Posted by: David Harley | March 13, 2014

Mystery Shopper Scam

Here’s a mystery shopper scam phish that Mich Kabay brought to my attention. You can find out more about it in the blog I just put up for ESET: More Mystery Shopper Misery

David Harley
Small Blue-Green World

Posted by: David Harley | March 10, 2014

Postcard from Hallmark hoax

Here’s a hoax alert I was asked about recently. It’s far from new, but it seems to be enjoying a new lease of life on social media at the moment. As it’s an example of a very prevalent kind of hoax, it’s worth giving it some special attention, in the hope that it will be easier to spot similar timewasters.

THIS IS IMPORTANT BEWARE and tell everybody you can think of!!!

[Yes, we know it’s important because it’s IN CAPITALS and has three exclamation marks!!! Wait a minute… Who decided it was IMPORTANT, and on what authority? We’ll get to that in a minute.]

Regards, Better to be safe than sorry

Regards? End of the message already? Obviously not, but this does suggest more than one message stitched together, a very common feature of dross like this. I don’t think there’s a single line in this message I haven’t seen elsewhere, but so many hoax gambits in a single message is an educational opportunity I can’t pass up.

Dave’s brother is a very advanced programmer who does computer work for a living…

I don’t know who Dave is (it isn’t me, I haven’t coded anything in years!), let alone his brother. So excuse me if I don’t take their programming expertise or knowledge of malicious software as a given. As a matter of fact, since I sidled into the IT industry in 1986, I’ve found programmers and other IT professionals to be as capable as anyone else (including security professionals) of spreading misinformation when they step outside their own specializations. And by the way, you can be extremely technically knowledgeable without being a professional programmer, you know, though having no knowledge at all of programming would be a significant disadvantage in some contexts.

…and has a high up status with Microsoft.

Remember that story about Bill Gates being unable to install the Windows 8.1 upgrade? Except that it appears that story originated with the New Yorker’s satirical Andy Borowitz column, which rather casts doubt on its accuracy (even though many sites have republished or summarized it without question). Still, if there’s one thing I’ve learned from nearly 30 years in the industry, it’s this: even technically accomplished people tend to lose their technical grasp as they acquire more and more people who can do routine tasks for them. High status does not equal technical expertise.

He doesn’t send these if they aren’t real. If He says this is for real, it for sure is.

Of course it is. How could anyone not take Dave’s brother’s word on it?

Be aware. VIRUS COMING !

This is just so wrong on so many levels. I don’t know what it reminds me of most: those helpful people who tell you to be careful while you’re picking yourself up off the ice you just slipped on, or those security experts who tell you not to open suspicious messages. “Oh look, it’s a suspicious message. I must open it and see what it says.”

Hi All, I checked with Norton Anti-Virus, and they are gearing up for this virus!

What on earth does ‘gearing up’ mean? They’re looking for a sample? They’re trying to work out how to detect it? They’re putting up sandbags so that it doesn’t leak into their offices? No, it means ‘I haven’t been in touch with anyone at Symantec/Norton at all, but maybe Dave’s brother has.’

I checked Snopes, and it is for real.

This is interesting. And a common claim by hoaxers who’ve done no such thing and are hoping that you won’t either, in case you find that there’s a Snopes entry that says exactly the opposite. In this case, though, the Snopes entry lists this as ‘outdated’ rather than as an out-and-out hoax, despite the manifest improbability of some of the claims made in this message. Which may be why some hoaxes sometimes include the specific URL for this entry.

The rationale here is that there really have been instances of malware spread via what were passed off as links to e-card sites, notably in Nuwar/Storm campaigns, with subject lines like “You’ve received a postcard from a family member!” Quite a few of those subject lines are listed in the Snopes article, but while it’s perfectly possible that future malware campaigns will re-use this approach and even some of those subject lines, the idea that you can spot an incoming malicious message by its subject line is misleading at best. In fact, it’s characterized email virus hoaxes going right back to the venerable (but not venerated) Good Times hoax, and even further back to the ‘Mogul metavirus’ spoof, which was meant to be humorous but, arguably, spawned a million imitators. Elements of many of those imitators are present in the POSTCARD FROM HALLMARK hoax, including the Olympic Torch hoax, A Virtual Card For You, the Invitation hoax and so on.

Get this E-mail message sent around to your contacts ASAP.

Quick, before you have time to think about it and see how ridiculous it is. This does give you some idea of how old this hoax actually is, going back to the days when email was the main channel for Internet communication and social media were barely an idea.


“You know we mean it. We’re typing in capitals again.” But please don’t forward it. Really.

You should be alert during the next few days.

Be alert. Facebook needs more lerts. (Sorry. Couldn’t resist.)

Do not open any message with an attachment entitled POSTCARD FROM HALLMARK, regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE, which ‘burns’ the whole hard disc C of your computer.

Sounds alarming. Imagine all those melting hard disk platters. “Hello, Dali, well, hello, Dali….” Actually, it sounds as if Dave’s brother doesn’t know a lot about storage technology or even how Windows sees a hard drive.

This virus will be received from someone who has your e-mail address in his/her contact list. This is the reason you need to send this e-mail to all your contacts.

Specious reasoning if ever I saw it… This just means “I want you to forward this to as many people as possible and hopefully you won’t look too carefully at the logic.”

It is better to receive this message 25 times than to receive the virus and open it.

That could possibly be true if the virus was real, but it’s even better not to receive any copies of a useless but somewhat viral message. It’s better not to receive real malware (most modern malware isn’t viral) than to receive it. But receiving a memetic virus is in itself pretty irritating, if not as unequivocally damaging as a CIH or Autostart.

If you receive an email entitled “POSTCARD,” even though it was sent to you by a friend, do not open it!

That, at least, makes some sense in that you can’t safely trust a message just because it appears to come from a person whose intentions you trust. Unfortunately, simply assuming that all email with the subject POSTCARD is malicious is less sensible. Deleting or blocking messages because they have a highly generic subject line associated with a virus that doesn’t actually exist is even less sensible.

Shut down your computer immediately.

I’m not sure what the logic is here. If you didn’t open the message, it’s unlikely that whatever malicious code it’s supposed to contain could be executed. There have been occasions where a bug in a specific email client could cause code to be executed from an unopened message, but it’s rare, and there’s no indication of an email client problem here. The remote possibility of such an issue is a good reason for keeping your operating system and applications promptly patched and updated. But that isn’t alarmist enough for a chain letter.

Of course, if the malware was real and as bad as described, shutting down the PC would probably mean you wouldn’t be able to start it up again.

This is the worst virus announced by CNN.

Well, a news channel is obviously best-equipped to make a rational assessment of the impact of the threat. In the real world, though, it might be nice if it could be attributed to a security company with some knowledge of malware. Failing that, at least give us a URL to verify… (Preferably a link to a trustworthy site, and no URL shortening, QR codes or other link obfuscation gambits.)

It has been classified by Microsoft as the most destructive virus ever.

Oh, OK. Though actually, at the time this hoax first appeared, few would have considered Microsoft to be a security company at all. But they certainly know something about malware now. But again, there’s no way of verifying the assertion. Of course, there’s no way to check that Microsoft really did classify the thing in this way. But that would be because they didn’t.

This virus was discovered by McAfee yesterday,

No verification. Yawn. And no way of establishing when ‘yesterday’ might have been. 2001 or earlier, I’d say… Strange that at least two major security companies know about it and yet…

…and there is no repair yet for this kind of Virus.

We’re doomed.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

Well, you can certainly cause appreciable (not necessarily permanent) damage by trashing the Master Boot Record, which is what normally occupies Sector 0, but the risk to real hardware from an imaginary virus is fairly small.


No, no, no. Please don’t. This is just emotional blackmail and social engineering. Don’t forward it.

And do feel free to let the person who sent it to you know that it’s a hoax. (However, if the mail was sent to lots of other people at the same time – as is usually the case – I don’t generally recommend that you “reply all” so that they all get to hear that it’s a hoax.)

It’s often the case – in my experience – that when you let people know they’ve been hoaxed, they take some convincing. Well, no-one wants to be made to feel stupid. Here are some more resources you can quote them if they don’t believe you.

In general, any instruction to send an email to all your friends is by definition a chain message. That doesn’t make it a hoax by definition, but it’s always worth (a) verifying before you send (b) considering whether your friends will really appreciate getting 25 copies of more-or-less the same message. I know I wouldn’t.

David Harley 
Small Blue-Green World

Posted by: David Harley | March 5, 2014

Social media advice for tween parents

I don’t suppose I’d have come across this if I hadn’t been invited to contribute to it: Fashion Playtes is more about tween fashion and Generation Z, and that’s not my usual audience. However, Angela Stringfellow invited me and 36 other people to provide tips to parents of tweens on social media and safety, and that certainly seemed worth doing. :)

36 Social Media Experts & Parents Share Tips On How To Keep Your Tween Safe On Social Media

David Harley
Small Blue-Green World

Posted by: David Harley | March 5, 2014

Courier Scams

My attention was drawn this morning to a phone scam that seems to be pretty prevalent in my area right now. It’s not new, but I thought it was worth a detailed explanation, so I blogged it at ESET.

Courier Scams – don’t give away your bank card

David Harley
Small Blue-Green World

Posted by: David Harley | March 3, 2014

Out of the phrying pan

An energetic hat tip to Martijn Grooten for drawing my attention to a very significant blog by Jérôme Segura on a tech support scam with a phishing twist, for Malwarebytes.

Yes, I know. Yet another tech support scam. But this one is really interesting:

Netflix Phishing Scam leads to Fake Microsoft Tech Support

My own commentary for ESET is here:

Netflix phish, tech support scam, same phrying pan

David Harley
Small Blue-Green World

Posted by: David Harley | March 2, 2014

ESET blog on phishing and vulnerable smartphone users

Just for a change, an ESET blog on phishing that I didn’t write, though Rob Waugh does quote me at some length:

Smells phishy? New email scams – and why smartphone users need to stay alert

Rob points out that:

Phishing is unique among cyber attacks – it doesn’t rely on weaknesses in computer software, or new vulnerabilities – it relies, initially at least, on human gullibility.

This means that devices users often think of as ‘immune’ to cyber attacks – such as smartphones – are in fact the perfect vehicle for phishing attacks.

David Harley
Small Blue-Green World

Posted by: David Harley | February 26, 2014

Softpedia Warns of Fake Facebook Giveaway

, writing for Softpedia, describes a Facebook scam where people are lured into Liking a Facebook page by the promise that one of them will receive a brand new BMW X6. He says:

Of course, BMW doesn’t have anything to do with this BMW Manager page or with the alleged giveaway. Instead, as Hoax Slayer highlights, scammers are simply trying to trick users into liking their Facebook page to increase its value.

The article is at Facebook Scam: BMW Manager Donates a Brand New X6. Of course, there are probably lots of legitimate pages that offer giveaways for Likes, but there are also a lot of pages that don’t represent the company they seem to. Unfortunately, it’s not always easy to distinguish between fakers and the real thing.

(HT to Steve Santorelli for flagging the article)

David Harley
Small Blue-Green World

Posted by: David Harley | February 26, 2014

Fake conference papers

An article on Slashdot reports that Publishers Withdraw More Than 120 Fake Papers: the papers referred to are apparently ‘computer-generated papers’ that were published in conference proceedings between 2008 and 2013, the publishers involved being Springer and the IEEE.

The article is referring to a far more detailed report by Richard van Noorden for Nature: Publishers withdraw more than 120 gibberish papers. While the automation aspect is new to me, it’s been apparent for quite a while that dubious conferences and journals that have more to do with quantity than quality, and more to do with the exploitation of the need many academics have to publish in order to maintain tenure, are a considerable blot on the scientific escutcheon. I posted a brief article addressing some of the issues for the Anti-Phishing Working Group blog about a year ago: Academic Vanity Press: Who Gets Scammed?

There may not be any direct connection, but those of us who have got tired over the years of being contacted every few months by editors at the security magazine Hakin9 in search of lengthy but unpaid articles from the security research community had a quiet giggle in 2012 when Hakin9 published an article on DARPA Inference Checking Kludge Scanning (note the acronym) apparently submitted to draw attention to the magazine’s poor editorial standard. John Leyden’s Register article Experts troll ‘biggest security mag in the world’ with DICKish submission has the detail on that story.

David Harley
ESET Senior Research Fellow

Posted by: David Harley | February 23, 2014

Call centre scams: not just tech support

I’ve written here and elsewhere many times about tech support scams. However, one of my recent blogs for ESET not only includes some new info on those, but also looks at some other scams apparently deriving from the same call centres, especially the accident insurance scams and PPI scams that seem to be particularly prevalent in the UK at the moment.

Scams: Tech Support, Accident Insurance, PPI, Oh My My

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | February 23, 2014

Not Angelas but maybe not Angels*

As I mentioned here recently, the Talking Angela myth Graham Cluley first reported about a year ago still has legs (not to mention its mouth, which seems to be the main point of contention). As well as Paul Ducklin’s look at the chain message, Graham has had occasion to return to the topic several times in the past week or two.

  • Talking Angela app scare spreads between English and French Facebook users: I’m not sure whether it’s serendipitous or maybe a subtle intentional pun that Graham describes the app as a chat-bot. The app centres on conversations with an Eliza-like program that extracts elements from sentences typed in by a human and uses them to generate human-like responses, but ‘Angela’ is represented as a cat, not a human. And the French for cat is ‘chat’. :)
  • Two days later he reported on a story that a 7-year-old boy had disappeared after his mother installed Talking Angela onto her iPhone. The story apparently originates on Huzlers, a site that announces its intentions (in a footnote at the bottom of its main page) as being: “… a combination of real shocking news and satire news to keep its visitors in a state of disbelief.” While that footnote seems to suggest that some of its ‘shocking news’ stories are real, there’s a Huzlers Facebook page that proclaims ‘…because you like being lied to’, and other sources assume that its content is purely satire/fiction. Be that as it may, I’ve found no indication anywhere that there’s any truth in this particular story, and I don’t advocate passing on any Huzlers story without very careful verification. At the very least, it seems that the site is inspiring a state of belief rather than unbelief in social media users.
  • Most bizarrely, perhaps, he reported on a phone call he received from a lady in the North of England wanting to know if he’d written the app, since his name cropped up when she looked up ‘Talking Angela’ on Google. He didn’t, and if you’re reading this, madam, neither did I. :) The worrying aspect of this story is that when people are determined to believe a hoax or semi-hoax, they can be quite aggressive in its defence, resorting to ad hominem attacks on the morals and intellectual capacity of someone advocating a reasoned, analytical consideration of an issue rather than an emotion-clouded knee-jerk reaction. Happily, that doesn’t seem to have been the case in this instance.

Stuart Dredge also looked at the Talking Angela issue for the Guardian: he talked to the real developers, Outfit7, and it turns out that the conversations are collected, though the company states that “We take out anything that could be potentially identifiable. We’re over-cautious in how we filter information, to make sure nothing identifiable can leave the app.” Dredge’s article is by no means a PR exercise in favour of the company: he does raise some concerns about the app, though they seem very minor compared to the hysterical tone of some of the warnings Graham quotes. In another article – What the Talking Angela app is really saying to your kids – he examines some of the app behaviour that seems to have inspired some of the hysteria and concludes:

A couple of commenters on my previous article about the Talking Angela hoax suggested concerns about the app normalising the kind of conversations that you wouldn’t want children having with strangers in the real world. That’s a legitimate criticism, and one that Outfit7 should act on by making it harder for kids to turn off the Child Mode.

He raises some other issues that would probably discourage me from allowing my own young children to use the app, if I still had any. However, that’s a long way from the sort of exploitation and grooming scares that are currently circulating.

Outfit7 has an FAQ that tries to address some of the concerns here.

*There is a story that when Pope Gregory (c. 540-604 A.D.) first saw fair-haired children in the slave market and was told that they were Angles (one of the Germanic peoples who settled in England following the fall of the Roman Empire – hence Anglo-Saxons), he punned ‘Non Angli sed Angeli’ (not Angles but Angels). I don’t see why he and Graham should have all the pun fun.

David Harley
Small Blue-Green World
