Posted by: David Harley | September 17, 2014

Swotting up on SWATting

Well, this is embarrassing.

Yesterday, a blog article of mine, ‘The economics of benevolence: mean memes’, appeared, bemoaning the fact that ‘members of the security community, an industry which is so sensitive (with some justification) to statistical legerdemain and to being misrepresented in the media (social or otherwise), being so insensitive as to spread unverified, misleading commentary when it relates to contexts outside their own fields of expertise.’ Elsewhere, with reference (pun intended) to an article on the anal preoccupation in academia with correctly cited references, I remarked:

I’m ambivalent about this. I don’t enjoy doing the sort of paper where I have to spend more time getting the references into exactly the right format – in fact, the older I get, the less I’m inclined to submit for academic conferences, for more than one reason – but there is so much misinformation and misattribution on the internet, I can’t say that rigour isn’t called for.

And then I saw an article shared on Facebook by one of my colleagues in the security industry about a gamer imprisoned for SWATting. Not swatting as in swatting flies or wasps like ‘wanton gods’ (King Lear, Act IV, Scene 1), but swatting as in tricking an emergency service into responding to a fake emergency. Unfortunately, my BS antennae were evidently taking the day off – I thought, “that’s interesting…” and shared it myself, before it was pointed out to me (thank you, Zusana) that it was a repost/retread (one among many) of a known hoax article – sorry, apparently it’s satire, not a hoax – from the National Report. In fact, the photograph seems to be of Dylan Schumaker, who is reported as having been sentenced to 25 years for killing his girlfriend’s toddler.

I’m sure there’s a good reason for the explosion in fake news stories on the 21st century internet, even if I haven’t quite worked out what it is. Nor do I know when the term satire became a synonym for hoax. But I do know that it’s getting (even) harder to distinguish fact from factoid from fiction, and even those of us who’ve been scam/spam/hoaxwatching for decades can get sucked in sometimes.

In my defence, swatting is a long-established issue and no joke at all. And yes, there are frequent reports of the online gaming fraternity (brotherly love, huh?) perpetrating it. There are instances of more hard-core criminals doing the same thing, though. Security blogger Brian Krebs has himself been victimized and has written several articles about the phenomenon since.

David Harley

Posted by: David Harley | August 14, 2014

New tech-support-related blog

“Chris Larson, for Blue Coat, reports finding a site with a fake anti-virus scan masquerading as Microsoft Security Essentials. However, instead of being prompted as with old-time fake AV to download fake AV, he was prompted to connect with a ‘live’ support specialist via LiveChat.”

Read more in Malvertising leading to fake support, posted to the AVIEN blog. Two links also added to the PC ‘TECH SUPPORT’ COLD-CALL SCAM RESOURCES page.

David Harley
Small Blue-Green World

Posted by: David Harley | August 3, 2014

Automated phishing scams to cell phones

For Betanews, Joe Wilcox reports that he received on successive days automated scam calls purporting to have come from Barclays and AT&T: Don’t fall for phone phishing scams.

The ‘Barclays’ call claimed that there had been suspicious purchases on the Wilcoxes’ account (which they don’t have), and wanted his card number in order to proceed. It’s not unknown for a bank to call a customer to verify a purchase, but you should expect the bank to authenticate itself to you before it starts asking for personal data.

‘AT&T’ claimed that the Wilcox account (which they also don’t have) had been breached and demanded the last four digits of Mrs Wilcox’s social security number. (I discussed the misuse of SSNs as an authentication measure at some length in a paper for ESET: Social Security Numbers: Identification is Not Authentication.)

Hat tip to ESET’s Aryeh Goretsky for flagging the article.

David Harley
Small Blue-Green World

Posted by: David Harley | July 3, 2014

Windows Support Service Scam Center

Another article for Graham Cluley’s blog about a site used to direct support scam victims to remote access software: Support scammers – at your service! (There is an ESET connection: I was alerted to the existence of the site by someone commenting on one of my ESET blogs on the topic.)

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | June 24, 2014

Psychological Testing and Psychobabble Hoaxing

This is a version of an internet meme I’ve only come across recently, though an article on Snopes about a very similar message notes that it’s been around since 2002.

This is a genuine psychological test:

It is a story about a girl. While at the funeral of her own mother, she met this guy whom she did not know. She thought this guy was amazing, so much her dream guy she believed him to be just that, she fell in love with him there and then but never asked for his number and then… A few days later the girl killed her own sister.

Question: What is her motive in killing her sister?

Think about this before you scroll down for the answer.

Since this isn’t a genuine psychological test and doesn’t prove what it claims to prove I don’t mind in the least if you scroll down to find out what the answer is. On the other hand, you might find it amusing as an exercise. So the only purpose and relevance of this photograph of the Wordsworth family graves in Grasmere, in the English Lake District, is as a distractor, to give you a moment to think about whether you want to have a guess or just cut to the chase.

(Please, no Hitchcock jokes about shower curtains.)


OK. Ready for the answer?

Answer: She was hoping that the guy would appear at the funeral again.

If you answered this correctly, you think like a psychopath.

This was a test by a famous American psychologist used to test if one has the same mentality as a killer. Many arrested serial killers took part in this test and answered it correctly. If you didn’t answer correctly – good for you. If your friends hit the jackpot, may I suggest that you keep your distance. (If you got the answer correct, please let me know so that I can take you off my distribution list.)

You know what I’m going to say about this, don’t you?

The last line is amusing in a sour sort of way, but this is a hoax. (Or maybe a semi-hoax: a meme that isn’t true but may not have been intended to mislead, but has become more misleading as it has passed from person to person.) It might have some validity as a test of lateral thinking, but if a psychologist – or, come to that, a psychiatrist – had really proposed that you could use a single question as a test of psychopathy, he’d need to be sent back to shrink school.

The fact that there’s no attempt to attribute it by name is a fair indication of an attempt to deceive, though it’s very common for real people or organizations to be cited in a hoax as a source, on the all-too-justified assumption that many people won’t take the time to check.

There isn’t even universal agreement on whether psychopathy is a discrete psychological category or just a definition of someone who scores higher than the general population in certain antisocial traits and behaviours, let alone on the exact definition of a psychopath.

So no-one who answers the question correctly should start worrying about being an undiagnosed psychopath. Though you might argue that someone who would worry about that would probably not score highly on generally-acknowledged psychopathic traits like disinhibition and lack of empathy.

Being able to think like a psychopath isn’t something to fret about (though it’s not necessarily something to boast about): I’d worry more about thinking like a scriptwriter.

On the other hand, if you feel the need to forward this thing for the joke value of its rather weak punchline, at least make it clear that it is a joke. I’m not sure that everyone is going to get it. And some people who do get it are going to find it less than amusing.

In a Facebook-disseminated variant I saw, the punchline was something like “if you got it right, let me know so that I can unfriend you…” It’s amazing how well email hoaxes have translated to social networking.

By the way, Barbara Mikkelson, at Snopes, does a pretty good job of explaining just why this is such a ‘silly canard’, even if she does give the impression that psychopathy and sociopathy are exactly the same thing. This isn’t altogether true, even though these conditions may present similarly, clinically speaking. But that’s a discussion probably best left to someone with more (and more recent) experience of the mental health system.

David Harley
Small Blue-Green World

Posted by: David Harley | June 24, 2014

Tech Support Scams

It occurs to me that I’ve missed flagging here quite a few support scam blogs that I’ve addressed in other blogs. As a quick catch-up, here’s a cut-and-paste from the scam resource page I maintain over at AVIEN.

Most recently, my article for Graham Cluley’s blog: Tech support scams and the wisdom of Solomon

Plus the six blogs referenced in that article “where Dr Solly messes with the heads of assorted grades of support scammer”:

There’s yet another Harley support scam article for ESET’s WeLiveSecurity blog: Support Scam Using (MS-)DOS* Attack. The never-ending Windows support scam often misrepresents obsolete MS-DOS utilities. But three simple rules will bypass most of that social engineering.

And yet another: Scams: Tech Support, Accident Insurance, PPI, Oh My My.

David Harley
ESET Senior Research Fellow
Small Blue-Green World

Posted by: David Harley | March 18, 2014

Sextortion Tips

My colleague Lysa Myers has put together an excellent article for ESET on the topic: Tips for protecting against sextortion. As well as offering some good advice, she also cites a case where an individual has been indicted on charges that for the last eight years he used Facebook, Kik Messenger, Text Me!, Yahoo! and Dropbox accounts:

‘“to communicate with dozens of minor females throughout the United States while posing as a minor female.” After establishing communication with the girls, some as young as 13, he would “threaten to reveal sexually explicit images of their friends unless the victim sent to him images of themselves nude or engaging in sexually explicit conduct.”’

30 years in IT has certainly taught me more about the depths to which human beings can sink than I ever really wanted to know.

David Harley
Small Blue-Green World

Posted by: David Harley | March 13, 2014

Malware goes for the Jugular

Here’s a particularly unpleasant bit of social engineering reported in the UK for Softpedia: Cybercriminals Tell Users They Might Have Cancer to Trick Them into Installing Malware.

Which pretty much says it all. The email purports to have been sent by NICE (the National Institute for Health and Care Excellence) which has put up a spam warning accordingly. However, this is more than spam: it contains an attachment claimed to be a blood count report suggesting that the recipient may have cancer, but in fact it’s a password stealer.

There are obvious logical flaws here.

Firstly, it’s likely that if you’d given a sample for a blood test you’d remember. However, there’s obviously a chance that some of these messages might reach people who have actually given samples recently, and would be more likely to be panicked into clicking on the malicious attachment.

Secondly, NICE is not in the business of doing blood tests: its remit is rather more abstract. But again, the hope is that the victim will be too panicked to check properly.

David Harley
Small Blue-Green World

Posted by: David Harley | March 13, 2014

Mystery Shopper Scam

Here’s a mystery shopper scam phish that Mich Kabay brought to my attention. You can find out more about it in the blog I just put up for ESET: More Mystery Shopper Misery


David Harley
Small Blue-Green World

Posted by: David Harley | March 10, 2014

Postcard from Hallmark hoax

Here’s a hoax alert I was asked about recently. It’s far from new, but it seems to be enjoying a new lease of life on social media at the moment. As it’s an example of a very prevalent kind of hoax, it’s worth giving it some special attention, in the hope that it will be easier to spot similar timewasters.

THIS IS IMPORTANT BEWARE and tell everybody you can think of!!!

[Yes, we know it’s important because it’s IN CAPITALS and has three exclamation marks!!! Wait a minute… Who decided it was IMPORTANT, and on what authority? We’ll get to that in a minute.]

Regards, Better to be safe than sorry

Regards? End of the message already? Obviously not, but this does suggest more than one message stitched together, a very common feature of dross like this. I don’t think there’s a single line in this message I haven’t seen elsewhere, but so many hoax gambits in a single message is an educational opportunity I can’t pass up.

Dave’s brother is a very advanced programmer who does computer work for a living…

I don’t know who Dave is (it isn’t me, I haven’t coded anything in years!), let alone his brother. So excuse me if I don’t take their programming expertise or knowledge of malicious software as a given. As a matter of fact, since I sidled into the IT industry in 1986, I’ve found programmers and other IT professionals to be as capable as anyone else (including security professionals) of spreading misinformation when they step outside their own specializations. And by the way, you can be extremely technically knowledgeable without being a professional programmer, though having no knowledge at all of programming would be a significant disadvantage in some contexts.

…and has a high up status with Microsoft.

Remember that story about Bill Gates being unable to install the Windows 8.1 upgrade? Except that it appears that story originated with the New Yorker’s satirical Andy Borowitz column, which rather casts doubt on its accuracy (even though many sites have republished or summarized it without question). Still, if there’s one thing I’ve learned from nearly 30 years in the industry, it’s this: even technically accomplished people tend to lose their technical grasp as they acquire more and more people who can do routine tasks for them. High status does not equal technical expertise.

He doesn’t send these if they aren’t real. If He says this is for real, it for sure is.

Of course it is. How could anyone not take Dave’s brother’s word on it?

Be aware. VIRUS COMING !

This is just so wrong on so many levels. I don’t know what it reminds me of most: those helpful people who tell you to be careful while you’re picking yourself up off the ice you just slipped on, or those security experts who tell you not to open suspicious messages. “Oh look, it’s a suspicious message. I must open it and see what it says.”

Hi All, I checked with Norton Anti-Virus, and they are gearing up for this virus!

What on earth does ‘gearing up’ mean? They’re looking for a sample? They’re trying to work out how to detect it? They’re putting up sandbags so that it doesn’t leak into their offices? No, it means ‘I haven’t been in touch with anyone at Symantec/Norton at all, but maybe Dave’s brother has.’

I checked Snopes, and it is for real.

This is interesting. And a common claim by hoaxers who’ve done no such thing and are hoping that you won’t either, in case you find that there’s a Snopes entry that says exactly the opposite. In this case, though, the Snopes entry lists this as ‘outdated’ rather than as an out-and-out hoax, despite the manifest improbability of some of the claims made in this message. Which may be why some hoaxes sometimes include the specific URL for this entry.

The rationale here is that there really have been instances of malware spread via what were passed off as links to e-card sites, notably in Nuwar/Storm campaigns, with subject lines like “You’ve received a postcard from a family member!” Quite a few of those subject lines are listed in the Snopes article, but while it’s perfectly possible that future malware campaigns will re-use this approach and even some of those subject lines, the idea that you can spot an incoming malicious message by its subject line is misleading at best. In fact, it’s characterized email virus hoaxes going right back to the venerable (but not venerated) Good Times hoax, and even further back to the ‘Mogul metavirus’ spoof, which was meant to be humorous but, arguably, spawned a million imitators. Elements of many of those imitators are present in the POSTCARD FROM HALLMARK hoax, including the Olympic Torch hoax, A Virtual Card For You, the Invitation hoax and so on.

Get this E-mail message sent around to your contacts ASAP.

Quick, before you have time to think about it and see how ridiculous it is. This does give you some idea of how old this hoax actually is, going back to the days when email was the main channel for Internet communication and social media were barely an idea.


“You know we mean it. We’re typing in capitals again.” But please don’t forward it. Really.

You should be alert during the next few days.

Be alert. Facebook needs more lerts. (Sorry. Couldn’t resist.)

Do not open any message with an attachment entitled POSTCARD FROM HALLMARK, regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE, which ‘burns’ the whole hard disc C of your computer.

Sounds alarming. Imagine all those melting hard disk platters. “Hello, Dali, well, hello, Dali….” Actually, it sounds as if Dave’s brother doesn’t know a lot about storage technology or even how Windows sees a hard drive.

This virus will be received from someone who has your e-mail address in his/her contact list. This is the reason you need to send this e-mail to all your contacts.

Specious reasoning if ever I saw it… This just means “I want you to forward this to as many people as possible and hopefully you won’t look too carefully at the logic.”

It is better to receive this message 25 times than to receive the virus and open it.

That could possibly be true if the virus was real, but it’s even better not to receive any copies of a useless but somewhat viral message. It’s better not to receive real malware (most modern malware isn’t viral) than to receive it. But receiving a memetic virus is in itself pretty irritating, if not as unequivocally damaging as a CIH or Autostart.

If you receive an email entitled “POSTCARD,” even though it was sent to you by a friend, do not open it!

That, at least, makes some sense in that you can’t safely trust a message just because it appears to come from a person whose intentions you trust. Unfortunately, simply assuming that all email with the subject POSTCARD is malicious is less sensible. Deleting or blocking messages because they have a highly generic subject line associated with a virus that doesn’t actually exist is even less sensible.

Shut down your computer immediately.

I’m not sure what the logic is here. If you didn’t open the message, it’s unlikely that whatever malicious code it’s supposed to contain could be executed. There have been occasions where a bug in a specific email client could cause code to be executed from an unopened message, but it’s rare, and there’s no indication of an email client problem here. The remote possibility of such an issue is a good reason for keeping your operating system and applications promptly patched and updated. But that isn’t alarmist enough for a chain letter.

Of course, if the malware was real and as bad as described, shutting down the PC would probably mean you wouldn’t be able to start it up again.

This is the worst virus announced by CNN.

Well, a news channel is obviously best-equipped to make a rational assessment of the impact of the threat. In the real world, though, it might be nice if it could be attributed to a security company with some knowledge of malware. Failing that, at least give us a URL to verify… (Preferably a link to a trustworthy site, and no URL shortening, QR codes or other link obfuscation gambits.)

It has been classified by Microsoft as the most destructive virus ever.

Oh, OK. Though actually, at the time this hoax first appeared, few would have considered Microsoft to be a security company at all. But they certainly know something about malware now. But again, there’s no way of verifying the assertion. Of course, there’s no way to check that Microsoft really did classify the thing in this way. But that would be because they didn’t.

This virus was discovered by McAfee yesterday,

No verification. Yawn. And no way of establishing when ‘yesterday’ might have been. 2001 or earlier, I’d say… Strange that at least two major security companies know about it and yet…

…and there is no repair yet for this kind of Virus.

We’re doomed.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

Well, you can certainly cause appreciable (not necessarily permanent) damage by trashing the Master Boot Record, which is what normally occupies Sector 0, but the risk to real hardware from an imaginary virus is fairly small.


No, no, no. Please don’t. This is just emotional blackmail and social engineering. Don’t forward it.

And do feel free to let the person who sent it to you know that it’s a hoax. (However, if the mail was sent to lots of other people at the same time – as is usually the case – I don’t generally recommend that you “reply all” so that they all get to hear that it’s a hoax.)

It’s often the case – in my experience – that when you let people know they’ve been hoaxed, they take some convincing. Well, no-one wants to be made to feel stupid. Here are some more resources you can quote them if they don’t believe you.

In general, any instruction to send an email to all your friends is by definition a chain message. That doesn’t make it a hoax by definition, but it’s always worth (a) verifying before you send (b) considering whether your friends will really appreciate getting 25 copies of more-or-less the same message. I know I wouldn’t.

David Harley 
Small Blue-Green World
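The gambits picked apart above (shouting in capitals, runs of exclamation marks, "send this to everyone", an unnamed brother at Microsoft, "I checked Snopes" with nothing to click, "do it immediately") are regular enough that a mail filter or a help-desk triage script can flag them. The scorer below is an added example, not code from this blog or from any product mentioned on it; the sample messages are constructed to resemble the chain-letter style discussed, the phrase patterns and weights are my own assumptions rather than a vetted signature set, and the verdict thresholds are arbitrary.

```python
import re

# Constructed sample modelled on the chain-letter style dissected above; it is
# not the text of the real "Postcard from Hallmark" message.
SAMPLE_HOAX = """THIS IS IMPORTANT BEWARE and tell everybody you can think of!!!
My brother is a very advanced programmer and has a high up status with Microsoft.
I checked with Norton Anti-Virus, and they are gearing up for this virus!
I checked Snopes, and it is for real.
Get this message sent around to your contacts ASAP.
Shut down your computer immediately.
This is the worst virus announced by CNN.
It has been classified by Microsoft as the most destructive virus ever.
"""

# Constructed ordinary message for comparison.
SAMPLE_BENIGN = """Hi all,
The team meeting has moved to Thursday at 10:00.
Agenda and dial-in details are on the intranet page.
Thanks,
Sam
"""

# (name, compiled pattern, weight). The phrases are assumptions chosen to match
# the gambits discussed in the post, not a tested production rule set.
PATTERN_INDICATORS = [
    ("forward_to_all", re.compile(
        r"\b(send|forward|pass)\b.{0,40}\b(all|everyone|everybody|contacts|friends)\b"
        r"|\btell (everybody|everyone)\b", re.I), 3),
    ("unnamed_authority", re.compile(
        r"\b(my|his|her|a) (brother|friend|cousin|colleague)\b.{0,80}"
        r"\b(microsoft|norton|mcafee|symantec|ibm)\b", re.I), 2),
    ("vendor_or_media_name_drop", re.compile(
        r"\b(microsoft|norton|mcafee|symantec|cnn|snopes)\b", re.I), 1),
    ("urgency", re.compile(r"\b(asap|immediately|right now|urgent)\b", re.I), 1),
    ("exclamation_runs", re.compile(r"!{2,}"), 1),
]

# A claim of having verified the story, checked separately against the absence
# of any URL: "I checked Snopes and it's real" with nothing to click is the bluff.
VERIFIED_CLAIM = re.compile(r"\b(checked (with )?snopes|(it|this) is for real)\b", re.I)
URL = re.compile(r"https?://", re.I)
# Shouting: whole words of four or more capital letters.
CAPS_WORD = re.compile(r"\b[A-Z]{4,}\b")


def score_chain_message(text):
    """Return the indicator names that fired, a weighted score and a verdict.

    Each indicator counts once however many times it matches, so the score
    reflects how many distinct hoax gambits a message combines, which is the
    point the post makes about the Hallmark message.
    """
    hits = []
    score = 0
    for name, pattern, weight in PATTERN_INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    if VERIFIED_CLAIM.search(text) and not URL.search(text):
        hits.append("claims_verified_no_link")
        score += 2
    if len(CAPS_WORD.findall(text)) >= 3:
        hits.append("shouting")
        score += 1
    # Thresholds are arbitrary assumptions for illustration.
    if score >= 5:
        verdict = "likely chain-letter hoax"
    elif score >= 2:
        verdict = "some chain-letter traits"
    else:
        verdict = "no chain-letter indicators"
    return {"score": score, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("hoax", SAMPLE_HOAX), ("benign", SAMPLE_BENIGN)):
        result = score_chain_message(sample)
        print(f"{label}: score={result['score']} verdict={result['verdict']}")
        for hit in result["hits"]:
            print(f"  - {hit}")
```

Scoring per distinct gambit rather than per match is deliberate: a genuine vendor advisory may mention Microsoft or McAfee, and a real colleague may write "ASAP", but a message that stacks forward-to-all, unnamed authority, urgency and an unlinked "I checked Snopes" in one body is the pattern worth routing to a human rather than to the whole address book.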
