Vulnerabilities / Threats
10/22/2008
02:11 PM
50%
50%

7 Fantastic Internet Hoaxes

Despite our increasing technological sophistication, we can't help falling for e-mail about Bigfoot, giant mutant cats, doomed tourists, and deadly butt spiders.

This story was originally published on October 25, 2008.

Admit it. Even you, a savvy veteran e-mail user, have fallen for one or more of these Internet rumors. Or, even if you weren't quite sure of the veracity of a particular story or photograph, you e-mailed it to your friends to amuse/warn them, or to see what they thought.

Don't be embarrassed, you're not alone. Despite our increasing technological sophistication, we seem to be as susceptible as ever to people determined to make suckers of us. After all, Internet hoaxes play on our human, not technical, vulnerabilities.

"These hoaxes use social engineering to trick people into doing what they otherwise wouldn't do," said Patrick Runald, chief security advisor for F-Secure, an Internet security firm. Graham Cluley, a senior security analyst with Sophos, a London-based security vendor, agreed. "The most successful hoaxes have been the ones that people had a real compulsion to forward. These things can't travel unless humans participate. And, unlike anti-virus software, we haven't found a way to upgrade the human brain," said Cluley.

A lot of times these hoaxes are based on engendering fear -- such as the virus hoaxes that periodically sweep over the Internet (keep reading). "At other times, they play off people's curiosity or vanity, or even desire to help others. In any case, although some might originate in a sense of lighthearted fun, "many are far from being harmless pranks," said Runald. "They can take a real financial and emotional toll."

Jim Graham, founder of the Web site HoaxBusters.org, which tracks and debunks Internet hoaxes, agrees. "Hoaxes can cause panic, anxiety, and stress to individual recipients," he said. "In the business world, they can lead to lost productivity, take up valuable network bandwidth, and present a serious security issue." Moreover, he said, "to a spammer, the addresses found in forwarded e-mails are like finding gold."

And the line between hoaxes and fraud can be very thin. Often attackers will build on the momentum that an especially widespread hoax has already achieved, said Zulfikar Ramzan, technical director at Symantec, which tracks online attempts to defraud consumers. "What often happens is that someone perpetrates a hoax -- say invents a fake news story -- and attackers take that and piggyback malicious code on top of it," he said. For example, the virus hoax claiming that opening an email with "An E-Card for You" would crash the recipient's computer eventually picked up an actual virus, said Bill Austin, who runs the Web site VirusHoaxBusters.com. "In effect, the hoax becomes the mechanism for the fraud," he said.

How common are Internet hoaxes? David Emery, the Urban Legends guide for About.com, hears about "several hundred a week. I can't begin to cover them all," he said. "It's quite a phenomenon and speaks to the nature of the Internet, about the gullibility of people, who tend to think that because something has been written down, or because there's a photograph, that it must be true."

Just in time for Halloween, InformationWeek interviewed a battery of security experts, Internet folklorists, and hoax watchdog groups to get their take on the most successful Internet hoaxes to date.

Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice one
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0845
Published: 2015-04-17
Format string vulnerability in Movable Type Pro, Open Source, and Advanced before 5.2.13 and Pro and Advanced 6.0.x before 6.0.8 allows remote attackers to execute arbitrary code via vectors related to localization of templates.

CVE-2015-0967
Published: 2015-04-17
Multiple cross-site scripting (XSS) vulnerabilities in SearchBlox before 8.2 allow remote attackers to inject arbitrary web script or HTML via (1) the search field in plugin/index.html or (2) the title field in the Create Featured Result form in admin/main.jsp.

CVE-2015-0968
Published: 2015-04-17
Unrestricted file upload vulnerability in admin/uploadImage.html in SearchBlox before 8.2 allows remote attackers to execute arbitrary code by uploading a file with an executable extension and the image/jpeg content type, a different vulnerability than CVE-2013-3590.

CVE-2015-0969
Published: 2015-04-17
SearchBlox before 8.2 allows remote attackers to obtain sensitive information via a pretty=true action to the _cluster/health URI.

CVE-2015-0970
Published: 2015-04-17
Cross-site request forgery (CSRF) vulnerability in SearchBlox before 8.2 allows remote attackers to hijack the authentication of arbitrary users.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.