Earlier today I got a call from a journalist at a media organisation (I won’t say which one to spare their blushes..) with a plaintive cry:
"I think we might have been hoaxed. Could you take a look and see what you think?"
It turned out that many websites (CNN, BBC, NPR, CNET, Forbes, the Daily Mail, Mashable, the Daily Telegraph are just a handful) had been duped in recent days by supposed research from AptiQuant showing that users of Internet Explorer scored lower than average in IQ tests.
A claim like that is obviously going to be essential reading for anyone with a technical bent, and it was unsurprising to see so many websites report the story.
Of course, when many people read the story they probably thought – as I did – that the research was bound to be a bit shonky. You can, after all, easily mislead people with statistics or use a biased sample to get the results you want.
But, fascinatingly, it wasn’t just the research that was utterly bogus – it was the company behind the research too. Because AptiQuant didn’t really exist.
Sure, I discovered that its website existed (albeit a WHOIS search revealed it was only registered as a domain since mid-July, which seemed odd for a company which claimed to have been in operation for some years). But it transpired that it had also copied content (such as the images of staff members) from a legitimate psychometric testing company called Central Test.
I even went onto Google Maps’ Street view mode to look up AptiQuant’s alleged street address in Vancouver, but found no sign of an office. I was even planning to ask one of my colleagues in Sophos’s Vancouver office to do a drive-by to see if they could raise anyone at AptiQuant after my phone calls went unanswered.
It seemed clear to me that the skeptics were right – the research and the firm were fictitious.
The only question left was why was someone doing this?
Could it be maybe a publicity stunt for someone? After all, we recently saw an online dating site claim to have had a virus attack purely to drum up new business.
Or perhaps it was someone with a grudge against Internet Explorer, or dirty guerilla tactics by a rival web browser firm?
Maybe it was performance art?
Nothing seemed to make sense.
Then I thought – hang on, everyone is downloading a PDF of this so-called research.. What if the PDF was infected by malware? That would be an ingenious way to spread malicious code.
After all, we do see a lot of attacks spread via boobytrapped Adobe PDF files that exploit vulnerabilities on users’ unpatched computers.
But a quick check by the experts in SophosLabs found nothing obviously dangerous in the PDF.
This evening, to some relief, the truth has come out.
AptiQuant’s website has been updated with an admission that it was a hoax, and an explanation that the stunt was motivated by frustration at Internet Explorer’s infamously poor compatibility with web standards.
Various news agencies are left with egg on their face for feverishly reporting the story without applying the right level of skepticism, and the hoaxers are no doubt delighted that their real shopping comparison website has received some publicity.
Me? I’m not going to be visiting the shopping comparison website that appears to be behind the hoax.
For one thing, I am suspicious of any site that so strongly recommends I install a Facebook app to win a laptop. Why would I want to grant them access to so much of my Facebook profile and personal information?
If there’s an important lesson to learn from this story, and it’s an important one for everyone who is serious about computer security, it’s this: Don’t believe everything you read on the internet.
