Vulnerabilities / Threats
10/22/2008
02:11 PM
50%
50%

7 Fantastic Internet Hoaxes

Despite our increasing technological sophistication, we can't help falling for e-mail about Bigfoot, giant mutant cats, doomed tourists, and deadly butt spiders.

This story was originally published on October 25, 2008.

Admit it. Even you, a savvy veteran e-mail user, have fallen for one or more of these Internet rumors. Or, even if you weren't quite sure of the veracity of a particular story or photograph, you e-mailed it to your friends to amuse/warn them, or to see what they thought.

Don't be embarrassed, you're not alone. Despite our increasing technological sophistication, we seem to be as susceptible as ever to people determined to make suckers of us. After all, Internet hoaxes play on our human, not technical, vulnerabilities.

"These hoaxes use social engineering to trick people into doing what they otherwise wouldn't do," said Patrick Runald, chief security advisor for F-Secure, an Internet security firm. Graham Cluley, a senior security analyst with Sophos, a London-based security vendor, agreed. "The most successful hoaxes have been the ones that people had a real compulsion to forward. These things can't travel unless humans participate. And, unlike anti-virus software, we haven't found a way to upgrade the human brain," said Cluley.

A lot of times these hoaxes are based on engendering fear -- such as the virus hoaxes that periodically sweep over the Internet (keep reading). "At other times, they play off people's curiosity or vanity, or even desire to help others. In any case, although some might originate in a sense of lighthearted fun, "many are far from being harmless pranks," said Runald. "They can take a real financial and emotional toll."

Jim Graham, founder of the Web site HoaxBusters.org, which tracks and debunks Internet hoaxes, agrees. "Hoaxes can cause panic, anxiety, and stress to individual recipients," he said. "In the business world, they can lead to lost productivity, take up valuable network bandwidth, and present a serious security issue." Moreover, he said, "to a spammer, the addresses found in forwarded e-mails are like finding gold."

And the line between hoaxes and fraud can be very thin. Often attackers will build on the momentum that an especially widespread hoax has already achieved, said Zulfikar Ramzan, technical director at Symantec, which tracks online attempts to defraud consumers. "What often happens is that someone perpetrates a hoax -- say invents a fake news story -- and attackers take that and piggyback malicious code on top of it," he said. For example, the virus hoax claiming that opening an email with "An E-Card for You" would crash the recipient's computer eventually picked up an actual virus, said Bill Austin, who runs the Web site VirusHoaxBusters.com. "In effect, the hoax becomes the mechanism for the fraud," he said.

How common are Internet hoaxes? David Emery, the Urban Legends guide for About.com, hears about "several hundred a week. I can't begin to cover them all," he said. "It's quite a phenomenon and speaks to the nature of the Internet, about the gullibility of people, who tend to think that because something has been written down, or because there's a photograph, that it must be true."

Just in time for Halloween, InformationWeek interviewed a battery of security experts, Internet folklorists, and hoax watchdog groups to get their take on the most successful Internet hoaxes to date.

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0999
Published: 2015-06-02
Sendio before 7.2.4 includes the session identifier in URLs in emails, which allows remote attackers to obtain sensitive information and hijack sessions by reading the jsessionid parameter in the Referrer HTTP header.

CVE-2014-8391
Published: 2015-06-02
The Web interface in Sendio before 7.2.4 does not properly handle sessions, which allows remote authenticated users to obtain sensitive information from other users' sessions via a large number of request.

CVE-2015-0759
Published: 2015-06-02
Cross-site request forgery (CSRF) vulnerability in Cisco Headend Digital Broadband Delivery System allows remote attackers to hijack the authentication of arbitrary users.

CVE-2015-0850
Published: 2015-06-02
The Git plugin for FusionForge before 6.0rc4 allows remote attackers to execute arbitrary code via an unspecified parameter when creating a secondary Git repository.

CVE-2015-1945
Published: 2015-06-02
Unspecified vulnerability in the Reference Data Management component in IBM InfoSphere Master Data Management 10.1, 11.0, 11.3 before FP3, and 11.4 allows remote authenticated users to gain privileges via unknown vectors.

Dark Reading Radio
Archived Dark Reading Radio
From Target to Sony to Anthem, they are happening all around you: the “big” data breaches that compromise critical data and threaten the welfare of the corporate brand. Is your organization ready to respond?