This post has been published previously on http://lvdeijk.wordpress.com
Today I had a funny one at my work.
For some reason, people still keep falling for e-mail chain letters and hoaxes. The question just asks itself: why?
First of all, for those who don't know what either is:
An e-mail chain letter is a message like the Bill Gates Fortune one. Aside from that kind of hoax, people usually refer to false virus notifications as hoaxes as well, like The Olympic Torch Hoax. Both are hoaxes, as said.
Hoaxes can be categorized into three rather distinct types:
All have some characteristics by which one can recognize a hoax:
The ones claiming to be a virus notification fooling unsuspecting users I can understand, and the hoaxes about 'missing' persons as well, because of the perceived tragedy. But especially the ones claiming to grant some form of free money, like the Bill Gates Fortune hoax, should be an obvious fake to most sensible people. Still, that doesn't seem to be the case.
Personally I think the reason people fall for this kind of message is threefold:
The first is blatantly obvious and blatantly simple: people are social creatures, want to be liked and therefore tend to act nicely towards others. Some explanation can be found at the Social Engineering Framework. These hoaxes capitalize on this phenomenon: they ask the reader to do something which he is simply inclined to do. The two major reasons for this reaction are: the sender of the message is most likely someone the reader knows and likes, and the message appears to come from some authority, even if many steps removed.
The second seems obvious as well: Most hoaxes are either based on the threat of a non-working PC, which in the mind of the reader equates to losing money, or they're based on receiving free money by massively forwarding said message. The original 'analog' chainletter did the same: Forward the letter to as many people one could think of, put one's name on the bottom of the list, remove the topmost name and send money to that person. The whole system just screams 'Pyramid Scheme'.
The last is a bit harder. This one has more to do with the fact that a reader doesn't see he is reading a hoax than with anything else. Just imagine: Joe Average User gets a panicky message from his aunt: some eeevil virus is on the loose, eating PCs. No one can detect it, but some high-up tech-savvy company found it anyway and offers a simple solution:
How, not being tech-savvy, does Joe A. User know it's just a hoax? Seeing it's from a techy company and his aunt sent it to him, reasons 1 and 2 kick in. He makes a Pascal's Wager and chooses the option that seems safest to him: forward, delete the file and hope for the best.
Being at work in a large organization, in my experience this kind of hoax has a two-way effect: huge bandwidth usage on the mail backbone and address harvesting for spamming.
Just one incoming hoax message can have serious effects on a corporate mail system. People who react with a CTRL-A, CTRL-C, CTRL-V on the Global Address List multiply the original message by each and every e-mail address in that list. Knowing most companies have many distribution lists as well, each with a number of recipients in it, one can imagine the amount of messages it will create when one unsuspecting user wants to be helpful and hits that [SEND] button. Then there's the fact that some users aren't online or are connected through small data links because they're at some remote location: these messages need to be stored.
The fun starts when some _other_ user, being slightly more tech-savvy than the original sender sees the message, knows it's a hoax and wants to be helpful by notifying the organization of the sender's error by, oh the irony, hitting [REPLY TO ALL].
Then there are the funny functions of 'notification of receipt' and 'notification of read' added to the mix, and the surefire effect of the first [REPLY TO ALL] inciting a massive amount of reactions from others telling it's wrong to use [REPLY TO ALL].
Result: Mailserver goes
Sometimes I think this was the original reason the phenomenon of the hoax exists in the first place.
People who have ever seen a fully matured hoax-message know what I'm talking about when I say it's easily possible to gather about 3000-10000 e-mail addresses from one stream of 'FW: FW: FW: FW: your average hoax'.
Everyone makes the same mistake: hit Forward, copy all addresses from one's address book and paste them into the TO: field. Somewhere down the line, someone's bound to pick up the mail, gather all addresses from it and feed them into his spam server.
Hasn't anyone ever heard of using Blind Carbon Copy? If not for the safekeeping of one's address book, then at least to keep the size of the forwarded message within reasonable limits!
These days, with organizations having quite a bit more bandwidth and storage capacity than, say, 10 years ago, this problem is even bigger than the first one. No matter how well an organization tries to keep its employee database to itself, there's always someone who just dumps the entire address list into some chain letter and sends it to the outside world.
The only way to minimize the damage of this effect is to implement a strict policy of who may use how many addresses of the global address list at once. It still doesn't prevent Joe A. User from using his own address list at home, of course. For that, more awareness will be needed: awareness on all levels of the internet population.
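One way to enforce such a recipient policy on an outbound mail gateway, as an added example that is not from the original post: the check below counts the visible To/Cc recipients, the addresses still riding along in the quoted body of a 'FW: FW: FW:' message (the harvestable ones), and the forward depth, using Python's standard email library. The thresholds and the sample message are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Policy thresholds are assumptions for this example, not values from the post.
MAX_VISIBLE_RECIPIENTS = 25   # To + Cc entries every recipient can see
MAX_QUOTED_ADDRESSES = 20     # addresses carried along in the forwarded body
MAX_FORWARD_DEPTH = 3         # number of FW:/Fwd: prefixes in the subject
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def visible_recipients(msg):
    """Addresses every recipient sees (Bcc is stripped by the sending server)."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _, addr in getaddresses(raw) if addr})

def quoted_addresses(msg):
    """Addresses from earlier hops that the quoted body still exposes."""
    if msg.is_multipart():
        return []
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return sorted({a.lower() for a in ADDR_RE.findall(body)})

def forward_depth(msg):
    """How many times the subject has been prefixed with FW:/Fwd:."""
    return len(re.findall(r"\b(?:fw|fwd)\s*:", msg.get("Subject", ""), re.I))

def check_outbound(raw_message):
    """Return the policy findings for one outbound message (empty = clean)."""
    msg = message_from_string(raw_message)
    findings = []
    n_vis = len(visible_recipients(msg))
    if n_vis > MAX_VISIBLE_RECIPIENTS:
        findings.append(f"{n_vis} visible recipients: use Bcc or a distribution list")
    n_quoted = len(quoted_addresses(msg))
    if n_quoted > MAX_QUOTED_ADDRESSES:
        findings.append(f"{n_quoted} addresses exposed in the quoted body: strip them")
    if forward_depth(msg) >= MAX_FORWARD_DEPTH:
        findings.append("forwarded 3 or more times: likely chain letter, hold for review")
    return findings

# Constructed sample: a third-hand 'virus warning' sent to 30 visible recipients,
# whose quoted body still lists the 25 recipients of the previous hop.
SAMPLE = (
    "From: aunt@example.com\n"
    "To: " + ", ".join(f"user{i}@example.com" for i in range(30)) + "\n"
    "Subject: FW: FW: FW: virus warning - do not open!\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "-----Original Message-----\n"
    "To: " + "; ".join(f"hop{i}@example.org" for i in range(25)) + "\n"
    "Please forward this to everyone you know!\n"
)
```

Running `check_outbound(SAMPLE)` yields three findings, one per rule; a plain one-to-one message yields none.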
To wrap it all up, some useful links to pass on to whoever is interested or needs the awareness:
and one more to learn about social engineering which, after all, is the basis of the effectiveness of a hoax: