Too Many Hoaxes

At first, I was just plain annoyed. Someone forwarded a hoax email to me twice in the same week. I am often asked about hoax email: “Kevin, you work at Symantec, is this true?” That’s fine; that’s not what annoyed me. What set me off was that both emails had been forwarded to warn me. The forwarder wasn’t even questioning the content of the email. They had accepted clearly bogus warnings about the “world’s worst virus” as fact.
Then I started thinking about the Twitter discussion I recently had about education. Some security professionals are turned off by education because they don’t believe it works. The rest feel it’s important, but never done right. (I fall into the latter category.) And, I decided that my previous approach to educating people about these hoaxes was not working. Just giving people a link to a Web page that disputes the hoax is not enough. Rather than give a man a fish, I needed to teach them how to fish.
So, I sat down and wrote an email explaining how to spot a virus hoax. It took a little longer than just forwarding a link, but I think it will be more effective. Plus, I can now just cut and paste this email as a response the next time someone forwards a hoax email to me.
If you want to give what I’ve done a try, I turned my email into a template that you can use. (See below.) The next time someone forwards a hoax email to you, just cut and paste this into a reply. I’m optimistic that we can educate people—we just need to adjust and adapt when things don’t work.


Dear [fill in friend’s name],
As you know, I work at [Company Name] in the group that covers computer security. I see my fair share of viruses. I also see quite a bit of hoax email. The email you forwarded is a hoax.
It is true that miscreants are sending email with attachments and making posts to people’s Facebook pages with links that lead to malware. They use high profile events or interesting sounding videos to get you to click on the attachment or link. The goal is always the same, to get you to click and become infected. It is only the come-on that changes.
But, the thing is, any warning that comes in via email is almost always a hoax. They are never about real malware. Sometimes they tell you to do things that could actually damage your computer. (Hoaxers have a strange sense of humor.)
There are five easy ways to tell if the email you’ve received is a hoax:
1. Snopes verified it.
The email you forwarded to me is confirmed by Snopes as a hoax. The hoaxers only tell you Snopes has verified it as true so you will not check for yourself.
2. It’s the worst virus Symantec has ever seen.
Even if it truly existed, it would not be the worst virus ever seen. Trust me. Unless it will force cylinders used for uranium enrichment to spin out of control, it is not the worst virus ever seen.
3. It does irreversible harm to your computer.
People who write malware are crooks, not vandals. They try to steal your information. They need your machine to stay functioning to do that.
4. A reliable person forwarded the email.
Being reliable and being a good judge of hoaxes are two completely different skills.
5. You are to forward the email to everyone you know.
Good-hearted people try to warn others of impending disasters. Hoaxers tell people to forward an email to everyone they know. Thanks for being so concerned—it speaks well of you as a person. But, next time, please just delete the email.
[Your name here]
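As an added example that is not part of the original post, here is a small Python mail-filter heuristic that keys on the content-based signs from the template (signs 1, 2, 3 and 5; sign 4 concerns the sender, not the text, so it cannot be judged from the body). The regular expressions and the two sample messages are constructed for illustration.

```python
import re

# Constructed patterns for the tell-tale signs of a virus-hoax chain letter.
# Each key names the sign from the template it corresponds to.
HOAX_INDICATORS = {
    # Sign 1: the mail itself claims Snopes has verified it as true.
    "snopes_verified": re.compile(
        r"\bsnopes\b.{0,40}\b(verified|confirmed|true)\b", re.I | re.S),
    # Sign 2: "the worst virus ever seen".
    "worst_virus_ever": re.compile(
        r"\bworst\b.{0,20}\bvirus\b", re.I | re.S),
    # Sign 3: irreversible physical damage to the machine.
    "irreversible_harm": re.compile(
        r"\b(irreversible|destroy(s|ed)?|wipe(s|d)?|erase(s|d)?)\b"
        r".{0,40}\b(hard\s*drive|disk|computer|sector)\b", re.I | re.S),
    # Sign 5: the recipient is told to forward it to everyone they know.
    "forward_to_everyone": re.compile(
        r"\b(forward|send|pass)\b.{0,30}"
        r"\b(everyone|everybody|all your (contacts|friends))\b", re.I | re.S),
}


def hoax_indicators(body: str) -> list[str]:
    """Return the names of the hoax indicators found in an email body."""
    return [name for name, pat in HOAX_INDICATORS.items() if pat.search(body)]


def is_likely_hoax(body: str, threshold: int = 2) -> bool:
    """Flag a message once at least `threshold` distinct indicators appear.

    A single hit (e.g. a genuine patch notice mentioning a disk wipe) is
    not enough; hoaxes tend to stack several of these signs together.
    """
    return len(hoax_indicators(body)) >= threshold


# Constructed sample messages for a quick run.
SAMPLE_HOAX = (
    "Snopes has verified this as TRUE! This is the worst virus Symantec "
    "has ever seen. It will erase your hard drive beyond repair. "
    "Please forward this to everyone you know!!"
)
SAMPLE_LEGIT = (
    "Hi all, reminder that the quarterly patch window is Saturday "
    "02:00-04:00. Please save your work before leaving on Friday."
)

if __name__ == "__main__":
    for label, msg in (("hoax", SAMPLE_HOAX), ("legit", SAMPLE_LEGIT)):
        print(label, is_likely_hoax(msg), hoax_indicators(msg))
```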

What is Zeus? Notorious malware under the microscope

Zeus, also known as ZBot, has grown into one of the most popular (or should that be unpopular?) and widespread crimeware kits on the internet.

Its ease of use and effectiveness make it an attractive choice for today’s cybercriminals.

And an infection by Zeus can be extremely costly. Whether you’re an individual or an organisation, the impact of losing passwords and online banking details can be disastrous.

Clearly there’s a significant demand for easy-to-use, information-stealing Trojans amongst the internet underground, and we can expect to see more from Zeus itself and its competitors.

Today SophosLabs expert James Wyke has published a technical paper taking an in-depth look at the functionality and behaviour of the Zbot binary, an examination which gives some feeling for the malware’s sophistication.

Download the free “What is Zeus” technical paper now.
[no registration required]

Profile Stalkers on Facebook? Check out the viral scam that’s spreading

Another scam is being spammed out across Facebook, tricking users into helping its spread by fooling them into believing they will discover who is secretly viewing their profile.

Using a cartoon image of what appears to be a chimpanzee looking through binoculars, the messages are being sent from other Facebook users who have already fallen into the trap of clicking on the link and following the scammers’ instructions.

Clicking on the link contained inside the message (which I have obscured in the screen grab below) is a big mistake, as it takes you one step further into the criminals’ trap.

Checkout your Profile Stalkers on Facebook

WICKED! Now you can see who views your facebook profile.. i saw my top profile stalkers and my EX is still creeping my profile every day

Checkout your PROFILE stalkers
Now you can see who stalks your profile daily

If you do click on the link you are taken to a third-party webpage which urges you to cut-and-paste some JavaScript code into your web browser’s address bar. The page claims that it is your unique code to view your Top 10 Profile Spys – but it’s not true at all.

Checkout your Profile Stalkers on Facebook

This is a trick being commonly used by scammers at the moment. If you paste their code into your address bar, it will typically pass the message onto other Facebook users – including your online friends. We recently saw it deployed in a Facebook scam offering a “Dislike” button for instance.

Ultimately, scams like this typically end up with you being taken to a webpage which asks you to complete a survey – and the scammers earn commission for each survey completed.

Don’t let the scammers make a monkey of you, and don’t risk spreading a scam like this to your online friends.

If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

Update: I’m reliably informed that the cartoon chimp is Curious George.

Converting currency on Google can lead to malware attack

One of the guys at the North American branch of SophosLabs recently stumbled across some Euros following an overseas trip, and wondered how much they were worth in dollars.

So he did what any of us would probably do. He Googled it.

215 euro to usd

Google very cleverly and kindly tells you what it believes the conversion rate to be, but you’re also given a number of search results:

Euro to USD currency conversion search results

It’s that final search result which is of interest to us. A quick search finds a number of other webpages which don’t just use keywords related to currency conversion, but also other terms – “dirty sexist jokes”, for instance.

Euro to USD currency conversion search results

What is occurring here is SEO poisoning, where bad guys create poisoned webpages related to certain search terms in the hope that you will come across them and infect your computer.

The good news is that Sophos can offer a layered defence against this attack.

The initial webpage is blocked by Sophos as Mal/SEORed-A. It acts effectively as the doorway to the rest of the attack.

The site delivering the actual malicious payload is also blocked, and Sophos detects the exploit itself as Troj/ExpJS-BP.

Finally, the Java class files pushed by the exploit code are detected as Mal/JavaDldr-B.


We see online criminals poisoning search engine results using blackhat SEO techniques a lot.

Fraser and Onur in our labs have written an excellent technical paper (PDF) which discusses the problem, and lifts the lid on how the bad guys are using automated kits to do their dirty work for them.

SEO poisoning technical paper

It’s a great read. Check it out now.