the military, I find that somewhat offensive, and I think he would too.)

And thereby hangs a tale. Randy Abrams and I wrote a paper for this year's Virus Bulletin conference called "Whatever happened to the unlikely lads? A hoaxing metamorphosis" that traces the evolution of hoaxes from virus scare stories to emotional blackmail as the social engineering mechanism for persuading people to disseminate hoaxes and semi-hoaxes. If you think that chain letters stopped being an issue when people finally realized that there is no "Good Times" virus and that the SULFNBK hysteria was just that, it might just change your mind. You can find it on the ESET white papers page at http://www.eset.com/download/whitepapers/Harley-Abrams-VB2009.pdf.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Also blogging at:
http://blog.isc2.org/
http://avien.net/blog
http://blogs.securiteam.com
http://dharley.wordpress.com/

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

That BT Scam Again


Saturday, September 19th, 2009

A few days ago, I mentioned an email chain letter that’s going round in the UK about a scam where "the bad guy poses as a telephone company operative and threatens to cut off service unless the panicked recipient of the call immediately pays an allegedly unpaid bill. Faced with a sceptical potential victim, the caller "proves" that he can cut off service immediately by telling them to try putting down the receiver and then trying to make another call."

The Register’s John Leyden has today picked up on the same story, having been alerted by a reader called Alex, who told El Reg that it happened to a friend of his. Well, that may well be, but the story sounds very like the chain letter that’s being circulated, even to the fact that the friend is apparently a subscriber to Virgin Media. Nevertheless, the Register article is well worth reading: BT seem to have confirmed that this type of scam is not only possible, but actually being carried out against subscribers to a number of telephone services*, and Leyden has quoted a statement at length from the company. He also noted a similar scam being carried out by criminals claiming to represent Ofcom, the UK telecom regulator (since when did they handle digital upgrades?), and also using the temporary disconnection trick I described in my earlier post.

*I don’t know if this means that people are getting these calls irrespective of which service they subscribe to, or that scammers are claiming to represent providers other than BT. I suspect the former, though, since other providers don’t usually provide infrastructure to each other.

Anyway…

  • While non-BT telephone services in the UK are often carried over BT cable, BT do not charge subscribers to those services directly for the use of their infrastructure.
  • BT staff do not use the "disconnection" trick, engineers do not normally handle financial transactions, and sales staff, helpdesk staff and so on don’t normally have direct access to engineering functionality.
  • If you find yourself at the other end of a dubious BT phone call, you can ask the engineer for his ID number. He can also give you an 0800 number to dial to check, but a number supplied by the caller proves nothing, so you might prefer to use the BT general enquiries number (0800 800 150) that BT themselves quote.
  • Ofcom have quoted a couple of contact numbers too. To contact Ofcom’s Advisory Team call 0300 123 3333; to contact Consumer Direct call 08454 04 05 06.
  • I’m only seeing reports of the scam (and the chain letter) in the UK. However, I wouldn’t be surprised to start seeing reports from other countries in due course. The disconnection trick isn’t restricted to the UK.

Finally, here’s a copy of the chain letter (thanks, Genna!), with comments in italics.

Subject: URGENT – New BT phone scam – BEWARE

— PLEASE PASS ON TO YOUR FRIENDS & FAMILY…

I detest chain letters in principle, but it does seem to be genuine, although not particularly common at the moment.  I suspect that the proliferation of the chain letter will actually encourage other scammers to try variations on the same scam (which is why I didn’t publish the full message before), but I guess that cat is out of the bag.

This new telephone ’scam’ has arrived.

I received a call from a ‘representative’ of BT, informing me that he was dis-connecting me because of an unpaid bill. He demanded payment immediately of £31.00, or it would be £118.00 to re-connect at a later date.

The guy wasn’t even fazed when I told him I was with Virgin Media, allegedly VM have to pay BT a percentage for line rental!

I presume this is true, but BT are not going to ask subscribers to pay directly because of an alleged shortfall (and I suspect that the payment model is less account-specific anyway).

I asked the guy’s name – the very ‘English’ John Peacock with a very ‘African’ accent – & phone number – 0800 0800 152.

That’s very close to BT’s general enquiries freephone number, but I can confirm that it isn’t a recognized service number. (See end of quoted email.)

Obviously the fella realized I wasn’t believing his story, so offered to demonstrate that he was from BT. I asked how & he told me to hang up & try phoning someone – he would dis-connect my phone to prevent this.

AND HE DID !! My phone was dead – no engaged tone, nothing – until he phoned me again.

Very pleased with himself, he asked if that was enough proof that he was with BT. I asked how the payment was to be made & he said credit card, there & then.

I said that I didn’t know how he’d done it, but I had absolutely no intention of paying him , I didn’t believe his name or that he worked for BT.

As we’ve previously discussed, you don’t need to be a BT engineer to fake a temporary disconnection: if the caller simply doesn’t hang up, an analogue line can stay held for a while, so the victim lifts the receiver, hears nothing, and assumes the line is dead. It won’t work as dependably over other kinds of service as it did over analogue lines, though.

He hung up.

Did 1471 & phoned his fictitious 0800 number – not recognised.

1471 is a UK service number that reads back the number of your last caller, if Caller ID wasn’t withheld. Unfortunately, it’s not difficult to spoof Caller ID: the number presented is whatever the originating network passed on, and organizations that use VoIP routinely set it for legitimate reasons. So a plausible-looking number from 1471 proves nothing either way.

I phoned the police to let them know , I wasn’t the first!  It’s only just started apparently but it is escalating.

Their advice was to let as many people know by word of mouth of this scam. The fact that the phone does go off would probably convince some people it’s real, so please let as many friends & family aware of this.

I’d like to think that the police are not really advocating the use of chain letters for passing on alerts, but who knows? I would strongly recommend that if you feel it’s necessary to warn people about this scam (and I can see why you might) that you send them links to this blog and the Register article, rather than forward the chain letter.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Hoax Hacking


Tuesday, July 21st, 2009

The estimable Dan Raywood, of SC Magazine, forwarded me an interesting example of a hoax email, knowing that I have an unhealthy interest in these "electronic ephemera" as Martin Overton calls them. In fact, I have an email address (hoaxchecker@gmail.com) that I use to offer a free service to people who want information on whether a message is a hoax or not. (The advantage to me, of course, is that I get extra hoaxes to feed my addiction.)

I particularly like this one because the message starts off with

This is not a Hoax – it is listed on Hoaxslayer! 

Well, indeed it is listed: as a hoax… It’s not the first example I’ve seen of a site like Hoax-slayer or snopes.com being used to offer spurious validation of a hoax message, but it is one of the cheekiest.

Still, I thought some people might find it useful if I went through the message and also pointed out some "anti-hoax heuristics".

IF A PERSON CALLED SIMON ASHTON ( SIMON25@HOTMAIL.CO.UK ) CONTACTS YOU THROUGH EMAIL DON’T OPEN THE MESSAGE.
DELETE IT BECAUSE HE IS A HACKER!!

This is an example of a very common hoax that we’ve been seeing since the last century, passing on a "warning" that it’s dangerous to open mail from the named individual. Perhaps one or two of the people named in this way have actually been less than virtuous: it’s more likely that if they exist at all, they’ve been victimized by people trying to cause them trouble.

In the hoax detection business, we sometimes talk about the tripartite hoax model of the Threat, Hook, and Request. Of course, most hoaxers don’t conveniently separate the three components, so the paragraph above could be said to contain both the threat and the hook. (HE IS A HACKER!! – shock! horror! thrills! spills! hacking! arrggghhhh!!!)

Back in the 90s, most hoaxes came ALL IN CAPITALS and with too many exclamation marks!!!!! Nowadays, we see hoaxes that are a little more subtle, too. So while that heuristic evidently still holds, a message with good grammar, syntax and spelling can still be a hoax.

TELL EVERYONE ON YOUR LIST BECAUSE IF SOMEBODY ON YOUR LIST ADDS HIM THEN YOU WILL GET HIM ON YOUR LIST. HE WILL FIGURE OUT YOUR ID COMPUTER ADDRESS, SO COPY AND PASTE THIS MESSAGE TO EVERYONE EVEN IF YOU DONT CARE FOR THEM AND FAST BECAUSE IF HE HACKS THEIR EMAIL HE HACKS YOUR MAIL TOO!!!!!… 

The paragraph above makes the threat more explicit: technically, it doesn’t make much sense, but it sounds worrying. It also contains the request: in computer virology terms, you might call it the replicative mechanism that persuades people to forward the message. Well, of course, that makes it a chain letter. Personally, I’m not convinced that anything really needs to be forwarded as a chain letter, but many people do forward them. I’m not sure if many people still fall for trash like the St. Jude chain letter cited by Richard Dawkins in River Out of Eden, but they will forward questionable messages if they think that it will help others avoid a threat, or to find a missing child (unfortunately, that’s also a very common hook for chain letter hoaxes).

Anyone-using Internet mail such as Yahoo, Hotmail, AOL and so on. This information arrived this morning, Direct from both Microsoft and Norton. Please send it to everybody you know who has access to the Internet. You may receive an apparently harmless e-mail titled ‘Mail Server Report’

Well, this is interesting. Suddenly our hoaxer found the Caps Lock key. Oh no, wait a minute. It’s a different hoax! This is another common type of hoax, in which you’re warned not to open mail with a specific subject. These are almost as old as the Internet: in the 1990s, the "Good Times" virus was a particularly well-known example.

Note that the information is supposed to be hot off the press ("arrived this morning") but there’s no way of dating it. Note also the appeal to authority (Microsoft and Norton). When the prototypes for this type of hoax first appeared, Microsoft knew nothing about viruses, and the Peter Norton branding was better known than the Symantec brand that subsumed it. Now, of course, Microsoft are in the anti-malware business, so you might think that MS and Norton/Symantec should know what they’re talking about. But there’s no way to verify that they said anything of the sort. Some hoaxes are a lot more elaborate in this respect: for instance, they cite specific news services and sometimes even dates. However, anyone can make up a press-release date, and if you don’t check it, you may never know that the release doesn’t exist. And, of course, not everything that’s reported in the media is true. You knew that, right? :-)

If you open either file, a message will appear on your screen saying: ‘It is too late now, your life is no longer beautiful.’

Nice. A reference to yet another hoax. In fact, the hoaxer simply copied and pasted the text from the "LIFE IS BEAUTIFUL" hoax.

Subsequently you will LOSE EVERYTHING IN YOUR PC,
And the person who sent it to you will gain access to your name, e-mail and password.

Icky… But where did "either file" come from? Well, that information evidently didn’t survive the cut and paste. But the LIFE IS BEAUTIFUL hoax commonly mentions a Powerpoint presentation called "Life is beautiful.pps" which is supposed to carry the malicious code. Unfortunately, as we’ve mentioned many times in other contexts, it is possible for some data files to carry executable malicious code (through macros and embedded objects, or by exploiting a flaw in the application that opens the file), so while this is a hoax, you should still be careful when people send you Microsoft Office documents, PDFs and so on.

This is a new virus which started to circulate on Saturday afternoon. AOL has already confirmed the severity, and the anti virus software’s are not capable of destroying it.

Yeah, yeah, yeah. Which Saturday afternoon? What do AOL know about its severity? And an undetectable, unstoppable virus? I don’t think so. If AOL know about it the chances are that the AV companies already have detection for it. Except that they don’t, of course, because it’s not real.

The virus has been created by a hacker who calls himself  ‘life owner’.

Blimey. How many of these guys are there? I thought he was called Simon Ashton? (In fact, the "life owner" tag also comes from the LIFE IS BEAUTIFUL hoax.)

PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS, And ask them to
PASS IT ON IMMEDIATELY!

"Hey, sucker. Send it to every other lamer in your address book. Damn, why does this CAPS LOCK keep turning itself on and off?"

Nowadays, unfortunately, a lot of hoaxes are more sophisticated than this, and they cover a lot of topics other than hacking and viruses. Many of them also contain at least a grain of truth, to make it harder to distinguish between fact and fiction. But the chain letter heuristic is pretty dependable.
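The heuristics picked out above (the forwarding request, shouting capitals and exclamation marks, an appeal to authority with no checkable date, an "undetectable virus" claim, a "don't open mail from X" warning, and a message that vouches for itself) can be written down as a crude scorer. The following is an added example, not code from ESET or from the post: the pattern list, the weights and the threshold are this example's own assumptions rather than a tuned filter, the hoax sample is a trimmed excerpt of the message quoted above, and the benign notice is constructed.

```python
"""Heuristic hoax / chain-letter scorer (added example; weights are illustrative)."""
import re
from dataclasses import dataclass, field


@dataclass
class HoaxVerdict:
    score: int
    reasons: list = field(default_factory=list)


# (name, weight, pattern). Weights and patterns are assumptions for this example;
# a production filter would be tuned against a labelled corpus of hoaxes and real alerts.
HEURISTICS = [
    # the Request: the replicative mechanism that makes it a chain letter
    ("forward_request", 3, re.compile(
        r"\b(send|pass|forward)\b[^.!\n]{0,60}"
        r"\b(everyone|everybody|all your friends|your (address book|list)|friends (&|and) family)\b",
        re.I)),
    ("copy_and_paste_request", 2, re.compile(r"\bcopy and paste this\b", re.I)),
    # the Hook: borrowed credibility that cannot be checked
    ("appeal_to_authority", 2, re.compile(
        r"\b(microsoft|norton|symantec|aol|the police|snopes|hoax[- ]?slayer)\b", re.I)),
    ("undated_freshness", 1, re.compile(
        r"\b(this morning|only just started|saturday afternoon)\b", re.I)),
    ("self_validation", 1, re.compile(r"\bthis is not a hoax\b", re.I)),
    # the Threat: impossible or unfalsifiable harm
    ("undetectable_claim", 3, re.compile(
        r"\b(not capable of (destroying|detecting|removing)|cannot be (detected|removed)|undetectable)\b",
        re.I)),
    ("catastrophe_claim", 2, re.compile(r"\blose everything\b", re.I)),
    ("named_hacker_warning", 2, re.compile(
        r"\b(he|she|they) (is|are) a hacker\b|\bdon.?t open (the message|mail) from\b", re.I)),
]


def shouting_ratio(text: str) -> float:
    """Fraction of alphabetic characters that are upper case."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c.isupper() for c in letters) / len(letters)


def score_message(text: str) -> HoaxVerdict:
    """Apply every heuristic and return the total score with the reasons that fired."""
    verdict = HoaxVerdict(score=0)
    for name, weight, pattern in HEURISTICS:
        if pattern.search(text):
            verdict.score += weight
            verdict.reasons.append(name)
    ratio = shouting_ratio(text)
    if ratio > 0.5:  # "ALL IN CAPITALS"
        verdict.score += 2
        verdict.reasons.append("shouting")
    runs = len(re.findall(r"!{2,}", text))  # "too many exclamation marks!!!!!"
    if runs:
        verdict.score += min(runs, 3)
        verdict.reasons.append("exclamation_runs")
    return verdict


def is_probable_hoax(text: str, threshold: int = 5) -> bool:
    """Threshold is an assumption; tune it on real traffic before trusting it."""
    return score_message(text).score >= threshold


# Sample 1: a trimmed excerpt of the hoax quoted in the post above.
HOAX_SAMPLE = (
    "IF A PERSON CALLED SIMON ASHTON CONTACTS YOU THROUGH EMAIL DON'T OPEN THE MESSAGE.\n"
    "DELETE IT BECAUSE HE IS A HACKER!!\n"
    "TELL EVERYONE ON YOUR LIST BECAUSE IF SOMEBODY ON YOUR LIST ADDS HIM THEN YOU WILL GET HIM ON YOUR LIST.\n"
    "COPY AND PASTE THIS MESSAGE TO EVERYONE EVEN IF YOU DONT CARE FOR THEM!!!!!\n"
    "This information arrived this morning, Direct from both Microsoft and Norton.\n"
    "Please send it to everybody you know who has access to the Internet.\n"
    "AOL has already confirmed the severity, and the anti virus software's are not capable of destroying it.\n"
    "PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS and ask them to PASS IT ON IMMEDIATELY!\n"
)

# Sample 2: a constructed legitimate IT notice. It shares the "this morning" phrasing
# (the grain of truth that makes semi-hoaxes hard) but has no request to forward
# and no impossible threat, so it stays well under the threshold.
BENIGN_SAMPLE = (
    "Our mail gateway blocked 12 messages with a malicious attachment this morning. "
    "Full details and the vendor advisory are at the link below. No action is needed."
)

if __name__ == "__main__":
    for label, text in (("hoax", HOAX_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = score_message(text)
        print(f"{label}: score={v.score} hoax={is_probable_hoax(text)} reasons={v.reasons}")
```

The reasons list is the useful output: a mail admin can explain to a user exactly which tells fired, and a message with good spelling and mixed case still scores on the request and threat patterns, which is the point made above about more subtle hoaxes.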

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


When is a Hoax not a Hoax?


Saturday, March 14th, 2009

Embarrassingly, I keep catching myself promising to come back to a topic and never getting round to it, however often I try to blog here. (The server is gradually filling up with my half-completed drafts!) There are just too many interesting things happening and not enough time to record them all here – this isn’t, after all, my primary job.

But I did promise you a little more on hoaxes and chain letters – actually, a specific hoax which I’ll get to in a while. First of all, I’d like to mention a specific chain letter that circulated for a while at a medical research organization I worked at some years ago. This particular email demanded that all recipients send it on because of the perceived danger from fake black cabs.

It’s not uncommon for old cabs to be sold off and find their way into the possession of private owners (I’ve known one or two people who bought one). The "danger" was said to be from private individuals posing as cab drivers who would then commit crimes against women. That particular chain letter doesn’t seem to have survived, perhaps because while it had the shock factor, it wasn’t specific enough. People seem to like their urban legends to have a "real" horror story as the hook more than a vague "look what might happen!" message.

I was reminded of it by an article I came across by accident today. Ironically, it concerns a real cab-driver and serial rapist. The significance of that particular chain letter, to me, though, is that it came at a time when chain letters were starting to move away from the classic hoaxes about impossible "viruses" that were the most common manifestation of chain email at the time, towards something more ambivalent – I’ve tended to refer to them as semi-hoaxes in other writings on the subject.

Here’s a more recent example, forwarded to me by a former colleague: the subject "A 3-year-old girl named Reachelle Marie Smith is missing. "

IF YOUR CHILD WAS MISSING WOULDN’T YOU PRAY THAT EVERYONE PASSED THIS EMAIL ON?!!!
PLEASE DO THE RIGHT THING AND LOOK AND FORWARD.

A 3-year-old girl named Reachelle Marie Smith is missing.

You never know where this e-mail could end up and I’m not going to stop passing this one around if it means a little girl can be found!!!

Please spread this picture far and wide….You just never know, someone you know, might know her!

PLEASE, BEFORE YOU DELETE THIS, LOOK AT THE CHILD AND THEN LOOK AGAIN.
IF YOU CAN, PLEASE SEND THIS TO EVERYONE IN YOUR ADDRESS BOOK. IT TAKES ONLY 10 SECONDS AND COULD HELP LOCATE HER.
THANK YOU!

There’s also a poster, not included here, that includes information about the suspected kidnapping, including a photograph and description of Leigh Cowan, the suspected kidnapper, and his van.

As with somewhat similar chain letters last year referring to Madeleine McCann, it’s hard to escape the emotional pull of this communication, and some attractive pictures of the child add to the poignancy of the appeal. However, it’s not all as it seems. According to snopes.com, always a good resource to check with regard to any chain letter or suspected hoax, Reachelle has been missing since mid-May 2006 and is now 6 years old, if she’s still living. It’s likely that even if she’s still recognizable from the photographs, her physical dimensions have changed dramatically. And Cowen, her presumed kidnapper, apparently committed suicide a few days after she went missing.

I guess that someone might recognize her from one of the photos at http://www.snopes.com/inboxer/missing/reachelle.asp, but this mail illustrates a persistent problem with information disseminated by chain letter. Even if it was true originally, time and mutations introduced deliberately or inadvertently as the message travels make the information less and less useful.

When I worked for the UK’s National Health Service, our mail servers were frequently found buckling under the strain of chain letters relating to children orphaned by the 2004 Indian Ocean tsunami, long after the children concerned had been identified and/or their relatives found, and the original information was completely obsolete.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Hoax: “Life is beautiful”


Wednesday, November 5th, 2008

Now here’s an old favourite I received today.

This information arrived this morning direct from both Microsoft and Norton.
Please send it to everybody you know who has access to the Internet. You may receive an apparently harmless email with a Power Point presentation
‘Life is beautiful.’
If you receive it DO NOT OPEN THE FILE UNDER ANY CIRCUMSTANCES and delete it immediately.
If you open this file, a message will appear on your screen saying: ‘It is too late now, your life is no longer beautiful.’
Subsequently you will LOSE EVERYTHING IN YOUR PC and the person who sent it to you will gain access to your name, e-mail and password.
This is a new virus which started to circulate on Saturday afternoon. AOL has already confirmed the severity, and the antivirus software’s are not capable of destroying it.

The virus has been created by a hacker who calls himself ‘life owner.’
PLEASE SEND A COPY OF THIS EMAIL TO ALL YOUR FRIENDS and ask them to PASS IT ON IMMEDIATELY

It’s a hoax, of course. It’s been around for several years that I know of: since 2002 according to snopes.com, which is an excellent resource for checking these things, and the first place I check when I see a likely hoax that I’m not familiar with.

But apart from that… When I get a chain letter like this, I don’t usually respond to everyone else who received it, even when it’s a hoax (as it usually is). That’s because when I first started getting interested in urban legends and the internet in the early 90s, I found that, as more people learned about the scale of the hoax problem, responding to everyone generated mailstorms of "oh yes it is – oh no it isn’t" arguments and "I know it’s a hoax – stop telling me what I already know" responses.

 (Incidentally by the end of the 90s and well into this century, the problem was HUGE: when I was responsible for antivirus on mail services run on behalf of the UK’s National Health Service, hoaxes caused me far more problems than real malicious software. Fortunately, we see a lot less in the way of virus hoaxes nowadays, though other forms of hoax and chain letter remain very prevalent.)

As it happens, I did make an exception in this case. I didn’t go all the way down the chain of nested copies looking for everyone who’d ever received it, but I did make an offer to everyone who received it at the same time as I did. And now I’m making it to you. Not for the first time, actually, but I don’t mind repeating myself. I said, I don’t mind repeating myself.

I have an email account (hoaxchecker@gmail.com) that I use as a sort of honeytrap for hoaxes. If you send a copy of any chain letter you receive there, I’ll respond as quickly as I can with a "yes it’s a hoax" or "no it isn’t" or even "well, it’s not altogether wrong, but…" Having been in the computer security business for nearly 20 years, I can usually give a yes or no straight away, but I also have the resources to check with when I’m not sure. It’s not that I’m short of something to do, but it’s quite useful to me to see what is currently circulating in the wild and woolly internet. :)