As the Win32/Waledac nuisance continues to escalate, it's good to know that there are some certainties in a changing world. One, unfortunately, is that people will continue to fall for hoaxes and chain letters.

Much to my surprise, one of my mailboxes has just been visited by an old friend, a hoax that has been around at least since the late 1990s. Not that hoaxes surprise me in themselves, but because appeared to have been sent to quite a few people in the anti-malware business. I'm not sure what that tells us...

You can find a writeup on a very similar version of the Microsoft/AOL hoax here at http://www.snopes.com, but the basic story is that Microsoft and AOL will pay you ridiculously large sums for forwarding a chain letter, since they are, we're told, beta testing an email tracking system which will, in some way that isn't explained, help to ensure that Internet Explorer remains the most used web browser.

Looking at the paragraph above, it's hard to imagine that anyone needs to read this blog any further, since the proposition is so ridiculous. Not many companies get so large by giving money away to people to do something so obviously useless. However, the mail I received suggests that many hundreds of people received the same instance of the letter I received. (Of course, I imagine that the number of people who've received some variation of this letter over the years runs into many, many millions.) But perhaps we can learn something from the particular social engineering tricks used here.

  •  By way of adding spurious circumstantial detail to make it sound more convincing, we're told that the original mail came from an attorney called Pearlas Sandborn. Not a very well-informed one, since she  doesn't know the difference between Microsoft and Intel, or that Bill Gates is not the big name at Microsoft these days.
  • However, she does appear to be aware of a law suit filed by Pepsi Cola against General Electric that no-one else has ever heard of, since she cites it as the sort of class action that would be filed against Microsoft/AOL/Intel if they didn't honor this promise of money for chain mail. Hmm. I'm not an attorney, but I don't see how one company suing another (even if it had ever happened) can be a class action. I certainly don't see how the claims of a chain letter can somehow impose an obligation on international corporations. But evidently this sounds impressive to someone, given the success of the hoax.
  • Still, let's move on. Apparently Ms Sandborn is not the only person contributing to this email thread who "knows the law". OK. If someone I don't know tells me they know the law, I always believe them. The same way that when 6-year-olds tell me that fairies and Saint Nick really exist, I always believe them.
  • Then there's the assurance that this  beta service got two pages in USA Today on Tuesday. I'm not sure which Tuesday, since, like all these things, the audit trail appears to end with one rlmosher@verizon.net who is apparently forwarding a message sent by an anonymous "tech savvy" friend. However, this bit of circumstantial "evidence" has been around for quite a while, so I guess it was many Tuesday's ago. Or, far more likely, a complete fabrication to make the story more convincing.

Quite a few of the recipients of this silliness have made some response along the lines of "I'm not sure I believe this,  but it must be worth a shot."

Well, I guess forwarding one email on the offchance of a $24,000 check doesn't seem a big deal. The individual isn't usually aware of the high volume of similar rubbish wasting the time of overworked mail and security administrators, and may not be concerned that somewhere behind each of these there's some pathetic little hoaxer laughing up his sleeve. It's not as though by forwarding one of these you're likely to get stung by a 419 scammer demanding money in advance so that he can send you a few million dollars.

Except, of course, that people who are naive enough to fall for one of these are also likely to fall for financially dangerous scams. And everyone who forwards these things is encouraging a culture of reckless ignorance of the risks of assuming that everyone on the Internet is (1) who they say they are (2) automatically trustworthy.

Why do people who are quite rational and careful off-line suddenly turn into con victims when they log in to email, believing that hard-headed businessmen are going to give them something for nothing?

David Harley
Director of Malware Intelligence